[Snort-users] Odp: Re: Snort inline with Squid

James Lay jlay at ...13475...
Sun Apr 26 15:37:55 EDT 2015


On Sat, 2015-04-25 at 14:49 -0600, James Lay wrote:

> On Sat, 2015-04-25 at 14:58 +0200, Robert Lasota wrote:
> 
> > On Friday, 24 April 2015 17:53 James Lay
> > <jlay at ...13475...> wrote:
> > 
> >         On 2015-04-24 07:06 AM, Robert Lasota wrote:
> >         > On Friday, 24 April 2015 13:58 James Lay
> >         > <jlay at ...13475...> wrote:
> >         >
> >         >> On Fri, 2015-04-24 at 09:33 +0200, Robert Lasota wrote:
> >         >>
> >         >>> Hi,
> >         >>>
> >         >>> Well, I have a problem with running both these apps together on a
> >         >>> router. Snort (as IPS) inline gets traffic from iptables (QUEUE
> >         >>> option), and Squid transparent also (from PREROUTING), and it
> >         >>> turned out there is a problem running both in that case. I tried
> >         >>> these combinations of iptables:
> >         >>>
> >         >>> # for Snort
> >         >>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
> >         >>> # for Squid
> >         >>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
> >         >>>
> >         >>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
> >         >>> $iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
> >         >>>
> >         >>> $iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
> >         >>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
> >         >>>
> >         >>> .. and nothing. In all cases either Squid doesn't work or Snort.
> >         >>>
> >         >>> Does somebody have any idea how to solve this difficult case? I
> >         >>> would appreciate it.
> >         >>>
> >         >>> Robert
> >         >> Two interfaces? One internal net, one external net?
> >         >>
> >         >> James
> >         >
> >         > Yes, there are 2 nics, one for internet and one for LAN.
> >         >
> >         > Robert
> >         
> >         So my setup is I have a transparent proxy that's listening on eth0
> >         (192.168.bleh) that forwards out ppp0 (external IP).  This takes
> >         internal clients and transparently proxies them.  If that's your setup,
> >         here's how I would do it.
> >         
> >         Start snort:
> >         sudo snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c snort.conf
> >         
> >         Snort iptables first:
> >         $iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
> >         $iptables -t mangle -I OUTPUT -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
> >         
> >         Now for Squid
> >         $iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> >         
> >         This should get you what you need, however keep in mind that snort will
> >         need to be started first, and because you're sending ONLY port 80 to the
> >         NFQUEUE, that's all snort will see as that's all that's going to the
> >         queue.  Lastly, you'll need to modify the rules that you want to drop
> >         traffic to reflect drop instead of alert...you'll get an alert in your
> >         unified (if you're doing that) or fast file (if you're doing that as
> >         well) either way with drop or alert, but drop will actively drop the
> >         connection.  Check the link below for more info:
> >         http://www.iptables.info/en/structure-of-iptables.html#MANGLETABLE <
> >         scroll up to get a nifty diagram.
> >         
> >         Hope that helps.
> >         
> >         James
> >         
> > 
> > 
> >  
> > 
> > Hi,
> > 
> > I did as you said and it doesn't work. Squid is blocking but Snort is not
> > working, I mean instead of displaying the alert page it shows some Squid
> > error page "url cannot be retrieved".
> > 
> > My commands were:
> > 
> > snort -Q -D --daq nfq --daq-var device=eth1 --daq-var queue=1 -c /opt/etc/snort/snort.conf
> > 
> > iptables -t mangle -I FORWARD -i eth1 -p tcp --dport 80 -j NFQUEUE --queue-num 1
> > iptables -t mangle -I OUTPUT -o eth1 -p tcp --dport 80 -j NFQUEUE --queue-num 1
> > 
> > eth1 - LAN interface
> > 
> > What is interesting, in the above case no packets hit the rules in the
> > mangle table.. zero:
> > 
> > Chain FORWARD (policy ACCEPT 893 packets, 403K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 NFQUEUE    tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
> > Chain OUTPUT (policy ACCEPT 5009 packets, 3240K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 NFQUEUE    tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
> > 
> > I tried adding the mangle rules without an interface:
> > 
> > iptables -t mangle -I FORWARD -p tcp --dport 80 -j NFQUEUE --queue-num 1
> > iptables -t mangle -I OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
> > 
> > and now packets get only to the OUTPUT chain:
> > 
> > Chain FORWARD (policy ACCEPT 12 packets, 989 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
> > Chain OUTPUT (policy ACCEPT 1855 packets, 645K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >    23  5563 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
> > 
> > ..but still there is an error "url cannot be retrieved"
> > 
> > Robert
> > 
> > 
> > 
> 
> 
> Ok....I'll dust off the dev box and run it through some tests...stay
> tuned.
> 
> James 
> 


So ok...this was fun and weird at the same time.  Here's the setup,
which, though not routing, should get you there.  So here's the setup:

Workstation (192.168.1.2) <switch> Router/Bridge (192.168.1.9, two NICs
bridged to br0) <crossover cable> (we'll pretend it's the Internet)
(192.168.1.73).

192.168.1.9 is running snort and squid, squid listening on http_port
3128 and https_port 3129.  192.168.1.73 is running apache listening on
ports 80 and 443.  Snort line:
sudo snort -Q -A cmg -c snort/snort.conf --daq nfq --daq-mode inline
--daq-var device=br0 --daq-var queue=1 -k none

snort rule (in local.rules, the only ruleset enabled):
drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get";
content:"index"; http_uri; sid:1000003; rev:1;)

The below magic combination works:
sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1
sudo iptables -t nat -A PREROUTING -i br0 -s 192.168.1.2 -p tcp --dport
80 -j REDIRECT --to-port 3128

[09:20:22 iMac:~$] wget http://192.168.1.73/index
--2015-04-26 09:20:41--  http://192.168.1.73/index
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... ^C

Apr 26 09:20:44 analysis squid: 192.168.1.2 - - [26/Apr/2015:09:20:44
-0600] "GET http://192.168.1.73/index HTTP/1.1" 0 0
TCP_MISS_ABORTED:ORIGINAL_DST - - -

04/26-09:20:42.843965  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get
[**] [Priority: 0] {TCP} 192.168.1.9:43256 -> 192.168.1.73:80
Stream reassembled packet
04/26-09:20:42.843965 192.168.1.9:43256 -> 192.168.1.73:80
TCP TTL:64 TOS:0x0 ID:14977 IpLen:20 DgmLen:277 DF
***A**** Seq: 0xF8747E23  Ack: 0x127ADA9C  Win: 0x7580  TcpLen: 32
47 45 54 20 2F 69 6E 64 65 78 20 48 54 54 50 2F  GET /index HTTP/
31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  1.1..User-Agent:


Yet choosing something other than index gets the expected results:

[09:20:43 iMac:~$] wget http://192.168.1.73/bleh
--2015-04-26 09:22:05--  http://192.168.1.73/bleh
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2015-04-26 09:22:05 ERROR 404: Not Found.

Apr 26 09:22:06 analysis squid: 192.168.1.2 - - [26/Apr/2015:09:22:06
-0600] "GET http://192.168.1.73/bleh HTTP/1.1" 404 543
TCP_MISS:ORIGINAL_DST - - -

I tested other combinations, but none of them worked.  Why the above
combo of mangle PREROUTING AND OUTPUT works I haven't a clue.  The above
will pipe ALL traffic through snort...if that's not what you want just
specify the port as you'd like.  What I like about the above is the fact
that it runs snort hybrid, so rules with drop will drop, rules with
alert will only alert.  This will also keep most firewall rules intact
as the mangle table works before your standard "filter" tables.  Hope
that helps.

James
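As an added diagnostic (not part of the thread or of Snort/Squid), the script below parses the `iptables -t mangle -L -v -n` counters that Robert posted and flags NFQUEUE rules that Snort can never see: rules that matched zero packets on the chain/interface they were placed on, and rules whose queue number does not match the `--daq-var queue=` Snort was started with. The sample output is constructed from the counters quoted above.

```python
import re

# Sample constructed from the counters quoted in the thread above.
SAMPLE_MANGLE = """\
Chain FORWARD (policy ACCEPT 893 packets, 403K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT 1855 packets, 645K bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  5563 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
SUFFIX = {"K": 1000, "M": 1000000, "G": 1000000000}

def to_int(counter):
    """iptables -v abbreviates large counters (e.g. 645K); expand the suffix."""
    if counter[-1] in SUFFIX:
        return int(counter[:-1]) * SUFFIX[counter[-1]]
    return int(counter)

def parse_counters(text):
    """Return one dict per rule line of `iptables -L -v -n` output."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and chain:  # the 'pkts bytes ...' header never matches (no digits)
            pkts, _, target, proto, _, iface_in, iface_out, _, _, extra = m.groups()
            rules.append({"chain": chain, "pkts": to_int(pkts), "target": target,
                          "proto": proto, "in": iface_in, "out": iface_out, "extra": extra})
    return rules

def nfqueue_findings(rules, snort_queue):
    """Flag NFQUEUE rules Snort will never see: wrong queue number, or zero hits."""
    findings = []
    for r in rules:
        if r["target"] != "NFQUEUE":
            continue
        where = f"{r['chain']} (in={r['in']}, out={r['out']})"
        qm = re.search(r"NFQUEUE num (\d+)", r["extra"])
        qnum = int(qm.group(1)) if qm else None
        if qnum != snort_queue:
            findings.append(f"{where}: queue {qnum} but Snort runs with --daq-var queue={snort_queue}")
        if r["pkts"] == 0:
            findings.append(f"{where}: matched 0 packets, traffic is not reaching this chain/interface")
    return findings
```

Run it against the live output of `iptables -t mangle -L -v -n` after generating a few port-80 requests; a rule that stays at zero while the chain policy counter climbs is the symptom seen in the thread.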