[Snort-users] Odp: Re: Odp: Re: Odp: Re: Snort inline with Squid

James Lay jlay at ...13475...
Mon Apr 27 21:10:36 EDT 2015


On Mon, 2015-04-27 at 21:52 +0200, Robert Lasota wrote:

> On Monday, 27 April 2015 17:18 James Lay
> <jlay at ...13475...> wrote:
> 
> > On 2015-04-27 07:50 AM, Robert Lasota wrote:
> > 
> > > On Sunday, 26 April 2015 21:37 James Lay
> > > <jlay at ...13475...> wrote:
> > >
> > >> So ok...this was fun and weird at the same time. Here's the setup,
> > >> which, though not routing, should get you there. So here's the
> > >> setup:
> > >>
> > >> Workstation (192.168.1.2) <switch> Router/Bridge (192.168.1.9, two
> > >> NIC's bridged to br0) <crossover cable> (we'll pretend it's the
> > >> Internet) (192.168.1.73).
> > >>
> > >> 192.168.1.9 is running snort and squid, squid listening on
> > >> http_port 3128 and https_port 3129. 192.168.1.73 is running apache
> > >> listening on ports 80 and 443. Snort line:
> > >> sudo snort -Q -A cmg -c snort/snort.conf --daq nfq --daq-mode
> > >> inline --daq-var device=br0 --daq-var queue=1 -k none
> > >>
> > >> snort rule (in local.rules, the only ruleset enabled):
> > >> drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get";
> > >> content:"index"; http_uri; sid:1000003; rev:1;)
> > >>
> > >> The below magic combination works:
> > >> sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
> > >> sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1
> > >> sudo iptables -t nat -A PREROUTING -i br0 -s 192.168.1.2 -p tcp
> > >> --dport 80 -j REDIRECT --to-port 3128
> > >>
> > >> [09:20:22 iMac:~$] wget http://192.168.1.73/index
> > >> --2015-04-26 09:20:41-- http://192.168.1.73/index
> > >> Connecting to 192.168.1.73:80... connected.
> > >> HTTP request sent, awaiting response... ^C
> > >>
> > >> Apr 26 09:20:44 analysis squid: 192.168.1.2 - -
> > >> [26/Apr/2015:09:20:44 -0600] "GET http://192.168.1.73/index
> > >> HTTP/1.1" 0 0 TCP_MISS_ABORTED:ORIGINAL_DST - - -
> > >>
> > >> 04/26-09:20:42.843965 [Drop] [**] [1:1000003:1] HTTP Traffic Index
> > >> Get [**] [Priority: 0] {TCP} 192.168.1.9:43256 -> 192.168.1.73:80
> > >> Stream reassembled packet
> > >> 04/26-09:20:42.843965 192.168.1.9:43256 -> 192.168.1.73:80
> > >> TCP TTL:64 TOS:0x0 ID:14977 IpLen:20 DgmLen:277 DF
> > >> ***A**** Seq: 0xF8747E23 Ack: 0x127ADA9C Win: 0x7580 TcpLen: 32
> > >> 47 45 54 20 2F 69 6E 64 65 78 20 48 54 54 50 2F  GET /index HTTP/
> > >> 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  1.1..User-Agent:
> > >>
> > >> Yet choosing something other than index gets the expected results:
> > >>
> > >> [09:20:43 iMac:~$] wget http://192.168.1.73/bleh
> > >> --2015-04-26 09:22:05-- http://192.168.1.73/bleh
> > >> Connecting to 192.168.1.73:80... connected.
> > >> HTTP request sent, awaiting response... 404 Not Found
> > >> 2015-04-26 09:22:05 ERROR 404: Not Found.
> > >>
> > >> Apr 26 09:22:06 analysis squid: 192.168.1.2 - -
> > >> [26/Apr/2015:09:22:06 -0600] "GET http://192.168.1.73/bleh
> > >> HTTP/1.1" 404 543 TCP_MISS:ORIGINAL_DST - - -
> > >>
> > >> I tested other combinations, but none of them worked. Why the
> > >> above combo of mangle PREROUTING AND OUTPUT works I haven't a clue.
> > >> The above will pipe ALL traffic through snort...if that's not what
> > >> you want just specify the port as you'd like. What I like about the
> > >> above is the fact that it runs snort hybrid, so rules with drop will
> > >> drop, rules with alert will only alert. This will also keep most
> > >> firewall rules intact as the mangle table works before your standard
> > >> "filter" tables. Hope that helps.
> > >>
> > >> James
> > >
> > > First, big thanks for your engagement and work.
> > >
> > > Second, unfortunately for now we can't use a bridge interface in our
> > > router so I don't even have the ability to test it. I tried applying your
> > > suggestions just on eth0 instead of br0 but it did not work ;) . We can
> > > set that up if we decide to use br0; I'll write here what results we
> > > had.
> > >
> > > Once again thank you for the help
> > >
> > > Regards, Robert
> > 
> > Hi Robert,
> > 
> > Yea...br0 won't work for you as you're not bridging.  That being said,
> > as these:
> > 
> > sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
> > sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1
> > 
> > are interface independent, they should work across the board.  I would
> > try this first:
> > sudo snort -Q -A cmg -c snort/snort.conf --daq nfq --daq-mode inline
> > --daq-var device=eth0:eth1 --daq-var queue=1 -k none <- run that in a
> > console and see the results
> > sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
> > sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1
> 
> I've stopped at this point because it's not working :(... with Snort
> only.
> 
> I have your mangle rules, Snort is run with:
> 
> snort -Q -A cmg -c /opt/etc/snort/snort.conf --daq nfq --daq-mode
> inline --daq-var device=eth1:eth0 --daq-var queue=1 -k none
> 
> eth1 is LAN, I tried also in reverse: eth0:eth1 - no change
> 
> My one rule in Snort is:
> 
> drop tcp any any -> any $HTTP_PORTS ( content: "usa";
> msg:"Unauthorized Access Prohibited!"; react: msg; sid:4;)
> 
> .. and with my original configs it works. I mean it displays an info page
> about "access denied" (because of the react option). But now when I try to
> go to lk.net.pl/usaaaa I still have "waiting......". In the Snort
> console I have:
> 
> 04/27-19:46:41.783518  [Drop] [**] [1:4:0] Unauthorized Access Prohibited! [**] [Priority: 0] {TCP} 79.110.202.194:62559 -> 10.192.2.120:5000
> 04/27-19:46:41.783518 79.110.202.194:62559 -> 10.192.2.120:5000
> TCP TTL:116 TOS:0x0 ID:19012 IpLen:20 DgmLen:161 DF
> ***AP*** Seq: 0x188D70D9  Ack: 0x7525B7BE  Win: 0xFDE0  TcpLen: 20
> 06 00 00 00 00 00 00 71 64 72 6F 70 20 74 63 70  .......qdrop tcp
> 20 61 6E 79 20 61 6E 79 20 2D 3E 20 61 6E 79 20   any any -> any
> 24 48 54 54 50 5F 50 4F 52 54 53 20 28 20 63 6F  $HTTP_PORTS ( co
> 6E 74 65 6E 74 3A 20 22 75 73 61 22 3B 20 6D 73  ntent: "usa"; ms
> 67 3A 22 55 6E 61 75 74 68 6F 72 69 7A 65 64 20  g:"Unauthorized
> 41 63 63 65 73 73 20 50 72 6F 68 69 62 69 74 65  Access Prohibite
> 64 21 22 3B 20 72 65 61 63 74 3A 20 6D 73 67 3B  d!"; react: msg;
> 20 73 69 64 3A 34 3B 29 0A                        sid:4;).
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> So now even Snort alone isn't working (not displaying the info page +
> drop)
> 
> Robert
> 


Ah...yes with inline, drop will not pass the traffic, whereas alert
will.  My last bit of advice would be to change your test rule from drop
to alert.  I've not used the react option, so I'll defer to someone else
on the list for that bit.

James
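The `-A cmg` console output quoted earlier in this thread is hard to read once a mail client wraps it, and the first thing to settle before loosening an inline `drop` rule is which packet the drop actually hit. The following Python script is an added example written for this page, not code from the thread, from James or Robert, or from the Snort project. It parses cmg-style output (alert header, IP/TCP header lines, hex dump) back into fields, reassembles the hex dump into the TCP payload, checks that the payload length agrees with the `DgmLen`/`IpLen`/`TcpLen` values, and reports which of a rule's `content:` strings occur in the payload. The sample input is constructed from the dump Robert posted, with the mail quoting stripped and the wrapped alert header re-joined; the function and field names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the Snort "-A cmg" output quoted in the thread, with the
# mail client's "> " quoting removed and the alert header on a single line.
SAMPLE_CMG = """\
04/27-19:46:41.783518  [Drop] [**] [1:4:0] Unauthorized Access Prohibited! [**] [Priority: 0] {TCP} 79.110.202.194:62559 -> 10.192.2.120:5000
04/27-19:46:41.783518 79.110.202.194:62559 -> 10.192.2.120:5000
TCP TTL:116 TOS:0x0 ID:19012 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x188D70D9  Ack: 0x7525B7BE  Win: 0xFDE0  TcpLen: 20
06 00 00 00 00 00 00 71 64 72 6F 70 20 74 63 70  .......qdrop tcp
20 61 6E 79 20 61 6E 79 20 2D 3E 20 61 6E 79 20   any any -> any
24 48 54 54 50 5F 50 4F 52 54 53 20 28 20 63 6F  $HTTP_PORTS ( co
6E 74 65 6E 74 3A 20 22 75 73 61 22 3B 20 6D 73  ntent: "usa"; ms
67 3A 22 55 6E 61 75 74 68 6F 72 69 7A 65 64 20  g:"Unauthorized
41 63 63 65 73 73 20 50 72 6F 68 69 62 69 74 65  Access Prohibite
64 21 22 3B 20 72 65 61 63 74 3A 20 6D 73 67 3B  d!"; react: msg;
20 73 69 64 3A 34 3B 29 0A                        sid:4;).
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Alert header: timestamp, verdict/action, [gid:sid:rev], msg, priority,
# protocol and the 5-tuple. Field names here are this example's own.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[(?P<action>\w+)\]\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
IPHDR_RE = re.compile(r"IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)")
TCPHDR_RE = re.compile(r"TcpLen:\s*(?P<tcplen>\d+)")
# Up to 16 hex bytes at the start of a line; the ASCII column that follows
# is separated by at least two spaces, so matching stops there.
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}(?: |$)){1,16})")


def parse_cmg_alert(text: str) -> Dict[str, object]:
    """Parse one cmg alert block into a dict with the payload as bytes."""
    alert: Dict[str, object] = {}
    payload = bytearray()
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ALERT_RE.match(line)
        if m and "action" not in alert:
            alert.update(m.groupdict())
            for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
                alert[key] = int(alert[key])  # type: ignore[arg-type]
            continue
        m = IPHDR_RE.search(line)
        if m:
            alert["ip_len"] = int(m.group("iplen"))
            alert["dgm_len"] = int(m.group("dgmlen"))
            continue
        m = TCPHDR_RE.search(line)
        if m:
            alert["tcp_len"] = int(m.group("tcplen"))
            continue
        m = HEX_RE.match(line)
        if m:
            payload.extend(bytes.fromhex(m.group(1)))  # fromhex skips spaces
    alert["payload"] = bytes(payload)
    return alert


def expected_payload_len(alert: Dict[str, object]) -> int:
    """Payload size implied by the headers: total datagram minus IP and TCP headers."""
    return int(alert["dgm_len"]) - int(alert["ip_len"]) - int(alert["tcp_len"])


def content_matches(payload: bytes, contents: List[str]) -> List[str]:
    """Which plain, case-sensitive content: strings occur in the payload."""
    return [c for c in contents if c.encode() in payload]


def printable(payload: bytes) -> str:
    """Render payload bytes the way cmg's ASCII column does."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


def summarize(text: str, contents: List[str]) -> str:
    """One-line verdict summary: what was dropped, where to, and why."""
    a = parse_cmg_alert(text)
    got, want = len(a["payload"]), expected_payload_len(a)  # type: ignore[arg-type]
    hit = ", ".join(content_matches(a["payload"], contents)) or "none"  # type: ignore[arg-type]
    return (f"{a['action']} sid={a['sid']} {a['src']}:{a['sport']} -> "
            f"{a['dst']}:{a['dport']} payload={got}B (headers say {want}B) "
            f"matched content: {hit}")


if __name__ == "__main__":
    print(summarize(SAMPLE_CMG, ["usa"]))
    print(printable(parse_cmg_alert(SAMPLE_CMG)["payload"]))  # type: ignore[arg-type]
```

The summary line makes the destination port and the matched string visible at a glance, which is the check worth doing before changing the rule: in inline mode a `drop` verdict means the client waits for a reply that never arrives, so confirming exactly which connection was dropped tells you whether the rule, the `$HTTP_PORTS` variable or the NFQUEUE plumbing is the thing to adjust. Switching the test rule to `alert`, as suggested above, keeps the traffic flowing while still logging the match.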