[Snort-users] Odp: Re: Odp: Re: Snort inline with Squid

James Lay jlay at ...13475...
Mon Apr 27 11:18:02 EDT 2015


On 2015-04-27 07:50 AM, Robert Lasota wrote:
> Dnia Niedziela, 26 Kwietnia 2015 21:37 James Lay
> <jlay at ...13475...> napisał(a)
> 
>> So ok...this was fun and weird at the same time. Here's the setup,
>> which, though not routing, should get you there. So here's the
>> setup:
>> 
>> Workstation (192.168.1.2) <switch> Router/Bridge (192.168.1.9, two
>> NICs bridged to br0) <crossover cable> (we'll pretend it's the
>> Internet) (192.168.1.73).
>> 
>> 192.168.1.9 is running snort and squid, squid listening on
>> http_port 3128 and https_port 3129. 192.168.1.73 is running apache
>> listening on ports 80 and 443. Snort line:
>> sudo snort -Q -A cmg -c snort/snort.conf --daq nfq --daq-mode
>> inline --daq-var device=br0 --daq-var queue=1 -k none
>> 
>> snort rule (in local.rules, the only ruleset enabled):
>> drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get";
>> content:"index"; http_uri; sid:1000003; rev:1;)
>> 
>> The below magic combination works:
>> sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
>> sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1
>> sudo iptables -t nat -A PREROUTING -i br0 -s 192.168.1.2 -p tcp
>> --dport 80 -j REDIRECT --to-port 3128
>> 
>> [09:20:22 iMac:~$] wget http://192.168.1.73/index
>> --2015-04-26 09:20:41-- http://192.168.1.73/index
>> Connecting to 192.168.1.73:80... connected.
>> HTTP request sent, awaiting response... ^C
>> 
>> Apr 26 09:20:44 analysis squid: 192.168.1.2 - -
>> [26/Apr/2015:09:20:44 -0600] "GET http://192.168.1.73/index
>> HTTP/1.1" 0 0 TCP_MISS_ABORTED:ORIGINAL_DST - - -
>> 
>> 04/26-09:20:42.843965 [Drop] [**] [1:1000003:1] HTTP Traffic Index
>> Get [**] [Priority: 0] {TCP} 192.168.1.9:43256 -> 192.168.1.73:80
>> Stream reassembled packet
>> 04/26-09:20:42.843965 192.168.1.9:43256 -> 192.168.1.73:80
>> TCP TTL:64 TOS:0x0 ID:14977 IpLen:20 DgmLen:277 DF
>> ***A**** Seq: 0xF8747E23 Ack: 0x127ADA9C Win: 0x7580 TcpLen: 32
>> 47 45 54 20 2F 69 6E 64 65 78 20 48 54 54 50 2F GET /index HTTP/
>> 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 1.1..User-Agent:
>> 
>> Yet choosing something other than index gets the expected results:
>> 
>> [09:20:43 iMac:~$] wget http://192.168.1.73/bleh
>> --2015-04-26 09:22:05-- http://192.168.1.73/bleh
>> Connecting to 192.168.1.73:80... connected.
>> HTTP request sent, awaiting response... 404 Not Found
>> 2015-04-26 09:22:05 ERROR 404: Not Found.
>> 
>> Apr 26 09:22:06 analysis squid: 192.168.1.2 - -
>> [26/Apr/2015:09:22:06 -0600] "GET http://192.168.1.73/bleh
>> HTTP/1.1" 404 543 TCP_MISS:ORIGINAL_DST - - -
>> 
>> I tested other combinations, but none of them worked. Why the
>> above combo of mangle PREROUTING AND OUTPUT works I haven't a clue.
>> The above will pipe ALL traffic through snort...if that's not what
>> you want just specify the port as you'd like. What I like about the
>> above is the fact that it runs snort hybrid, so rules with drop will
>> drop, rules with alert will only alert. This will also keep most
>> firewall rules intact as the mangle table works before your standard
>> "filter" tables. Hope that helps.
>> 
>> James
> 
> First, big thanks for your engagement and work.
> 
> Second, unfortunately for now we can't use a bridge interface in our
> router, so I don't even have the ability to test it. I tried to apply
> your suggestions just on eth0 instead of br0, but it did not work ;) .
> We can set that up; if we decide to use br0 I'll write here what
> results we had.
> 
> Once again thank you for help
> 
> Regards, Robert

Hi Robert,

Yea...br0 won't work for you as you're not bridging.  That being said, 
as these:

sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1

are interface independent, they should work across the board.  I would 
try this first (run the snort line in a console and see the results):
sudo snort -Q -A cmg -c snort/snort.conf --daq nfq --daq-mode inline --daq-var device=eth0:eth1 --daq-var queue=1 -k none
sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1

Then run your tests with snort to see if that's working.  Once you 
verify that, then give your squid redirect a go:
sudo iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp 
--dport 80 -j REDIRECT --to-port 3128

The above all assumes that eth0 is your internal NIC serving your 
internal network of 192.168.1.0/24, so you'll want to change these if 
that's not the case.  I've still got my dev box up as I have some squid 
work still to do...next step for me will be to test this via routed.  
Let me know your results if you have a chance and care to...I'll work 
this from my end as well.

James
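Added example, not part of the thread: when inline Snort drops a request that Squid has already forwarded to the origin, Squid logs the transaction with status 0 and TCP_MISS_ABORTED, as in the access.log line quoted above. The script below parses constructed Squid access.log and Snort "fast"-style alert lines modelled on the ones in this thread and ties each aborted proxy request to a Snort drop alert for the same origin host within a few seconds, so you can tell a rule-triggered drop apart from an origin or network failure. It assumes Snort's timestamps are in the same zone as Squid's (-0600) and that the year is 2015, since Snort's timestamp carries neither.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample lines modelled on the squid and snort output quoted in the thread.
SQUID_LOG = """\
192.168.1.2 - - [26/Apr/2015:09:20:44 -0600] "GET http://192.168.1.73/index HTTP/1.1" 0 0 TCP_MISS_ABORTED:ORIGINAL_DST - - -
192.168.1.2 - - [26/Apr/2015:09:22:06 -0600] "GET http://192.168.1.73/bleh HTTP/1.1" 404 543 TCP_MISS:ORIGINAL_DST - - -
"""
SNORT_ALERTS = """\
04/26-09:20:42.843965 [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.9:43256 -> 192.168.1.73:80
"""

# client, timestamp, method, url, status, result code (squid "common" format as quoted above)
SQUID_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d+) \d+ (\S+)')
# timestamp, gid:sid:rev, msg, destination host of a [Drop] alert
SNORT_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[Drop\] \[\*\*\] \[([\d:]+)\] (.*?) \[\*\*\].*\{\w+\} \S+:\d+ -> (\S+):\d+')


def parse_squid(text):
    for line in text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue
        client, ts, method, url, status, result = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield dict(client=client, when=when, method=method, url=url,
                   host=urlsplit(url).hostname, status=int(status), result=result)


def parse_snort(text, year, tz):
    # Assumption: snort's alert timestamp has no year or zone, so both are supplied.
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue
        ts, sid, msg, dst = m.groups()
        when = datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=tz)
        yield dict(when=when, sid=sid, msg=msg, dst=dst)


def correlate(squid_text, snort_text, year=2015, tz=timezone(timedelta(hours=-6)), window=5):
    """Return (client, url, sid, msg) for each aborted squid request preceded by a
    snort drop of traffic to the same origin host within `window` seconds."""
    drops = list(parse_snort(snort_text, year, tz))
    matched = []
    for req in parse_squid(squid_text):
        if req["status"] != 0 or not req["result"].startswith("TCP_MISS_ABORTED"):
            continue  # completed transactions were not cut off by the inline drop
        for d in drops:
            lag = (req["when"] - d["when"]).total_seconds()
            if d["dst"] == req["host"] and 0 <= lag <= window:
                matched.append((req["client"], req["url"], d["sid"], d["msg"]))
    return matched
```

Only the aborted /index request is reported; the /bleh request completed with a 404 from the origin and is left alone.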
