[Snort-users] Snort with NFQUEUE allows everything (even unopened ports)

Amm Snort ammdispose-snort at ...131...
Sat Mar 31 07:46:57 EDT 2012


To dig further into this, I downloaded the nfq test sample code found at:
http://netfilter.org/projects/libnetfilter_queue/doxygen/nfqnl__test_8c_source.html

which simply runs queue 0 and prints info about the packets captured on that queue.


I compiled it and ran it.

First iptables rule:
iptables -I INPUT -i ppp1 -j DROP # drop everything

>>> telnet to port 25 from a remote host does not work, as expected


Now add NFQUEUE:

iptables -I INPUT -i ppp1 -j NFQUEUE # add a queue


>>> To my surprise, even this TEST program OPENED ALL THE PORTS.

Even a port scan shows ports 22, 80 and 3128 all open.




I wonder if there is a bug in libnetfilter_queue (of kernel 3.3)?

Is it considering VERDICT OF ACCEPT as iptables ACCEPT?


Or AM I REALLY MISSING SOMETHING?


Amm



>________________________________
> From: Amm Snort <ammdispose-snort at ...131...>
>To: Russ Combs <rcombs at ...1935...> 
>Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net> 
>Sent: Saturday, 31 March 2012 9:17 AM
>Subject: Re: [Snort-users] Snort with NFQUEUE allows everything (even unopened ports)
> 
>
>"config daq_mode: inline" implies -Q, doesn't it?
>
>
>
>Log shows "nfq DAQ configured to inline." with as well as without -Q.
>
>
>
>Snort showing the "hydra" alert is proof enough that inline mode is working.
>
>
>
>But anyway, I tried with -Q as well... same result: the packet does not reach the DROP rule and gets ACCEPTed.
>
>
>
>
>Converted the "alert" rule to "drop" but same result, PORT still becomes OPEN in spite of the iptables DROP following the iptables NFQUEUE rule.
>
>
>(of course typing "EHLO hydra" drops that packet as expected, but my point is I was able to establish a connection to port 25, which should not have happened in the first place)
>
>
>
>Also, conversion of the "alert" rule to "drop" is not a solution, because I may not want to drop everything; sometimes I may just want an alert to be logged.
>
>
>I am on kernel 3.3 by the way (latest Fedora update), in case it helps in identifying the problem.
>
>Thank you,
> 
>
>Amm
>
>
>>________________________________
>> From: Russ Combs <rcombs at ...1935...>
>>To: Amm Snort <ammdispose-snort at ...131...> 
>>Cc: "snort-users at lists.sourceforge.net" <snort-users at ...3893...t> 
>>Sent: Saturday, 31 March 2012 12:18 AM
>>Subject: Re: [Snort-users] Snort with NFQUEUE allows everything (even unopened ports)
>> 
>>
>>Try using a drop rule instead of alert.  And the DAQ mode and Snort mode aren't the same thing.  Try adding -Q too.
>>
>>
>>On Fri, Mar 30, 2012 at 2:29 PM, Amm Snort <ammdispose-snort at ...131...> wrote:
>>
>>Hello all,
>>>
>>>
>>>
>>>I have set up snort with DAQ NFQUEUE.
>>>
>>>
>>>My problem is that in spite of a firewall rule to block all ports, the system starts allowing ALL THE PORTS.
>>>
>>>
>>>Without SNORT/NFQUEUE, blocking happens perfectly fine.
>>>
>>>
>>>
>>>So either I am making a STUPID mistake (I hope so) otherwise there is a serious SECURITY issue.
>>>
>>>
>>>
>>>System:
>>>Fedora 16 (64 bit)
>>>Snort version 2.9.2.2 (compiled from src rpm at http://www.snort.org/snort-downloads)
>>>
>>>Daq version 0.6.2 (compiled from src rpm at http://www.snort.org/snort-downloads with NFQ enabled)
>>>
>>>
>>>
>>>snort.conf summary:
>>>
>>>
>>>
>>>#monitor connection to LAN and DSL IP (dynamic)
>>>
>>>ipvar HOME_NET [192.168.1.0/24,1.2.0.0/16]
>>>
>>>
>>>
>>>config daq: nfq
>>>config daq_mode: inline
>>>config daq_dir: /usr/lib64/daq
>>>
>>>
>>>
>>>Command line:
>>>
>>>
>>>
>>>snort -A fast -b -d -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>>>
>>>
>>>(no interface specified, -Q not needed as config daq_mode set to inline)
>>>
>>>
>>>
>>>Rule File: (just one rule for testing)
>>>
>>>
>>>
>>>alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
>>>
>>>
>>>IPTABLES:
>>>
>>>
>>>iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
>>>iptables -I OUTPUT 1 -p tcp -o ppp1 -j NFQUEUE
>>>
>>>
>>>
>>>(rule triggers alert on sending "EHLO hydra" - hence setup seems to be running fine)
>>>
>>>
>>>
>>>
>>>
>>>Now THE SERIOUS PROBLEM:
>>>
>>>
>>>As shown below, my iptables INPUT chain allows connection ONLY on port 22.
>>>
>>>
>>>1) iptables -nvL INPUT (on snort system)
>>>
>>>
>>>
>>>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>>> pkts bytes target     prot opt in     out     source               destination         
>>>  274  146K NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>>    0     0 ACCEPT     tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>>17344  816K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
>>>
>>>
>>>
>>>2) telnet 1.2.3.4 25 (from some remote machine)
>>>
>>>
>>>
>>>Trying to connect to port 25 of SNORT machine from some remote machine.
>>>
>>>
>>>
>>>Trying 1.2.3.4...
>>>Connected to XXXXX.
>>>Escape character is '^]'.
>>>220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:17:42 +0530
>>> >>>> How did it connect to port 25???
>>>ehlo hydra....
>>>
>>>3) tail -1 /var/log/snort/alert
>>>
>>>03/30-23:17:46.056165  [**] [1:100000167:1] GPL SMTP SMTP Hydra Activity Detected [**] [Classification: Misc Attack] [Priority: 2] {TCP} 2.2.2.2:35256 -> 1.2.3.4:25
>>>
>>>(which means snort detected the hydra activity as expected)
>>>
>>>
>>>4) iptables -D INPUT 1 -p tcp -i ppp1 -j NFQUEUE
>>>
>>>
>>>Delete the NFQUEUE rule. i.e. disable SNORT inspection
>>>
>>>
>>>
>>>5) telnet 1.2.3.4 25 (try again)
>>>
>>>
>>>
>>>Trying 1.2.3.4 ...
>>>telnet: connect to address 1.2.3.4: No route to host
>>>
>>>
>>>
>>>>>> Blocked (packet rejected) just as expected after removing snort NFQUEUE rule
>>>
>>>
>>>6) Add rule again with one additional DROP rule for port 25
>>>iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
>>>iptables -I INPUT 2 -p tcp -i ppp1 --dport 25 -j DROP
>>>
>>>
>>>
>>>a) iptables -nvL INPUT
>>>
>>>
>>>
>>> pkts bytes target     prot opt in     out     source               destination         
>>>   29  3660 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>>    0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>>>
>>>
>>>
>>>Now try to connect again:
>>>
>>>
>>>telnet 1.2.3.4 25
>>>
>>>Trying 1.2.3.4...
>>>Connected to XXXXX.
>>>Escape character is '^]'.
>>>220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:32:17 +0530
>>>
>>>
>>>
>>>>>> WHAT?!! Started accepting connection again!!!!
>>>
>>>
>>>
>>>b) iptables -nvL INPUT
>>>
>>>
>>>
>>> pkts bytes target     prot opt in     out     source               destination         
>>>   72  7982 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
>>>    0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>>>
>>>
>>>>>> Notice that DROP counter has not increased at all, which means Snort/NFQUEUE is ALLOWING the packet instead of proceeding to next rule (which is DROP rule)
>>>
>>>
>>>
>>>c) Port Scan
>>>
>>>
>>>nmap -n 1.2.3.4
>>>
>>>Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
>>>Interesting ports on  (1.2.3.4):
>>>(The 1590 ports scanned but not shown below are in state: closed)
>>>Port       State       Service
>>>22/tcp     open        ssh                     
>>>25/tcp     open        smtp                    
>>>80/tcp     open        http                    
>>>111/tcp    open        sunrpc                  
>>>135/tcp    filtered    loc-srv                 
>>>137/tcp    filtered    netbios-ns              
>>>139/tcp    filtered    netbios-ssn             
>>>443/tcp    open        https                   
>>>445/tcp    filtered    microsoft-ds            
>>>3128/tcp   open        squid-http
>>>
>>>
>>>
>>>>>> EVERYTHING is OPEN!!! 
>>>
>>>
>>>d) Delete NFQUEUE rule and try to connect again:
>>>
>>>
>>>
>>>iptables -D INPUT -p tcp -i ppp1  -j NFQUEUE
>>>
>>>
>>>telnet 1.2.3.4 25
>>>
>>>Trying 1.2.3.4...
>>>
>>>
>>>Nothing happens due to DROP rule (as expected)
>>>
>>>
>>>
>>>
>>>e) iptables -nvL INPUT (check packet COUNTER)
>>>
>>>
>>> pkts bytes target     prot opt in     out     source               destination         
>>>    2   120 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
>>>
>>>
>>>
>>>>>> DROP Counter increased once the NFQUEUE rule is deleted
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>So in short, NFQUEUE or Snort is ALLOWING the packet directly instead of letting it pass to the next iptables rule.
>>>
>>>
>>>
>>>Is there something I missed, or is there really something wrong with SNORT/NFQUEUE?
>>>
>>>
>>>
>>>
>>>
>>>Please correct me.
>>>
>>>
>>>Thank you,
>>>
>>>
>>>
>>>
>>>Amm
>>
>>
>>
>
>
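The behaviour traced through this thread, as an added example that is not part of the original posts and not Snort or DAQ code: a small Python model of INPUT-chain traversal in which an NFQUEUE rule hands the packet to a userspace handler and that handler's verdict becomes the chain's result, so rules placed after the NFQUEUE rule are never consulted. That semantics is an assumption of the model, chosen because it is exactly what the DROP counter staying at 0 above shows. The `snort_verdict` function is a stand-in for Snort's nfq DAQ with the thread's single rule converted to `drop`, and `reordered_chain` is one ordering that makes the filtering decision in iptables before anything is queued; both are constructed here, not taken from the thread.

```python
"""Model of iptables INPUT-chain traversal with an NFQUEUE rule (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    """One iptables rule: a match (proto/dport, None = any) and a target."""
    target: str                  # "NFQUEUE", "ACCEPT", "DROP" or "REJECT"
    proto: Optional[str] = None
    dport: Optional[int] = None
    pkts: int = 0                # hit counter, like the pkts column of -nvL


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes = b""


def snort_verdict(pkt: Packet) -> str:
    """Stand-in (assumption) for Snort inline with the thread's rule as 'drop':
    only an 'EHLO hydra' payload is dropped, everything else is ACCEPTed."""
    return "DROP" if b"hydra" in pkt.payload.lower() else "ACCEPT"


def traverse(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT",
             handler: Callable[[Packet], str] = snort_verdict) -> str:
    """Walk the chain top to bottom and return the final verdict.

    Assumed semantics (they match the counters reported in the thread): NFQUEUE
    is terminating from the chain's point of view. The userspace verdict is the
    chain result and the rules after the NFQUEUE rule are never evaluated.
    """
    for rule in chain:
        if rule.proto is not None and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        rule.pkts += 1
        if rule.target == "NFQUEUE":
            return handler(pkt)      # verdict from userspace ends the chain
        return rule.target           # ACCEPT / DROP / REJECT all terminate
    return policy


def thread_chain() -> List[Rule]:
    """Step 6 of the original report: NFQUEUE first, DROP for port 25 after it."""
    return [Rule("NFQUEUE", proto="tcp"),
            Rule("DROP", proto="tcp", dport=25)]


def reordered_chain() -> List[Rule]:
    """Same policy, decided before anything is queued (constructed ordering):
    explicit DROP first, queue only the traffic iptables already allows
    (port 22 here), and reject the rest before it can ever be queued."""
    return [Rule("DROP", proto="tcp", dport=25),
            Rule("NFQUEUE", proto="tcp", dport=22),
            Rule("REJECT")]


def run(chain: List[Rule]) -> Dict[str, dict]:
    """Replay the thread's probes (constructed) against a chain; return the
    per-probe verdicts and the per-rule hit counters."""
    probes = {
        "syn_25":   Packet("tcp", 25),                      # telnet host 25
        "hydra_25": Packet("tcp", 25, b"EHLO hydra\r\n"),   # the Snort trigger
        "syn_22":   Packet("tcp", 22),                      # the only allowed port
        "syn_80":   Packet("tcp", 80),                      # one of nmap's "open" ports
    }
    verdicts = {name: traverse(chain, pkt) for name, pkt in probes.items()}
    counters = {}
    for r in chain:
        key = r.target if r.dport is None else f"{r.target}:{r.dport}"
        counters[key] = r.pkts
    return {"verdicts": verdicts, "counters": counters}


if __name__ == "__main__":
    for name, chain in (("as reported", thread_chain()),
                        ("reordered", reordered_chain())):
        print(name, run(chain))
```

Run as written, the first ruleset reproduces the report: port 25 and port 80 are ACCEPTed, only the hydra payload is dropped, and the DROP rule's counter stays at 0 because the packet never reaches it. In the reordered chain port 25 is dropped by iptables before Snort sees it, port 80 hits the REJECT, and only port 22 traffic is queued for inspection. The defensive takeaway is to treat an NFQUEUE rule as terminating when ordering a chain: every drop or reject decision iptables should make on its own has to come before it, and the NFQUEUE match itself should be as narrow as the traffic you actually want inspected.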