No subject


Thu Nov 23 16:36:19 EST 2017


How are you testing/connecting the client (icmp echo request sender), the sensor, and the receiver of the icmp? The NICs that Snort is using to receive --> pass/drop --> forward traffic should be inline with no IP addresses. From your description, it seems that you are using the same interface to ping the box as well as do the IPS work.

P.S.: Please respond to the list and not only to myself. It's a mutual benefit.

YM

Date: Sun, 24 Aug 2014 14:00:20 +0200
Subject: Re: [Snort-users] Snort 2.9.6.2 inline mode problem
From: demonsdebason at ...11827...
To: snort at ...15979...

The same behavior when running with 'eth1:eth2'.
Yeah, the interfaces are in promiscuous, silly me.
Any ideas?



On Sun, Aug 24, 2014 at 7:34 AM, Y M <snort at ...15979...> wrote:





inline.
Date: Sun, 24 Aug 2014 05:02:13 +0200
From: demonsdebason at ...11827...
To: snort-users at lists.sourceforge.net

Subject: [Snort-users] Snort 2.9.6.2 inline mode problem

Hi all.
I've been working on my Snort IPS for some time now.
Noticed that 'drop' rules are working half-way, I have set the test rule to drop ICMP coming to the sensor from local machine:



drop icmp 192.168.1.2 any -> 192.168.1.1 any (msg: "Test rule"; sid:110011;)

Alerts get logged and can view them via BASE, but when I ping from .2 to .1 I get this:
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.216 ms
From 192.168.1.1 icmp_seq=1 Destination Port Unreachable
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.269 ms
From 192.168.1.1 icmp_seq=2 Destination Port Unreachable
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.221 ms

So some of them are getting 'blocked'.


When I shutdown Snort it's all fine:
64 bytes from 192.168.1.1: icmp_seq=8 ttl=64 time=0.226 ms
64 bytes from 192.168.1.1: icmp_seq=9 ttl=64 time=0.201 ms
64 bytes from 192.168.1.1: icmp_seq=10 ttl=64 time=0.253 ms
64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.204 ms

Here is my info:


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3
+++++++++++++++++++++++++++
snort    41104  4.6  2.0 1675528 1342832 ?     Ssl  04:48   0:00 /usr/sbin/snort -D -i eth1::eth2 -u snort -g snort -c /etc/snort/snort.conf -Q --daq-mode inline -k none

+++++++++++++++++++++++++++
# Looks like you have double colons "eth1::eth2", as opposed to one colon "eth1:eth2". Not sure if the double colons are causing the partial drops.


snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

afpacket(v5): live inline multi unpriv



++++++++++++++++++++++++++
snort.conf:
config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline

config daq_var: buffer_size_mb=1024


I've tried dropping all the ICMPs in the iptables, results are as expected, but Snort still logs the alerts.
Do you have any idea what is the issue here?

# Does Snort log the requests or replies or both? I would imagine if the NIC is promiscuous, then it would still see the requests.

-- 
Aut viam inveniam aut faciam
:wq!



------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


-- 
Aut viam inveniam aut faciam
:wq!

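The thread ends with two practical points: the afpacket pair must be given as "eth1:eth2" with a single colon, and the NICs Snort bridges should carry no IP addresses, otherwise pinging the sensor's own address is not a test of the inline path at all. The script below is an added example, not code from the thread or from the Snort project, that checks both before a drop-rule test. It assumes Snort 2.9's afpacket pair syntax and iproute2's `ip -o addr show` output format; the address listing embedded in it is constructed to mirror the 192.168.1.x setup described above, and the function names are my own.

```shell
#!/bin/sh
# Added example: sanity checks for a Snort 2.9 afpacket inline pair.
# Not from the thread or the Snort project. Assumes:
#   - Snort's afpacket DAQ pair syntax "ifA:ifB" (one colon), as YM notes;
#   - iproute2 "ip -o addr show" output, one address per line, e.g.
#       "3: eth1    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1"
# The address listing further down is constructed to mirror the thread's setup.

# 1. The -i argument must be exactly two interface names joined by ONE colon.
#    "eth1::eth2" (as seen in the ps output) or a bare "eth1" both fail.
pair_spec_ok() {
    spec=$1
    case "$spec" in
        ""|:*|*:|*::*) return 1 ;;
    esac
    case "${spec#*:}" in
        *:*) return 1 ;;          # more than one colon
    esac
    case "$spec" in
        *:*) return 0 ;;
        *)   return 1 ;;          # no colon at all
    esac
}

# 2. List IPv4/IPv6 addresses configured on either member of the pair.
#    Reads "ip -o addr show" lines on stdin; prints "ifname addr/prefix".
#    A bridged inline pair should print nothing.
pair_addresses() {
    ifa=${1%%:*}
    ifb=${1#*:}
    awk -v a="$ifa" -v b="$ifb" \
        '($2 == a || $2 == b) && ($3 == "inet" || $3 == "inet6") { print $2, $4 }'
}

# 3. Combine the checks. Reads "ip -o addr show" lines on stdin.
#    $1 = pair spec, $2 = (optional) IP you are pinging during the test.
#    Returns 0 if the pair looks clean, 1 if anything was flagged.
audit_inline_pair() {
    spec=$1
    target=${2:-}
    rc=0
    if ! pair_spec_ok "$spec"; then
        echo "BAD: interface spec '$spec' must be two names joined by one colon, e.g. eth1:eth2"
        return 1
    fi
    addrs=$(pair_addresses "$spec")
    if [ -n "$addrs" ]; then
        echo "WARN: addresses configured on pair members (inline NICs should have none):"
        echo "$addrs" | sed 's/^/  /'
        rc=1
    fi
    if [ -n "$target" ]; then
        case "$addrs" in
            *" $target/"*)
                echo "WARN: $target belongs to a pair member; the sensor's own IP stack answers echo requests to it regardless of what Snort does with the copy it sees, so a drop rule on that traffic is not a clean inline test"
                rc=1 ;;
        esac
    fi
    return $rc
}

# Live use on a sensor (needs iproute2):  live_audit eth1:eth2 192.168.1.1
live_audit() {
    ip -o addr show | audit_inline_pair "$1" "${2:-}"
}

# Constructed sample mirroring the thread: eth1 is one half of the inline pair
# and also carries the address that the test pings (192.168.1.1).
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0
3: eth1    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
3: eth1    inet6 fe80::1/64 scope link'

# Run the constructed sample through the audit.
if printf '%s\n' "$SAMPLE_ADDR" | audit_inline_pair eth1:eth2 192.168.1.1; then
    echo "pair eth1:eth2 looks clean"
else
    echo "pair eth1:eth2 needs attention before the drop test means anything"
fi
```

On a real sensor, source the script and run `live_audit eth1:eth2 192.168.1.1` (or whatever pair and ping target you use); a clean result is no output and exit status 0. The check deliberately treats any address on a pair member, including IPv6 link-local, as worth a look, since a bridged pair that is only forwarding frames has no reason to be reachable itself.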




