[Snort-users] What to do?

Ellad G. Yatsko eyatsko at ...16592...
Fri Nov 22 07:22:05 EST 2013


I compiled again.. :-( To restore step-by-step procedure... :-( As usual 
afpacket hangs interfaces... :-(
Ubuntu 12.04.1 amd64 (under VMWare ESXi 5.2) is from scratch.

apt-get -y install build-essential libpcap0.8-dev libmysqlclient15-dev 
mysql-server libc6-dev g++ gcc pcregrep libpcre3-dev iptables-dev bison 
flex tshark

./configure "CFLAGS=-fPIC -g -O2"
make install

cd /usr/src/daq-2.0.1/
make install

cd /usr/src/snort-
./configure --enable-gre --enable-reload --enable-linux-smp-stats 
--enable-zlib --enable-active-response --enable-react --enable-flexresp3
make install

ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
ln -s /usr/local/lib/snort_dynamicpreprocessor 
ln -s /usr/local/lib/snort_dynamicengine /usr/lib/snort_dynamicengine

Then I got init.d script from neighbor Virtual Machine where I had done 
apt-get install snort a minute ago and /etc/snort folder with all its 

scp eyatsko at ...16594...:/etc/init.d/snort /etc/init.d/snort
scp -r eyatsko at ...16594...:/etc/snort /etc/
chown root:root /etc/init.d/snort
chown -R root:root /etc/snort

Then I updated /etc/snort/snort.conf:
. . .
# Setup the network addresses you are protecting
ipvar HOME_NET

# Set up the external network addresses. Leave as "any" in most situations
#ipvar EXTERNAL_NET any
. . .

...and started snort:
snort -Q -v -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf

It got three bootp packets and hangs interfaces.

As I can observe such behaviour of Snort does not depend on
- Snort Version;
- Operation system/OS version;
- The way through Snort is installed;
- Rule set (I commented all include $RULE_PATH/* lines except 
local.rules, which was empty).

What could explain this situation?

Kind regard,
Ellad Yatsko

> I have checked something. I re-installed OS - changed it on Debian 7.2.0
> x86 (Ubuntu 12.04.1 was amd64) and Snort. Snort, again, is of version
> 2.9.2 (if to be more accurate:
> All is much the same! It "hangs" interfaces after several tens of
> packets and until several minutes passed after Snort execution break down.
> What could it be? I have already mentioned that I compiled Snort from
> sources. Afpacket behaves similarly.
> Anybody help me!... :-)
>> We have Ubuntu Server 12.04.1 LTS with snort 2.9.2 - both installed from
>> scratch. Snort 2.9.2 distribution is native for this Ubuntu Release.
>> ~# snort --daq-list
>> Available DAQ modules:
>> pcap(v3): readback live multi unpriv
>> ipfw(v2): live inline multi unpriv
>> dump(v1): readback live inline multi unpriv
>> afpacket(v4): live inline multi unpriv
>> ~#
>> Snort config and rule set both are default they come with distribution
>> (apt-get install ...)
>> IPTables has its default configuration:
>> ~# iptables -nL
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ~# iptables -t nat -nL
>> Chain PREROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> Chain POSTROUTING (policy ACCEPT)
>> target     prot opt source               destination
>> ~#
>> I tried to put some traffic into QUEUE by command like: iptables -A
>> INPUT -p udp -j QUQUE, but it has no effect relative to my main problem.
>> I found just few cases in Internet when Snort have been started in
>> inline mode. And they do not abound in examples how to set up IPTables
>> in conjunction to Snort... :-( And, moreover, all of them differ
>> depending on Snort version.
>> After starting Snort via command-line:
>> ~# snort -Q -vv -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf
>> Snort received some tens of packets (mainly my SSH session to server
>> with Snort), both interfaces eth0 and eth1 become unavailable from
>> outside (i. e. from ipvar EXTERNAL_NET !$HOME_NET  ), but I still can
>> ping them from server's console. Go further. When I tried to ping
>> something out the server's interfaces this also has no result. Nothing
>> is accessible via monitored interfaces.
>> When I break the program execution interfaces from outside and external
>> destinations from inside continue to be inaccessible for some time
>> (several minutes).
>> Now I have two more or less clear dilemmas:
>> - how to start Snort in inline mode and to avoid it hang up (main problem);
>> - how to set up IPTables if it needed to daq.
>> Future plan relative to Snort  supposes to analyze and drop excessive
>> SIP-traffic ONLY (methods: REGISTER and INVITE) from certain IPs. For
>> example if there are many registrations per second (per ten of seconds -
>> no matter). Such traffic patter must be "isolated" from SIP-registrar.
>> And the same history is for INVITES. Ideally, it would be perfect if
>> Snort can add rules to IPTables to block "rougue traffic" permanently!
>> :-) As a rule (by my own observations) "bad guys" sit always at the same
>> IP addresses.
>> Please, help... :-)

More information about the Snort-users mailing list