[Snort-users] Unable to run Snort in IPS mode

Sharma, Ashish ashish.sharma3 at ...6440...
Fri Feb 26 04:17:43 EST 2010


Russ,

Thanks a lot for pointing out my mistake.

Got it working now :) in inline mode.

Thanks
Ashish Sharma

From: Russ Combs [mailto:rcombs at ...1935...]
Sent: Thursday, February 25, 2010 8:36 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

OK, taking another look at your SnortMake.logs, another possibility is that you didn't `make clean` before rerunning configure & make.  Try doing that and see if you get "inline" with `snort -V`.

Russ
On Thu, Feb 25, 2010 at 9:07 AM, Sharma, Ashish <ashish.sharma3 at ...6440...> wrote:
Russ,

Sorry for earlier goof up.

Attached is my 'config.log'

I ran following:

[root at ...14789... src]# /root/snortinstall/snort-2.8.5.2/src/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.2 (Build 121)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

As you can see, I am checking the compiled binary, prepared by 'make', right in the 'src' folder.

Or is there any other location where the compiled binary is placed after executing 'make'?

So installing and running the wrong binary should not come into the picture.

Please reply.

Thanks in advance

Ashish Sharma
From: Russ Combs [mailto:rcombs at ...1935...]
Sent: Thursday, February 25, 2010 7:16 PM

To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

Ashish,

Your `snort -V` doesn't indicate an inline build.  Where you have:

  Version 2.8.5.2 (Build 121)

you should see "inline", like this:

    Version 2.8.5 GRE (Build 124) inline

That is why I'd like to see the configure statement from the top of the file "config.log" in the directory where you build.  Here is what it might look like:

    ... Invocation command line was

    $ ./configure --enable-dynamicplugin --enable-gre --enable-inline ...

If you see --enable-inline there, you must be executing a different snort.  Try running `which snort` to see if the full path is what you expect.

Regards
Russ


On Thu, Feb 25, 2010 at 2:10 AM, Sharma, Ashish <ashish.sharma3 at ...6440...> wrote:
Russ,

I ran the following configure statement:

# ./configure --enable-inline

The output of this command is attached in the file 'config.logs'.

Then I ran the command:
# libtool --finish /usr/local/lib/snort_dynamicpreprocessor
The output of the above command is attached in the file 'libtool.logs'.

Then I ran the command:
# make
The output of the above command is attached in the file 'SnortMake.logs'.

Then I ran the command:
# make install
The output of the above command is attached in the file 'SnortInstall.logs'.

On running the command:
# snort -V

I get:
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.2 (Build 121)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

On running Command:
# snort -V -k None -K None -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort
I get:

Enabling inline operation

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.2 (Build 121)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.8 2008-09-05

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
           Rules Object: web-misc  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: sql  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: multimedia  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: chat  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>

My latest 'snort.conf' is also attached.

Please reply if you need any more information.

Thanks in advance
Ashish Sharma

From: Russ Combs [mailto:rcombs at ...1935...<mailto:rcombs at ...1935...>]
Sent: Wednesday, February 24, 2010 10:45 PM
To: Sharma, Ashish
Cc: Seth Art; Snort Users List

Subject: Re: [Snort-users] Unable to run Snort in IPS mode

Hmmm ... if Snort isn't starting with "reject" or "sdrop" rules then maybe it wasn't actually built with --enable-inline.

Can you post the configure statement at the top of your config.log and the output from snort -V?
On Wed, Feb 24, 2010 at 10:16 AM, Sharma, Ashish <ashish.sharma3 at ...6440...> wrote:
Seth,

Since I was testing on a single machine on the LAN, I replicated my Snort setup on a non-virtual Fedora 10 machine; there too the problem persists.

Packets are not getting dropped; just 'console' outputs are generated.

Also snort doesn't start with local rules of 'reject' or 'sdrop' kind.

I have followed this for reference:

'http://openmaniak.com/inline_final.php'

Please help!!!!

Ashish Sharma

-----Original Message-----
From: Seth Art [mailto:sethsec at ...11827...]
Sent: Tuesday, February 23, 2010 8:45 PM
To: Sharma, Ashish
Cc: Nigel Houghton; Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

Is the virtual snort actually inline, or is it dropping a COPY of the
traffic?  You can test this with some iptables rules.  Block the
traffic with some FW rules on the snort box and see if the traffic
STILL gets to the destination.

-Seth

On Tue, Feb 23, 2010 at 9:29 AM, Sharma, Ashish <ashish.sharma3 at ...6440...> wrote:
> Nigel,
>
> No success :(
>
> My machine is a Fedora Core 10 virtual machine, running on Sun VirtualBox.
>
> My rules in 'local.rules' are as:
>
> 'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)
> drop icmp any any -> 16.150.17.4 any (msg: "Test ping activity";sid:1000002;)'
>
> I am running 'snort' by this command:
>
> 'snort -k none -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort'
>
> Console output is as:
>
> ' 02/23-19:57:13.288720  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13530 -> 16.150.17.4:80
> 02/23-19:57:13.288812  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13402 -> 16.150.17.4:80
> 02/23-19:57:47.034571  [Drop] [**] [1:1000002:0] Test ping activity [**] [Priority: 0] {ICMP} 16.150.18.130 -> 16.150.17.4'
>
> But packets are not getting dropped and replies to the above requests are being received successfully. This should not happen :( right?
>
> With regards
> Ashish Sharma
>
>
> -----Original Message-----
> From: Nigel Houghton [mailto:nhoughton at ...1935...]
> Sent: Tuesday, February 23, 2010 7:00 PM
> To: Sharma, Ashish
> Cc: Snort Users List
> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>
> On Tue, Feb 23, 2010 at 2:15 AM, Sharma, Ashish <ashish.sharma3 at ...14781....> wrote:
>> Nigel,
>>
>> No success with your suggested idea.
>>
>> Attached is my 'local.rules' file.
>>
>> My uncommented rule is as:
>> 'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)'
>>
>> I launch my 'snort' with the following command:
>>
>> 'snort -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort'
>>
>> Now whenever I try to access a web page hosted on a web server on the same machine (on which snort is hosted), I get the following kind of console output:
>>
>> ' 02/23-12:28:04.537751  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
>> 02/23-12:28:04.538713  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
>> 02/23-12:28:04.935699  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
>> 02/23-12:28:05.263633  [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80'
>>
>> Here I am able to access my web page from any other foreign machine, but this should not happen with a 'Drop' rule of this kind; I should not be able to access my web page in the first place when snort is running in 'inline' mode.
>>
>> Moreover, I had to comment out the other 'reject' and 'sdrop' rules since 'snort' fails to identify them (please look into my first message for the console output of this error).
>>
>> Thanks
>> Ashish Sharma
>>
>>
>> -----Original Message-----
>> From: Nigel Houghton [mailto:nhoughton at ...1935...]
>> Sent: Monday, February 22, 2010 9:16 PM
>> To: Sharma, Ashish
>> Cc: Snort Users List
>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>>
>> On Mon, Feb 22, 2010 at 9:22 AM, Sharma, Ashish <ashish.sharma3 at ...14783.....> wrote:
>>> Nigel,
>>>
>>> One of my drop rules in 'local.rules' is of following type:
>>> 'drop icmp any any -> xxx.xxx.xxx.xxx any (msg: "Test ping activity";sid:1000002;)'
>>>
>>> Here my intention is to drop any packet that is received for ICMP ping activity, but actually when I run my 'snort'
>>> and 'Ping' the destination machine, only alerts are logged and I receive the response of my 'Ping' command too.
>>>
>>> But I expect this should not happen with 'drop' rule, no response should be received for this case.
>>>
>>> Thanks
>>> Ashish Sharma
>>>
>>> -----Original Message-----
>>> From: Nigel Houghton [mailto:nhoughton at ...1935...]
>>> Sent: Monday, February 22, 2010 7:42 PM
>>> To: Sharma, Ashish
>>> Cc: Snort Users List
>>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>>>
>>> On Mon, Feb 22, 2010 at 8:37 AM, Sharma, Ashish <ashish.sharma3 at ...14784......> wrote:
>>>> Rmkml,
>>>>
>>>> Please find attached my 'local.rules' file.
>>>>
>>>> Thanks
>>>> Ashish Sharma
>>>>
>>>> -----Original Message-----
>>>> From: rmkml [mailto:rmkml at ...953...]
>>>> Sent: Monday, February 22, 2010 6:49 PM
>>>> To: Sharma, Ashish
>>>> Cc: rmkml at ...953...
>>>> Subject: RE: [Snort-users] Unable to run Snort in IPS mode
>>>>
>>>> ok thx you Sharma,
>>>> could you send local.rules please?
>>>> Regards
>>>> Rmkml
>>>>
>>>>
>>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>>>>
>>>>> Rmkml,
>>>>>
>>>>> First of all thanks for helping.
>>>>>
>>>>> I don't think there is any problem with command formatting or 'RULE_PATH' variable error.
>>>>>
>>>>> Reason being that when I comment out the 'reject' and 'sdrop' rules from 'local.rules' file and only 'drop' rules are there, then 'Snort' is able to run fine and alerts are generated and logged.
>>>>>
>>>>> For your reference my 'Snort.conf' is attached.
>>>>>
>>>>> Thanks for helping again.
>>>>>
>>>>> Ashish Sharma
>>>>>
>>>>> -----Original Message-----
>>>>> From: rmkml [mailto:rmkml at ...953...]
>>>>> Sent: Monday, February 22, 2010 5:15 PM
>>>>> To: Sharma, Ashish
>>>>> Cc: rmkml at ...953...
>>>>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>>>>>
>>>>> Hi Sharma,
>>>>> you start snort with cmd line:
>>>>>  'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>>>>> please remove space like ... -c /etc/snort/snort.conf ...
>>>>> on your snort.conf, what does the RULE_PATH variable contain please? or send
>>>>> snort.conf...
>>>>> Regards
>>>>> Rmkml
>>>>>
>>>>>
>>>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have a Fedora Core 10 virtual machine running on Sun VirtualBox.
>>>>>>
>>>>>> I am trying to run Snort on this machine in IPS mode.
>>>>>>
>>>>>> I followed the following steps (I had already installed the prerequisites for Snort IPS):
>>>>>>
>>>>>> 1. Downloaded 'snort-2.8.5.2.tar.gz'
>>>>>> 2. Extracted the binaries.
>>>>>> 3. did './configure --enable-inline'
>>>>>> 4. did 'make'
>>>>>> 5. did 'make install'
>>>>>> 6. copied snort rules and snort conf at appropriate location.
>>>>>> 7. executed the following command :
>>>>>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>>>>>> 8. Snort launches with the traces :
>>>>>>
>>>>>> Enabling inline operation
>>>>>> Running in IDS mode
>>>>>>
>>>>>> --== Initializing Snort ==--
>>>>>> Initializing Output Plugins!
>>>>>> Initializing Preprocessors!
>>>>>> ..................................
>>>>>>
>>>>>> Initializing rule chains...
>>>>>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
>>>>>> Fatal Error, Quitting..
>>>>>>
>>>>>> 9. As you can see I have a test rule in local.rules that has a 'reject' rule in it but snort is not accepting it; the same is the case for the 'sdrop' rule also.
>>>>>>
>>>>>> 10. What is the problem, please help!!!!!
>>>>>>
>>>>>> What should I do in all to let my Snort run in IPS mode
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>> Ashish Sharma
>>>>>>
>>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Download Intel® Parallel Studio Eval
>>>> Try the new software tools for yourself. Speed compiling, find bugs
>>>> proactively, and fine-tune applications for parallel performance.
>>>> See why Intel Parallel Studio got high marks during beta.
>>>> http://p.sf.net/sfu/intel-sw-dev
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>
>>>
>>>
>>> You have compiled Snort with --enable-inline. Your snort.conf looks
>>> fine. The rules you have need to use the "drop" keyword instead of
>>> "alert" so that they will drop the traffic in inline mode.
>>>
>>> So your two rules would become:
>>>
>>> drop tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
>>> drop tcp any any -> 16.150.17.4 3310 (msg: "Test activity"; sid:1000004;)
>>>
>>> --
>>> Nigel Houghton
>>> Head Mentalist
>>> SF VRT
>>> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>>>
>>
>>
>> Your drop rule is commented out, so it is not active. Please try what
>> I told you to try and report back. Thanks.
>>
>> --
>> Nigel Houghton
>> Head Mentalist
>> SF VRT
>> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>>
>
>
> Now we are getting somewhere. Since your snort installation is on the
> same machine you are sending packets to, try adding the "-k none"
> option to the command line. See if that fixes your problem and report
> back.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>
>




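As an added example (not code from the thread or from the Snort project), the following POSIX shell script automates the checks Russ walks Ashish through: reading the configure invocation out of config.log, looking for the trailing "inline" marker in the `snort -V` banner, and reporting which snort binary is on PATH. The build-tree path, the function names and the sample config.log and banner text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: automates the three checks Russ suggests
# for a Snort 2.8.x source tree. (1) Does the configure invocation recorded in
# config.log carry --enable-inline? (2) Does the "snort -V" banner end its
# Version line with "inline"? (3) Which snort binary does PATH resolve to?

# (1) config.log records the invocation on the "$ ./configure ..." line that
# follows "Invocation command line was". Returns 0 when it has --enable-inline.
configured_inline() {
    awk '/Invocation command line was/ { found = 1; next }
         found && /\$ .*configure/ { print; exit }' "$1" |
        grep -q -- '--enable-inline'
}

# (2) Reads a "snort -V" banner on stdin. An inline build prints
# "Version 2.8.5 GRE (Build 124) inline"; a non-inline build stops at ")".
banner_is_inline() {
    grep -q -E 'Version [0-9.]+.*\(Build [0-9]+\)[[:space:]]+inline'
}

# (3) Shows which binary a bare "snort" runs, to compare against the freshly
# built src/snort in the tree (the `which snort` mismatch Russ asks about).
which_snort() {
    command -v snort 2>/dev/null || echo "snort not found on PATH"
}

# Runs all three checks on a build tree passed as $1 (hypothetical path).
diagnose() {
    tree=$1
    if configured_inline "$tree/config.log"; then
        echo "config.log: configure ran with --enable-inline"
    else
        echo "config.log: --enable-inline missing; rerun configure, then make clean && make"
    fi
    if "$tree/src/snort" -V 2>&1 | banner_is_inline; then
        echo "src/snort: inline build"
    else
        echo "src/snort: not an inline build; try make clean before rebuilding"
    fi
    echo "PATH resolves snort to: $(which_snort)"
}

# Constructed stand-in for the top of a config.log, with configure flags
# given as $1 (hypothetical content, not the poster's attachment).
sample_config_log() {
    printf '%s\n' 'generated by GNU Autoconf 2.63.  Invocation command line was' '' \
        "  \$ ./configure $1" '' '## --------- ##'
}

# Constructed banner lines in the shape the thread shows.
INLINE_BANNER='  o"  )~   Version 2.8.5 GRE (Build 124) inline'
PLAIN_BANNER='  o"  )~   Version 2.8.5.2 (Build 121)'
```

Run `diagnose /path/to/snort-2.8.5.2` after sourcing the script; a tree that passes check (1) but fails check (2) is the stale-object case Russ fixes with `make clean`.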