[Snort-users] Snort with NFQUEUE allows everything (even unopened ports)

Amm Snort ammdispose-snort at ...131...
Fri Mar 30 23:47:00 EDT 2012


"config daq_mode: inline" implies -Q, doesnt it?


Log shows "nfq DAQ configured to inline."
With as well as without -Q


Snort shows "hydra" alert is proof enough that inline mode is working.


But, anyway, I tried with -Q as well .... same result.. packet does not reach DROP rule and gets ACCEPTed.


Converted "alert" rule to "drop" but same result, PORT still becomes OPEN inspite of iptables DROP following iptables NFQUEUE rule.

(ofcourse typing "EHLO hydra" drops that packet as expected but my point is I was able to establish connection to port 25 which should not have happened at first place)


Also conversion of "alert" rule to "drop" is not a solution, because I may not want to drop everything, sometimes I may just want an alert to be logged.

I am on kernel 3.3 by the way (latest Fedora update), in case it helps in identifying the problem.

Thank you,
 

Amish


>________________________________
> From: Russ Combs <rcombs at ...1935...>
>To: Amm Snort <ammdispose-snort at ...131...> 
>Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net> 
>Sent: Saturday, 31 March 2012 12:18 AM
>Subject: Re: [Snort-users] Snort with NFQUEUE allows everything (even unopened ports)
> 
>
>Try using a drop rule instead of alert.  And the DAQ mode and Snort mode aren't the same thing.  Try adding -Q too.
>
>
>On Fri, Mar 30, 2012 at 2:29 PM, Amm Snort <ammdispose-snort at ...131...> wrote:
>
>Hello all,
>>
>>
>>
>>I have setup snort with DAQ NFQUEUE.
>>
>>
>>My problem is inspite of firewall rule to block all ports, system starts allowing ALL THE PORTS.
>>
>>
>>Without SNORT/NFQUEUE, blocking happens perfectly fine.
>>
>>
>>
>>So either I am making a STUPID mistake (I hope so) otherwise there is a serious SECURITY issue.
>>
>>
>>
>>System:
>>Fedora 16 (64 bit)
>>Snort version 2.9.2.2 (compiled from src rpm at http://www.snort.org/snort-downloads)
>>
>>Daq version 0.6.2 (compiled from src rpm at http://www.snort.org/snort-downloads with NFQ enabled)
>>
>>
>>
>>snort.conf summary:
>>
>>
>>
>>#monitor connection to LAN and DSL IP (dynamic)
>>
>>ipvar HOME_NET [192.168.1.0/24,1.2.0.0/16]
>>
>>
>>
>>config daq: nfq
>>config daq_mode: inline
>>config daq_dir: /usr/lib64/daq
>>
>>
>>
>>Command line:
>>
>>
>>
>>snort  -A fast -b -d -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>>
>>
>>(no interface specified, -Q not needed as config daq_mode set to inline)
>>
>>
>>
>>Rule File: (just one rule for testing)
>>
>>
>>
>>alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP 
Hydra Activity Detected"; flow:to_server,established; content:"hydra"; 
nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; 
reference:url,www.thc.org/releases.php; classtype:misc-attack; 
sid:100000167; rev:1;)
>>
>>
>>IPTABLES:
>>
>>
>>iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
>>iptables -I OUTPUT 1 -p tcp -o ppp1 -j NFQUEUE
>>
>>
>>
>>(rule triggers alert on sending "EHLO hydra" - hence setup seems to be running fine)
>>
>>
>>
>>
>>
>>Now THE SERIOUS PROBLEM:
>>
>>
>>As shown below, my iptables INPUT chain allows connection ONLY on port 22.
>>
>>
>>1) iptables -nvL INPUT (on snort system)
>>
>>
>>
>>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>> pkts bytes target     prot opt in     out     source               destination         
>>  274  146K NFQUEUE    tcp  --  ppp1  
 *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>    0     0 ACCEPT     tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>17344  816K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
>>
>>
>>
>>2) telnet 1.2.3.4 25 (from some remote machine)
>>
>>
>>
>>Trying to connect to port 25 of SNORT machine from some remote machine.
>>
>>
>>
>>Trying 1.2.3.4...
>>Connected to XXXXX.
>>Escape character is '^]'.
>>220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:17:42 +0530
>> >>>> How did it connect to port 25???
>>ehlo hydra....
>>
>>3) tail -1 /var/log/snort/alert
>>
>>03/30-23:17:46.056165  [**] [1:100000167:1] GPL SMTP SMTP Hydra Activity Detected [**] [Classification: Misc Attack] [Priority: 2] {TCP} 2.2.2.2:35256 -> 1.2.3.4:25
>>
>>(which means snort detected the hydra activity as expected)
>>
>>
>>4) iptables -D INPUT 1 -p tcp -i ppp1 -j NFQUEUE
>>
>>
>>Delete the NFQUEUE rule. i.e. disable SNORT inspection
>>
>>
>>
>>5) telnet 1.2.3.4 25 (try again)
>>
>>
>>
>>Trying 1.2.3.4 ...
>>telnet: connect to address 1.2.3.4: No route to host
>>
>>
>>
>>>>> Blocked (packet rejected) just as expected after removing snort NFQUEUE rule
>>
>>
>>6) Add rule again with one additional DROP rule for port 25
>>iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
>>iptables -I INPUT 2 -p tcp -i ppp1 --dport 25 -j DROP
>>
>>
>>
>>a) iptables -nvL INPUT
>>
>>
>>
>> pkts bytes target     prot opt in     out     source               destination         
>>   29  3660 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>    0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>>
>>
>>
>>Now try to connect again:
>>
>>
>>telnet 1.2.3.4 25
>>
>>Trying 1.2.3.4...
>>Connected to XXXXX.
>>Escape character is '^]'.
>>220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:32:17 +0530
>>
>>
>>
>>>>> WHAT?!! Started accepting connection again!!!!
>>
>>
>>
>>b) iptables -nvL INPUT
>>
>>
>>
>> pkts bytes target     prot opt in     out     source               destination         
>>   72  7982 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>    0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>>
>>
>>>>> Notice that DROP counter has not increased at all, which means Snort/NFQUEUE is ALLOWING the packet instead of proceeding to next rule (which is DROP rule)
>>
>>
>>
>>c) Port Scan
>>
>>
>>nmap -n 1.2.3.4
>>
>>Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
>>Interesting ports on  (1.2.3.4):
>>(The 1590 ports scanned but not shown below are in state: closed)
>>Port       State       Service
>>22/tcp     open        ssh                     
>>25/tcp     open        smtp                    
>>80/tcp     open        http                    
>>111/tcp   
 open        sunrpc                  
>>135/tcp    filtered    loc-srv                 
>>137/tcp    filtered    netbios-ns              
>>139/tcp    filtered    netbios-ssn             
>>443/tcp    open        https                   
>>445/tcp    filtered    microsoft-ds            
>>3128/tcp  
 open        squid-http
>>
>>
>>
>>>>> EVERYTHING is OPEN!!! 
>>
>>
>>d) Delete NFQUEUE rule and try to connect again:
>>
>>
>>
>>iptables -D INPUT -p tcp -i ppp1  -j NFQUEUE
>>
>>
>>telnet 1.2.3.4 25
>>
>>Trying 1.2.3.4...
>>
>>
>>Nothing happens due to DROP rule (as expected)
>>
>>
>>
>>
>>d) iptables -nvL INPUT (check packet COUNTER)
>>
>>
>> pkts bytes target     prot opt in     out     source               destination         
>>    2   120 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>>
>>
>>
>>>>> DROP Counter increased once the NFQUEUE rule is deleted
>>
>>
>>
>>
>>
>>
>>
>>So inshort NFQUEUE or Snort is ALLOWING the packet directly instead of letting it pass to next iptables rule.
>>
>>
>>
>>Is there something I missed or there is really something wrong with SNORT/NFQUEUE?
>>
>>
>>
>>
>>
>>Please correct me.
>>
>>
>>Thank you,
>>
>>
>>
>>
>>Amm
>>------------------------------------------------------------------------------
>>This SF email is sponsosred by:
>>Try Windows Azure free for 90 days Click Here
>>http://p.sf.net/sfu/sfd2d-msazure
>>_______________________________________________
>>Snort-users mailing list
>>Snort-users at lists.sourceforge.net
>>Go to this URL to change user options or unsubscribe:
>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>Snort-users list archive:
>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>>Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120331/37af3cc2/attachment.html>


More information about the Snort-users mailing list