[Snort-users] Snort with NFQUEUE allows everything (even unopened ports)

Russ Combs rcombs at ...1935...
Fri Mar 30 14:48:14 EDT 2012


Try using a drop rule instead of alert.  And the DAQ mode and Snort mode
aren't the same thing.  Try adding -Q too.

On Fri, Mar 30, 2012 at 2:29 PM, Amm Snort <ammdispose-snort at ...131...> wrote:

> Hello all,
>
> I have setup snort with DAQ NFQUEUE.
>
> My problem is in spite of firewall rule to block all ports, system starts
> allowing ALL THE PORTS.
>
> Without SNORT/NFQUEUE, blocking happens perfectly fine.
>
> So either I am making a STUPID mistake (I hope so) or there is a
> serious SECURITY issue.
>
> System:
> Fedora 16 (64 bit)
> Snort version 2.9.2.2 (compiled from src rpm at
> http://www.snort.org/snort-downloads)
> Daq version 0.6.2 (compiled from src rpm at
> http://www.snort.org/snort-downloads with NFQ enabled)
>
> snort.conf summary:
>
> #monitor connection to LAN and DSL IP (dynamic)
> ipvar HOME_NET [192.168.1.0/24,1.2.0.0/16]
>
> config daq: nfq
> config daq_mode: inline
> config daq_dir: /usr/lib64/daq
>
> Command line:
>
> snort  -A fast -b -d -u snort -g snort -c /etc/snort/snort.conf -l
> /var/log/snort
>
> (no interface specified, -Q not needed as config daq_mode set to inline)
>
> Rule File: (just one rule for testing)
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP Hydra
> Activity Detected"; flow:to_server,established; content:"hydra"; nocase;
> pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,
> www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
>
> IPTABLES:
>
> iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
> iptables -I OUTPUT 1 -p tcp -o ppp1 -j NFQUEUE
>
> (rule triggers alert on sending "EHLO hydra" - hence setup seems to be
> running fine)
>
>
> Now THE SERIOUS PROBLEM:
>
> As shown below, my iptables INPUT chain allows connection ONLY on port 22.
>
> 1) iptables -nvL INPUT (on snort system)
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   274  146K NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>     0     0 ACCEPT     tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
> 17344  816K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
>
> 2) telnet 1.2.3.4 25 (from some remote machine)
>
> Trying to connect to port 25 of SNORT machine from some remote machine.
>
> Trying 1.2.3.4...
> Connected to XXXXX.
> Escape character is '^]'.
> 220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:17:42 +0530
>  >>>> How did it connect to port 25???
> ehlo hydra
> ....
>
> 3) tail -1 /var/log/snort/alert
>
> 03/30-23:17:46.056165  [**] [1:100000167:1] GPL SMTP SMTP Hydra Activity
> Detected [**] [Classification: Misc Attack] [Priority: 2] {TCP}
> 2.2.2.2:35256 -> 1.2.3.4:25
>
> (which means snort detected the hydra activity as expected)
>
> 4) iptables -D INPUT 1 -p tcp -i ppp1 -j NFQUEUE
>
> Delete the NFQUEUE rule, i.e. disable SNORT inspection
>
> 5) telnet 1.2.3.4 25 (try again)
>
> Trying 1.2.3.4 ...
> telnet: connect to address 1.2.3.4: No route to host
>
> >>> Blocked (packet rejected) just as expected after removing snort
> NFQUEUE rule
>
> 6) Add rule again with one additional DROP rule for port 25
>
> iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
> iptables -I INPUT 2 -p tcp -i ppp1 --dport 25 -j DROP
>
> a) iptables -nvL INPUT
>
>  pkts bytes target     prot opt in     out     source               destination
>    29  3660 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>     0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>
> Now try to connect again:
>
> telnet 1.2.3.4 25
> Trying 1.2.3.4...
> Connected to XXXXX.
> Escape character is '^]'.
> 220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:32:17 +0530
>
> >>> WHAT?!! Started accepting connection again!!!!
>
> b) iptables -nvL INPUT
>
>  pkts bytes target     prot opt in     out     source               destination
>    72  7982 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>     0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>
> >>> Notice that DROP counter has not increased at all, which means
> Snort/NFQUEUE is ALLOWING the packet instead of proceeding to next rule
> (which is DROP rule)
>
> c) Port Scan
>
>  nmap -n 1.2.3.4
>
> Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> Interesting ports on  (1.2.3.4):
> (The 1590 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 80/tcp     open        http
> 111/tcp    open        sunrpc
> 135/tcp    filtered    loc-srv
> 137/tcp    filtered    netbios-ns
> 139/tcp    filtered    netbios-ssn
> 443/tcp    open        https
> 445/tcp    filtered    microsoft-ds
> 3128/tcp   open        squid-http
>
> >>> EVERYTHING is OPEN!!!
>
> d) Delete NFQUEUE rule and try to connect again:
>
> iptables -D INPUT -p tcp -i ppp1  -j NFQUEUE
>
> telnet 1.2.3.4 25
>  Trying 1.2.3.4...
>
> Nothing happens due to DROP rule (as expected)
>
>
> e) iptables -nvL INPUT (check packet COUNTER)
>
>  pkts bytes target     prot opt in     out     source               destination
>     2   120 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>
> >>> DROP Counter increased once the NFQUEUE rule is deleted
>
>
>
> So in short NFQUEUE or Snort is ALLOWING the packet directly instead of
> letting it pass to next iptables rule.
>
> Is there something I missed, or is there really something wrong with
> SNORT/NFQUEUE?
>
>
> Please correct me.
>
> Thank you,
>
>
> Amm
>
>
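The bypass shown in the quoted steps (an accept verdict from the NFQUEUE rule ends traversal of the INPUT chain, so DROP/REJECT rules placed after it never see the packet) can be caught by auditing rule order before relying on Snort drop rules and -Q. The following is an added example, not code from the thread or the Snort project: a small Python audit that parses `iptables -nvL` output in the layout quoted above and reports deny rules that an earlier, overlapping NFQUEUE rule prevents from ever matching. The listings `BAD` and `GOOD` are constructed from the post's step 6 counters; `parse_rules`, `_overlaps` and `bypassed_denies` are names chosen here.

```python
import re
from collections import namedtuple

# One parsed line of `iptables -nvL` (pkts bytes target prot opt in out src dst [extra]).
Rule = namedtuple("Rule", "target proto in_if dport extra")
RULE_RE = re.compile(r"^\s*\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_rules(listing):
    rules = []
    for line in listing.splitlines():
        if line.startswith("Chain") or line.split()[:1] == ["pkts"]:
            continue  # chain banner or column header
        m = RULE_RE.match(line)
        if m:
            target, proto, in_if, extra = m.groups()
            port = re.search(r"dpt:(\d+)", extra)
            rules.append(Rule(target, proto, in_if, port and int(port.group(1)), extra.strip()))
    return rules

def _overlaps(q, r):
    # Match sets overlap unless protocol, inbound interface or dport differ outright.
    same = lambda a, b, wild: a == b or wild in (a, b)
    return same(q.proto, r.proto, "all") and same(q.in_if, r.in_if, "*") and same(q.dport, r.dport, None)

def bypassed_denies(listing):
    """DROP/REJECT rules behind an overlapping NFQUEUE rule: an accept verdict from
    the queue ends traversal of the chain, so these rules never see the packet."""
    queued, bypassed = [], []
    for r in parse_rules(listing):
        if r.target == "NFQUEUE":
            queued.append(r)
        elif r.target in ("DROP", "REJECT") and any(_overlaps(q, r) for q in queued):
            bypassed.append(f"{r.target} {r.proto} in={r.in_if} {r.extra}")
    return bypassed

# Constructed listings in the post's layout. BAD mirrors step 6(b): NFQUEUE ahead of the port-25 DROP.
BAD = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   72  7982 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
"""
# GOOD puts the deny first, so only traffic the firewall would accept anyway is queued to Snort.
GOOD = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
   72  7982 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
"""
```

Run against the step 1 listing, the audit flags the trailing REJECT as well, which is exactly why every port showed open in the nmap scan: the firewall decision had already been handed to Snort, and its alert rules only log.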