[Snort-users] trouble with online mode

Sec_Aficionado secaficionado at ...11827...
Mon Dec 15 09:46:57 EST 2014


I really appreciate you taking the time to explore and tinker with this stuff. I will try to replicate your setup first and then try to modify it to get to where I need my machines to be.

This is quite a learning experience.

Cheers!

Sent from my mobile
Any weird stuff in the message above is autocorrect's fault

> On Dec 14, 2014, at 2:48 PM, James Lay <jlay at ...13475...> wrote:
> 
> 
> 
>> On Sat, 2014-12-13 at 16:02 -0500, Sec_Aficionado wrote: 
>> 
>> ---- quoted message follows ----
>> Ah....yea that's the issue. With --daq-mode inline snort will create its own bridge (that you have no control over). This type of deployment works really well as having snort on its own machine inline such as: (Internet) <-> (SnortIPS) <-> (LinuxRouter) <-> (Switch) I think you and I were in the same boat where we had a linux router that we wanted to put IPS on. You can use the nfq daq functionality like so:
>> 
>> 
>> snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /usr/local/etc/snort/snort.conf
>> /sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>> or
>> /sbin/iptables -I INPUT -j NFQUEUE --queue-num 1
>> 
>> 
>> But I'm going to be honest...I never got nfq to work well. There's a thread on the list that talks heavily about this, but in a nutshell as soon as a packet hits the snort queue, it is either dropped as an IPS hit, or accepted and sent along, which means any iptables rules AFTER the snort queue rule are not referenced, so be warned and make sure to nmap the external IP after you make the changes. It really seems like the IPS functionality is more suited for the IPS on its own dedicated machine and not integrated into a router. My two cents :) James
>> 
>> 
>> ---- end of quoted message ---- 
>> 
>> 
>> James,
>> 
>> 
>> I wonder if you ever got this setup to work. I found the following suggestions in a suricata configuration guide. They use FORWARD instead of INPUT. I have to do some reading before I test this but I'd like to know if you have any advice.
>> 
>> 
>> I would really like to get snort to work as an IPS in a firewall/router box, rather than in a separate machine.
>> 
>> 
>> Thanks!
>> 
>> 
>> The following is an excerpt from: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
>> 
>> 
>> There is also a way to use iptables with multiple networks (and interface cards). Example:
>> 
>> 
>> sudo iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE
>> sudo iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE
>> 
>> The options -i (input) -o (output) can be combined with all previously mentioned options.
>> 
>> If you stop Suricata and use the internet, the traffic will not come through. To make the internet work correctly, you have to erase all iptables rules.
>> 
>> 
>> Sent from my mobile
>> Any weird stuff is autocorrect's fault
> 
> Hi again,
> 
> So...after spending about four hours on this, I think I have actually got this to work as expected.  Keep in mind this is JUST on the FORWARD table, and was tested on a bridged instance, but I'm betting this will work just fine on a routed instance as well.  In a nutshell, the secret is mangle in the FORWARD table.  My test setup was a server, 192.168.1.171, connected via crossover cable to another linux machine with two NICs, and bridging the NICs.  The last bit is my attacking machine, 192.168.1.70.  Setup below:
> 
> sudo snort -Q -A console --daq nfq --daq-var device=br0 --daq-var queue=1 -c /opt/etc/snort/snort.conf -k none
> 
> rule:
> drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)
> 
> #!/bin/bash
> IPTABLES=/sbin/iptables
> INTIF="eth1"
> BRIF="br0"
> EXTIF="eth0"
> 
> You can change the default FORWARD from ACCEPT to drop like so, -P FORWARD DROP, but I wasn't able to get firewall logs doing that, so instead I set to ACCEPT, then add the log and drop below:
> $IPTABLES -F
> $IPTABLES -F -t raw
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -F -t filter
> $IPTABLES -X
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -F FORWARD
> $IPTABLES -t mangle -A FORWARD -j NFQUEUE --queue-num 1
> $IPTABLES -A FORWARD -d 192.168.1.171 -p tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -i br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -i br0 -m conntrack --ctstate NEW -d 192.168.1.171 -j LOG
> $IPTABLES -A FORWARD -i br0 -m conntrack --ctstate NEW -d 192.168.1.171 -j DROP
> 
> And the results..first listening ports:
> [09:34:44 powerbook:~$ sudo netstat -lpn
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN      2447/inetd      
> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2556/smbd       
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1718/rpcbind    
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2909/sshd       
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2825/master     
> tcp        0      0 0.0.0.0:56187           0.0.0.0:*               LISTEN      1755/rpc.statd  
> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2556/smbd       
> tcp6       0      0 :::139                  :::*                    LISTEN      2556/smbd       
> tcp6       0      0 :::111                  :::*                    LISTEN      1718/rpcbind    
> tcp6       0      0 :::80                   :::*                    LISTEN      2168/apache2    
> tcp6       0      0 :::48402                :::*                    LISTEN      1755/rpc.statd  
> tcp6       0      0 :::22                   :::*                    LISTEN      2909/sshd       
> tcp6       0      0 :::25                   :::*                    LISTEN      2825/master     
> tcp6       0      0 :::445                  :::*                    LISTEN      2556/smbd       
> 
> Nmap results:
> Nmap scan report for 192.168.1.171
> Host is up (0.00051s latency).
> Not shown: 998 filtered ports
> PORT   STATE SERVICE
> 80/tcp open  http
> 
> Snort results:
> root at ...11994...:~# wget http://192.168.1.171/index.html
> --2014-12-14 02:36:11--  http://192.168.1.171/index.html
> Connecting to 192.168.1.171:80... connected.
> HTTP request sent, awaiting response... 
> 
> 12/14-09:36:12.712270  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.70:59301 -> 192.168.1.171:80
> 
> root at ...11994...:~# wget http://192.168.1.171/other.html
> --2014-12-14 02:36:48--  http://192.168.1.171/other.html
> Connecting to 192.168.1.171:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 177 [text/html]
> Saving to: `other.html.5'
> 
> 100%[============================================================>] 177         --.-K/s   in 0s      
> 
> 2014-12-14 02:36:48 (12.0 MB/s) - `other.html' saved [177/177]
> 
> Give that a go.
> 
> James
> 
> 
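The thread's two lessons are that an NFQUEUE target ends traversal of its iptables chain for packets Snort accepts (so rules placed after it in the same chain are never consulted), and that the queue number must match what Snort's nfq DAQ is listening on. The audit script below is an added example, not code from the thread or from the Snort project: it parses constructed iptables-save output modelled on the rulesets quoted above and reports shadowed rules and queue-number mismatches.

```python
import re

# Constructed iptables-save output modelled on the working ruleset in the thread:
# NFQUEUE sits in mangle FORWARD, so filter FORWARD still runs after Snort accepts.
GOOD = """\
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num 1
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.1.171/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i br0 -m conntrack --ctstate NEW -d 192.168.1.171/32 -j DROP
COMMIT
"""
# Constructed variant of the earlier "-I ... -j NFQUEUE" suggestion: the DROP
# below NFQUEUE in the same chain is never consulted for packets Snort accepts.
BAD = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num 1
-A FORWARD -i br0 -m conntrack --ctstate NEW -d 192.168.1.171/32 -j DROP
COMMIT
"""

def parse_iptables_save(text):
    # Map table -> chain -> ordered list of '-A' rule lines.
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith("-A "):
            tables[table].setdefault(line.split()[1], []).append(line)
    return tables

def audit_nfqueue(text, snort_queue):
    """Return findings: rules shadowed by an NFQUEUE target in the same chain,
    and a missing feed for the queue number given to Snort's nfq DAQ."""
    findings, queues = [], set()
    for table, chains in parse_iptables_save(text).items():
        for chain, rules in chains.items():
            for pos, rule in enumerate(rules):
                if "-j NFQUEUE" not in rule:
                    continue
                m = re.search(r"--queue-num (\d+)", rule)
                queues.add(int(m.group(1)) if m else 0)  # no --queue-num means queue 0
                skipped = len(rules) - pos - 1
                if skipped:
                    findings.append(f"{table}/{chain}: {skipped} rule(s) after NFQUEUE are skipped for accepted packets")
    if snort_queue not in queues:
        findings.append(f"no NFQUEUE rule feeds queue {snort_queue}")
    return findings
```

On a live box, feed it the output of `iptables-save` and the value passed to `--daq-var queue=`.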