[Snort-users] Newbie question: reject rule for IPv6

K b urbestfriend at ...11827...
Mon Dec 12 04:01:22 EST 2011


After debugging snort using gdb, I found the problem.

Apparently I hadn't specified the -Q option as part of the command-line
arguments, and somehow "daq-mode: inline" in snort.conf is being
ignored only when proto is set to ipv6.

Thanks,
Kumar

On Mon, Dec 12, 2011 at 12:24 PM, K b <urbestfriend at ...11827...> wrote:
> Just to add some more info.
>
> I tried ipq too, without any success. But if I run my web server on an
> IPv4 address and run snort in ip4 mode, I see that the request gets
> blocked.
> I am wondering whether I have missed some step for IPv6, or do I need
> to change the rule for IPv6?
>
>
>
>
> On Sun, Dec 11, 2011 at 4:09 PM, K b <urbestfriend at ...11827...> wrote:
>> JJ,
>>
>> I am using the following command to start snort.
>>
>> snort -c  /etc/snort.conf -N -D
>>
>> Also, I have set the following parameters in snort.conf.
>>
>> config daq: nfq
>> config daq_mode: inline
>> config daq_var: proto=ip6
>> config daq_dir:<dir>
>>
>> Note that I have built both daq and snort with the --ipv6-enabled option.
>>
>> My ip6table:
>>
>> -A INPUT -d <ip_address>/128 -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
>>
>> The setup works fine, as I am seeing alerts getting logged when I send
>> an HTTP request whose URI contains "snort-test", but unfortunately the
>> request is not getting rejected (no ICMP6 unreachable) as it
>> should have been, and the request is going through.
>>
>> In fact I tried 'drop' too, without any success. Can someone point
>> out the code where the ICMP unreachable is sent? I tried to debug daq and
>> the verdict to NFQUEUE is always set as NF_ACCEPT.
>>
>> Thanks for the response.
>>
>> Regards,
>> Kumar
>>
>>
>> On Sat, Dec 10, 2011 at 9:16 PM, JJ Cummings <cummingsj at ...11827...> wrote:
>>> What does your iptables look like and what is your snort startup command line? Also, use drop, not reject.
>>>
>>> Sent from the iRoad
>>>
>>> On Dec 9, 2011, at 5:48, K b <urbestfriend at ...11827...> wrote:
>>>
>>>> Hello,
>>>>
>>>> A newbie here, and I was trying to set up snort inline with NFQ for IPv6
>>>> services.  Just for testing I have added the following reject rule.
>>>>
>>>> reject tcp any any -> any 80 (classtype:attempted-user;
>>>> msg:"Snort_test"; content:"snort-test"; sid:9000001; rev:1;)
>>>>
>>>> Now if I send traffic with the above content, I see that alerts are
>>>> getting generated, but the request is not being reset as expected.
>>>>
>>>> I am running snort 2.9.1.2, my snort.conf is unchanged. What am I doing wrong?
>>>>
>>>> Have a good day.
>>>>
>>>> Thanks and regards,
>>>> Kumar
>>>>
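The fix reported at the top of this thread (the missing -Q) and the setup quoted above, turned into a preflight check. This is an added example, not part of any post in the thread and not Snort's own tooling; the function names, the sample address 2001:db8::10 and the sample file are constructed, and the nfq queue default of 0 is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for a Snort 2.9 + NFQ inline setup.
# Function names and sample values are constructed for illustration.

# Print every value given as "config KEY: value" in a snort.conf, one per line.
conf_values() {
    sed -n "s/^[[:space:]]*config[[:space:]]\{1,\}$1[[:space:]]*:[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//'
}

# Print the queue id from "config daq_var: queue=N" (assumed default: 0).
conf_queue() {
    q=$(conf_values daq_var "$1" | sed -n 's/^queue=\([0-9]\{1,\}\)$/\1/p' | tail -n 1)
    echo "${q:-0}"
}

# Succeed if the start command carries -Q as its own argument.
has_inline_flag() {
    for tok in $1; do [ "$tok" = "-Q" ] && return 0; done
    return 1
}

# Print the queue number of an NFQUEUE rule (0 if unspecified); fail if not NFQUEUE.
rule_queue() {
    case "$1" in *"-j NFQUEUE"*) ;; *) return 1 ;; esac
    q=$(printf '%s\n' "$1" | sed -n 's/.*--queue-num \([0-9]\{1,\}\).*/\1/p')
    echo "${q:-0}"
}

# preflight CMDLINE CONF RULE: print one line per finding, return the number of findings.
preflight() {
    n=0
    has_inline_flag "$1" || { echo "cmdline: -Q missing"; n=$((n + 1)); }
    [ "$(conf_values daq "$2" | tail -n 1)" = nfq ] || { echo "conf: daq is not nfq"; n=$((n + 1)); }
    [ "$(conf_values daq_mode "$2" | tail -n 1)" = inline ] || { echo "conf: daq_mode is not inline"; n=$((n + 1)); }
    if rq=$(rule_queue "$3"); then
        [ "$rq" = "$(conf_queue "$2")" ] || { echo "queue: rule uses $rq, Snort reads $(conf_queue "$2")"; n=$((n + 1)); }
    else
        echo "rule: target is not NFQUEUE"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample mirroring the thread's snort.conf lines and ip6tables rule.
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
printf 'config daq: nfq\nconfig daq_mode: inline\nconfig daq_var: proto=ip6\n' > "$SAMPLE_CONF"
SAMPLE_RULE='-A INPUT -d 2001:db8::10/128 -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0'
preflight 'snort -c /etc/snort.conf -N -D' "$SAMPLE_CONF" "$SAMPLE_RULE" || echo "findings: $?"
preflight 'snort -Q -c /etc/snort.conf -N -D' "$SAMPLE_CONF" "$SAMPLE_RULE"
```

The first call uses the start command from the thread and reports the missing -Q; the second, with -Q added, reports nothing.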