[Snort-users] Snort inline with Squid

James Lay jlay at ...13475...
Fri Apr 24 11:53:23 EDT 2015


On 2015-04-24 07:06 AM, Robert Lasota wrote:
> On Friday, 24 April 2015 13:58 James Lay
> <jlay at ...13475...> wrote:
> 
>> On Fri, 2015-04-24 at 09:33 +0200, Robert Lasota wrote:
>> 
>>> Hi,
>>> 
>>> Well, I have a problem running both these apps together on a
>>> router. Snort (as IPS) inline gets its traffic from iptables (QUEUE
>>> option), and transparent Squid does too (from PREROUTING), and it
>>> turned out there is a problem running both in that case. I tried
>>> these combinations of iptables rules:
>>> 
>>> # for Snort
>>> 
>>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
>>> 
>>> # for Squid
>>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
>>> 
>>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
>>> $iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
>>> 
>>> $iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
>>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
>>> 
>>> .. and nothing. In all cases either Squid doesn't work or Snort doesn't.
>>> 
>>> Does somebody have any idea how to solve this difficult case? I
>>> would appreciate it.
>>> 
>>> Robert
>> Two interfaces? One internal net, one external net?
>> 
>> James
> 
> Yes, there are 2 nics, one for internet and one for LAN.
> 
> Robert

So my setup is I have transparent proxy that's listening on eth0 
(192.168.bleh) that forwards out ppp0 (external IP).  This takes 
internal clients and transparently proxies them.  If that's your setup, 
here's how I would do it.

Start snort:
sudo snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c snort.conf

Snort iptables first:

$iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
# -i is not accepted in the OUTPUT chain; match Squid's own upstream connections on the egress interface instead
$iptables -t mangle -I OUTPUT -o ppp0 -p tcp --dport 80 -j NFQUEUE --queue-num 1


Now for Squid
$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This should get you what you need, however keep in mind that snort will 
need to be started first, and because you're sending ONLY port 80 to the 
NFQUEUE, that's all snort will see, as that's all that's going to the 
queue.  Lastly, you'll need to modify the rules for the traffic you want 
to drop so they use drop instead of alert.  You'll get an alert in your 
unified (if you're doing that) or fast file (if you're doing that as 
well) either way with drop or alert, but drop will actively drop the 
connection.  Check the link below for more info:

http://www.iptables.info/en/structure-of-iptables.html#MANGLETABLE (scroll up to get a nifty diagram).

Hope that helps.

James
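The recipe above depends on two things that are easy to get wrong by hand: the order of operations (Snort bound to the queue before any NFQUEUE rule exists, because a queue with no listener drops every packet it receives), and a ruleset that iptables will actually accept. The script below is an added example written for this page, not code from James's or Robert's messages or from the Snort project; it assumes the thread's interface names (eth0 for the LAN, ppp0 for the uplink), queue number 1 and Squid on port 3128, all overridable through environment variables. It emits the combined ruleset in iptables-restore(8) format and checks /proc/net/netfilter/nfnetlink_queue for a listener before you load it. The /proc sample embedded at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: safe ordering for the Snort (NFQUEUE) + Squid (REDIRECT) setup.
# Interface names, queue number and Squid port are assumptions from the thread.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
QUEUE_NUM="${QUEUE_NUM:-1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Print the combined ruleset in iptables-restore(8) format.  Snort's rules are
# inserted (-I) so they sit ahead of anything already in mangle; Squid's
# REDIRECT is appended to nat PREROUTING.  -i is rejected in the OUTPUT chain,
# so Squid's own upstream connections are matched on the egress interface.
# --queue-bypass is deliberately NOT used: if Snort dies, HTTP fails closed
# instead of silently flowing past the IPS.
build_ruleset() {
    cat <<EOF
*mangle
-I FORWARD -i $LAN_IF -p tcp --dport 80 -j NFQUEUE --queue-num $QUEUE_NUM
-I OUTPUT -o $WAN_IF -p tcp --dport 80 -j NFQUEUE --queue-num $QUEUE_NUM
COMMIT
*nat
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
COMMIT
EOF
}

# Read /proc/net/netfilter/nfnetlink_queue (or a copy of it) on stdin and
# succeed only if a userspace process has bound the given queue.  Columns:
# queue_num peer_portid queue_total copy_mode copy_range queue_dropped
# user_dropped id_sequence 1.  A queue nobody has bound has no row at all,
# and NFQUEUE rules pointing at it drop every matched packet.
queue_has_listener() {
    awk -v q="$1" '$1 == q && $2 != 0 { found = 1 }
                   END { if (found) exit 0; exit 1 }'
}

# Packets the kernel dropped for the queue (queue full + userspace dropped).
# A rising number after the rules are loaded means HTTP is being blackholed.
queue_dropped() {
    awk -v q="$1" '$1 == q { d = $6 + $7 } END { print d + 0 }'
}

# Constructed sample of nfnetlink_queue with Snort bound to queue 1
# (netlink portid 4242) and nothing dropped.
SAMPLE_NFQ="  1  4242     0 2 65531     0     0   17  1"

# Stand-alone demo against the constructed sample; no iptables is touched.
if printf '%s\n' "$SAMPLE_NFQ" | queue_has_listener "$QUEUE_NUM"; then
    echo "queue $QUEUE_NUM has a listener; ruleset that would be loaded:"
    build_ruleset
else
    echo "no listener on queue $QUEUE_NUM: start snort first" >&2
fi
```

On the router itself the gate is `queue_has_listener "$QUEUE_NUM" < /proc/net/netfilter/nfnetlink_queue && build_ruleset | iptables-restore -n` (the `-n` keeps existing rules such as your MASQUERADE in place), and `queue_dropped "$QUEUE_NUM" < /proc/net/netfilter/nfnetlink_queue` is worth polling from whatever watches Snort, since a non-zero count is the first sign that the IPS has stopped draining the queue.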
