[Snort-users] trouble with online mode

James Lay jlay at ...13475...
Sun Dec 14 14:48:12 EST 2014

On Sat, 2014-12-13 at 16:02 -0500, Sec_Aficionado wrote: 

> ---- quoted message follows ----
> Ah....yea that's the issue. With --daq-mode inline snort will create
> its own bridge (that you have no control over). This type of
> deployment works really well as having snort on its own machine
> inline such as: (Internet) <-> (SnortIPS) <-> (LinuxRouter) <->
> (Switch). I think you and I were in the same boat where we had a linux
> router that we wanted to put IPS on. You can use the nfq daq
> functionality like so:
> snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /usr/local/etc/snort/snort.conf
> /sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> or
> /sbin/iptables -I INPUT -j NFQUEUE --queue-num 1
> But I'm going to be honest...I never got nfq to work well. There's a
> thread on the list that talks heavily about this, but in a nutshell as
> soon as a packet hits the snort queue, it is either dropped as an IPS
> hit, or accepted and sent along, which means any iptables rules AFTER
> the snort queue rule are not referenced, so be warned and make sure to
> nmap the external IP after you make the changes. It really seems like
> the IPS functionality is more suited for the IPS on its own dedicated
> machine and not integrated into a router. My two cents :) James
> ---- end of quoted message ---- 
> James,
> I wonder if you ever got this setup to work. I found the following
> suggestions in a suricata configuration guide. They use FORWARD
> instead of INPUT. I have to do some reading before I test this but I'd
> like to know if you have any advice.
> I would really like to get snort to work as an IPS in a
> firewall/router box, rather than in a separate machine.
> Thanks!
> The following is an excerpt
> from: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
> There is also a way to use iptables with multiple networks (and
> interface cards). Example:
> sudo iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE
> sudo iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE
> The options -i (input) -o (output) can be combined with all previously
> mentioned options.
> If you would stop Suricata and use internet, the traffic will not come
> through. To make internet work correctly, you have to erase all
> iptable rules.
> Sent from my mobile
> Any weird stuff is autocorrect's fault

Hi again,

So...after spending about four hours on this, I think I have actually
got this to work as expected.  Keep in mind this is JUST on the FORWARD
table, and was tested on a bridged instance, but I'm betting this will
work just fine on a routed instance as well.  In a nutshell, the secret
is mangle in the FORWARD table.  My test setup was a server, connected via crossover cable to another linux machine
with two NICs, and bridging the NICs.  The last bit is my attacking
machine.  Setup below:

sudo snort -Q -A console --daq nfq --daq-var device=br0 --daq-var queue=1 -c /opt/etc/snort/snort.conf -k none

drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)


You can change the default FORWARD policy from ACCEPT to DROP like so, -P
FORWARD DROP, but I wasn't able to get firewall logs doing that, so
instead I set it to ACCEPT, then add the log and drop below:
$IPTABLES -F -t raw
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -F -t filter
$IPTABLES -t mangle -A FORWARD -j NFQUEUE --queue-num 1
$IPTABLES -A FORWARD -d -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i br0 -m conntrack --ctstate RELATED,ESTABLISHED
$IPTABLES -A FORWARD -i br0 -m conntrack --ctstate NEW -d -j LOG
$IPTABLES -A FORWARD -i br0 -m conntrack --ctstate NEW -d

And the results..first listening ports:
[09:34:44 powerbook:~$ sudo netstat -lpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0   *                                             LISTEN      2447/inetd
tcp        0      0   *                                             LISTEN      2556/smbd
tcp        0      0   *                                             LISTEN      1718/rpcbind
tcp        0      0   *                                             LISTEN      2909/sshd
tcp        0      0   *                                             LISTEN      2825/master
tcp        0      0   *                                             LISTEN      1755/rpc.statd
tcp        0      0   *                                             LISTEN      2556/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      2556/smbd
tcp6       0      0 :::111                  :::*                    LISTEN      1718/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      2168/apache2
tcp6       0      0 :::48402                :::*                    LISTEN      1755/rpc.statd
tcp6       0      0 :::22                   :::*                    LISTEN      2909/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      2825/master
tcp6       0      0 :::445                  :::*                    LISTEN      2556/smbd

Nmap results:
Nmap scan report for
Host is up (0.00051s latency).
Not shown: 998 filtered ports
80/tcp open  http

Snort results:
root at ...11994...:~# wget
--2014-12-14 02:36:11--
Connecting to connected.
HTTP request sent, awaiting response... 

12/14-09:36:12.712270  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} ->

root at ...11994...:~# wget
--2014-12-14 02:36:48--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 177 [text/html]
Saving to: `other.html.5'

100%[============================================================>] 177  --.-K/s   in 0s

2014-12-14 02:36:48 (12.0 MB/s) - `other.html' saved [177/177]

Give that a go.

