[Snort-users] What to do?

Ellad G. Yatsko eyatsko at ...16592...
Thu Nov 21 04:27:21 EST 2013


Hello!

We have Ubuntu Server 12.04.1 LTS with snort 2.9.2 - both installed from 
scratch. The Snort 2.9.2 package is the native one for this Ubuntu release.

~# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
~#

The Snort config and rule set are both the defaults that come with the 
distribution (apt-get install ...).

IPTables has its default configuration:
~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
~# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
~#
I tried to put some traffic into QUEUE with a command like: iptables -A 
INPUT -p udp -j QUEUE, but it has no effect on my main problem. 
I found just a few cases on the Internet where Snort has been started in 
inline mode, and they do not abound in examples of how to set up IPTables 
in conjunction with Snort... :-( And, moreover, all of them differ 
depending on the Snort version.


After starting Snort via command-line:
~# snort -Q -vv -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf


Snort received some tens of packets (mainly my SSH session to the server 
with Snort), and both interfaces eth0 and eth1 became unavailable from 
outside (i.e. from ipvar EXTERNAL_NET !$HOME_NET), but I could still 
ping them from the server's console. Going further: when I tried to ping 
something outside via the server's interfaces, this also had no result. 
Nothing is accessible via the monitored interfaces.

When I break the program's execution, the interfaces remain inaccessible 
from outside, and external destinations from inside, for some time 
(several minutes).

Now I have two more or less clear dilemmas:
- how to start Snort in inline mode and avoid it hanging up (main problem);
- how to set up IPTables if it is needed for the DAQ.

My future plan for Snort is to analyze and drop excessive SIP traffic 
ONLY (methods: REGISTER and INVITE) from certain IPs. For example, if 
there are many registrations per second (or per ten seconds - no matter), 
such a traffic pattern must be "isolated" from the SIP registrar. And 
the same story goes for INVITEs. Ideally, it would be perfect if Snort 
could add rules to IPTables to block "rogue traffic" permanently! :-) 
As a rule (from my own observations), "bad guys" always sit at the same 
IP addresses.

Please, help... :-)

Kind regards,
Ellad Yatsko
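The per-source rate condition described in the post (many REGISTER or INVITE requests from one IP within a short window), as an added Python example that is not from the original post or the Snort project: it counts watched SIP requests per (source IP, method) in a sliding window, the same shape as a Snort detection_filter with track by_src, count N, seconds M. The sample traffic, addresses and thresholds below are constructed for the demo.

```python
# Per-source rate check for SIP REGISTER / INVITE requests.
# Added example (not from the original post): it implements the "many
# registrations per second from one IP" condition as a sliding window per
# (source IP, method), the same shape as a Snort detection_filter with
# track by_src, count N, seconds M. Sample traffic below is constructed.
from collections import defaultdict, deque

WATCHED_METHODS = {"REGISTER", "INVITE"}

def sip_method(payload: bytes):
    """Return the request method from a SIP request line, else None."""
    # A request line looks like "REGISTER sip:host SIP/2.0"; responses
    # start with "SIP/2.0 <code>" and must not be counted.
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"SIP/2.0") and parts[0].isupper():
        return parts[0].decode("ascii")
    return None

def offenders(packets, count=5, seconds=10.0):
    """Scan (timestamp, src_ip, payload) tuples in time order and return the
    set of (src_ip, method) that sent more than `count` watched requests
    within any `seconds`-long window."""
    windows = defaultdict(deque)   # (src_ip, method) -> recent timestamps
    hits = set()
    for ts, src, payload in packets:
        method = sip_method(payload)
        if method not in WATCHED_METHODS:
            continue               # responses and other methods are ignored
        window = windows[(src, method)]
        window.append(ts)
        while ts - window[0] > seconds:
            window.popleft()       # expire timestamps outside the window
        if len(window) > count:
            hits.add((src, method))
    return hits

# Constructed sample traffic: one source hammering REGISTER, one normal phone
# re-registering every 30 s, a few INVITEs under the threshold, one response.
REGISTER = b"REGISTER sip:pbx.example.net SIP/2.0\r\nVia: SIP/2.0/UDP h\r\n\r\n"
INVITE = b"INVITE sip:100@pbx.example.net SIP/2.0\r\n\r\n"
OK_RESPONSE = b"SIP/2.0 200 OK\r\n\r\n"
SAMPLE = [(i * 0.5, "198.51.100.7", REGISTER) for i in range(8)]   # 8 in 3.5 s
SAMPLE += [(i * 30.0, "192.0.2.10", REGISTER) for i in range(8)]    # 8 in 210 s
SAMPLE += [(5.0 + i, "198.51.100.7", INVITE) for i in range(3)]     # 3 in 2 s
SAMPLE += [(5.2, "192.0.2.1", OK_RESPONSE)]
SAMPLE.sort(key=lambda p: p[0])

if __name__ == "__main__":
    print(offenders(SAMPLE))   # {('198.51.100.7', 'REGISTER')}
```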