[Snort-users] What to do?

Ellad G. Yatsko eyatsko at ...16592...
Fri Nov 22 00:23:09 EST 2013


Hello guys!

I have checked something. I reinstalled the OS, switching to Debian 7.2.0 
x86 (Ubuntu 12.04.1 was amd64), and Snort. Snort is again version 
2.9.2 (to be more accurate: 2.9.2.2).
Everything is much the same! It "hangs" the interfaces after several tens of 
packets, and they stay hung until several minutes after Snort's execution is interrupted.

What could it be? I have already mentioned that I compiled Snort from 
sources. Afpacket behaves similarly.

Can anybody help me?... :-)

Kind regards,
Ellad
> Hello!
>
> We have Ubuntu Server 12.04.1 LTS with Snort 2.9.2, both installed from
> scratch. The Snort 2.9.2 package is the native one for this Ubuntu release.
>
> ~# snort --daq-list
> Available DAQ modules:
> pcap(v3): readback live multi unpriv
> ipfw(v2): live inline multi unpriv
> dump(v1): readback live inline multi unpriv
> afpacket(v4): live inline multi unpriv
> ~#
>
> The Snort config and rule set are both the defaults that come with the
> distribution (apt-get install ...).
>
> iptables has its default configuration:
> ~# iptables -nL
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ~# iptables -t nat -nL
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> ~#
> I tried to put some traffic into QUEUE with a command like: iptables -A
> INPUT -p udp -j QUEUE, but it has no effect on my main problem.
> I found just a few cases on the Internet where Snort has been started in
> inline mode, and they do not abound in examples of how to set up iptables
> in conjunction with Snort... :-( Moreover, all of them differ
> depending on the Snort version.
>
>
> After starting Snort via the command line:
> ~# snort -Q -vv -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf
>
>
> Snort received some tens of packets (mainly my SSH session to the server
> with Snort), and both interfaces eth0 and eth1 became unavailable from
> outside (i.e. from ipvar EXTERNAL_NET !$HOME_NET), but I could still
> ping them from the server's console. Going further: when I tried to ping
> something outside through the server's interfaces, this also had no result.
> Nothing is accessible via the monitored interfaces.
>
> When I break the program's execution, the interfaces from outside and
> external destinations from inside continue to be inaccessible for some
> time (several minutes).
>
> Now I have two more or less clear dilemmas:
> - how to start Snort in inline mode and avoid it hanging (main problem);
> - how to set up iptables, if the DAQ needs it.
>
> My future plan for Snort is to analyze and drop excessive
> SIP traffic ONLY (methods: REGISTER and INVITE) from certain IPs. For
> example, if there are many registrations per second (or per ten seconds,
> no matter), such a traffic pattern must be "isolated" from the SIP registrar.
> And the same story applies to INVITEs. Ideally, it would be perfect if
> Snort could add rules to iptables to block "rogue traffic" permanently!
> :-) As a rule (by my own observations), the "bad guys" always sit at the same
> IP addresses.
>
> Please, help... :-)
>
> Kind regards,
> Ellad Yatsko
>
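An added example, not from the original post, for the SIP part of the plan quoted above: two local Snort rules that fire only once a single source exceeds a REGISTER or INVITE rate, wrapped in a small shell helper so the thresholds can be varied. One caveat on the iptables question in the same post: with the afpacket DAQ the drop verdict is applied by Snort itself as it copies packets between eth0 and eth1, and an iptables QUEUE target is only consulted by the nfq DAQ, which is not among the modules in the --daq-list output above. The rules file path, the thresholds, sids 1000001/1000002 and port 5060 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate local Snort rules that
# drop excessive SIP REGISTER / INVITE traffic from a single source.
# detection_filter makes a rule fire only after a source has sent more than
# COUNT matching packets within SECONDS, so ordinary re-registrations pass
# and only the excess is dropped (drop = discard the packet in -Q inline mode).
# Assumptions: registrar on UDP/5060, sids 1000001-1000002, the output path.

write_sip_flood_rules() {
    out="$1"            # rules file to create, e.g. /etc/snort/rules/local-sip.rules (assumed)
    count="${2:-20}"    # matching packets per window before the rule fires (assumed)
    secs="${3:-10}"     # window length in seconds (assumed)
    # Unquoted EOF so $count/$secs expand; \$ keeps the Snort variables literal.
    cat > "$out" <<EOF
# local SIP rate rules, generated by write_sip_flood_rules
drop udp \$EXTERNAL_NET any -> \$HOME_NET 5060 (msg:"LOCAL SIP REGISTER flood"; content:"REGISTER "; depth:9; nocase; detection_filter:track by_src, count $count, seconds $secs; classtype:attempted-dos; sid:1000001; rev:1;)
drop udp \$EXTERNAL_NET any -> \$HOME_NET 5060 (msg:"LOCAL SIP INVITE flood"; content:"INVITE "; depth:7; nocase; detection_filter:track by_src, count $count, seconds $secs; classtype:attempted-dos; sid:1000002; rev:1;)
EOF
}

# count_rules FILE: number of active drop rules in FILE (sanity check of the output)
count_rules() {
    grep -c '^drop udp' "$1"
}

# When run directly with a path argument, write the rules there. Afterwards add
#   include $RULE_PATH/local-sip.rules
# to snort.conf and check that it parses with:  snort -T -c /etc/snort/snort.conf
if [ "$#" -gt 0 ]; then
    write_sip_flood_rules "$1" "$2" "$3"
    echo "wrote $(count_rules "$1") rules to $1"
fi
```

The content matches look at the start of the UDP payload, so they work with the stock Debian/Ubuntu snort.conf whether or not the SIP preprocessor is enabled; if it is, `sip_method:register;` can replace the content/depth pair. detection_filter keeps per-rule state, so the first `count` packets in each window still reach the registrar; to silence a source entirely for a while, keep the rules as `alert` and add a `rate_filter gen_id 1, sig_id 1000001, track by_src, count 20, seconds 10, new_action drop, timeout 60` line to snort.conf instead.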
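The wish quoted above that Snort add iptables rules for "rogue traffic" permanently, as an added example that is not part of the original post or of Snort itself: Snort does not edit iptables, but its alert_fast output can be post-processed. The script below pulls the source addresses of the SIP-flood alerts (sids 1000001/1000002, an assumption) out of a Snort 2.x alert_fast file and prints one idempotent iptables command per source; it prints rather than executes, so the operator can inspect the commands before piping them to sh. The sample alert lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): turn Snort alert_fast lines for
# the local SIP-flood rules into iptables DROP rules, one per source address.
# Snort 2.x alert_fast line layout (the parser scans whitespace-separated
# fields, so any extra tag before the [gid:sid:rev] marker is tolerated):
#   11/22-00:10:03.123456  [**] [1:1000001:1] MSG [**] [Classification: ...] [Priority: 2] {UDP} SRC:PORT -> DST:PORT
# Assumptions: sids 1000001/1000002 are the SIP-flood rules, registrar port
# 5060, and the blocks go in the INPUT chain of the host receiving the packets.

FLOOD_SIDS="1000001 1000002"

# alert_sources FILE: print every source IP that fired one of FLOOD_SIDS, once each
alert_sources() {
    awk -v sids="$FLOOD_SIDS" '
        BEGIN { n = split(sids, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        {
            sid = ""; src = ""
            for (i = 1; i <= NF; i++) {
                # [gid:sid:rev] marker, e.g. [1:1000001:1]
                if ($i ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/) { split($i, p, ":"); sid = p[2] }
                # the {PROTO} tag is followed by "src:port"; keep only the address
                if ($i ~ /^[{][A-Z]+[}]$/ && i < NF) { src = $(i + 1); sub(/:[0-9]+$/, "", src) }
            }
            if (sid == "" || src == "" || !(sid in want)) next
            if (!(src in seen)) { seen[src] = 1; print src }
        }' "$1"
}

# block_commands FILE: print an idempotent iptables command per offending source.
# "-C" tests for an existing rule, so re-running on a growing log adds no duplicates.
block_commands() {
    alert_sources "$1" | while read -r ip; do
        printf 'iptables -C INPUT -s %s -p udp --dport 5060 -j DROP 2>/dev/null || iptables -I INPUT -s %s -p udp --dport 5060 -j DROP\n' "$ip" "$ip"
    done
}

# Constructed sample alert_fast output: two flood sources plus an unrelated sid
sample_alerts() {
    cat <<'EOF'
11/22-00:10:03.123456  [**] [1:1000001:1] LOCAL SIP REGISTER flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 203.0.113.5:5060 -> 192.0.2.10:5060
11/22-00:10:03.223456  [**] [1:1000001:1] LOCAL SIP REGISTER flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 203.0.113.5:5060 -> 192.0.2.10:5060
11/22-00:10:09.000001  [**] [1:1000002:1] LOCAL SIP INVITE flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 198.51.100.7:1234 -> 192.0.2.10:5060
11/22-00:10:12.000001  [**] [1:1000099:1] LOCAL unrelated alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.44:80 -> 192.0.2.10:40000
EOF
}

# Usage:  sh sip-block.sh /var/log/snort/alert | sh    (alert_fast path assumed)
# With no argument, run against the constructed sample and only print.
if [ "$#" -gt 0 ]; then
    block_commands "$1"
else
    f=$(mktemp)
    sample_alerts > "$f"
    block_commands "$f"
    rm -f "$f"
fi
```

Two things to keep in mind before relying on this. First, iptables rules do not survive a reboot on their own; dump them with iptables-save into whatever the distribution restores at boot (iptables-persistent on Debian). Second, the commands have to run on the host whose kernel actually receives the SIP packets: on an afpacket eth0:eth1 bridge Snort copies the packets between the two interfaces in user space, so the sensor's own INPUT and FORWARD chains never see them, and a DROP rule on the sensor only protects the sensor.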