No subject


Thu Nov 23 16:36:19 EST 2017


ng the box as well as do the IPS work.



P.S.: Please respond to the list and not only to myself. It's a mutual benefit.
YM

Date: Sun, 24 Aug 2014 14:00:20 +0200
Subject: Re: [Snort-users] Snort 2.9.6.2 inline mode problem



From: demonsdebason at ...11827...
To: snort at ...15979...

The same behavior when running with 'eth1:eth2'.



Yeah, the interfaces are in promiscuous, silly me.
Any ideas?



On Sun, Aug 24, 2014 at 7:34 AM, Y M <snort at ...15979...> wrote:





inline.
Date: Sun, 24 Aug 2014 05:02:13 +0200
From: demonsdebason at ...11827...
To: snort-users at lists.sourceforge.net




Subject: [Snort-users] Snort 2.9.6.2 inline mode problem

Hi all.
I've been working on my Snort IPS for some time now.
Noticed that 'drop' rules are working half-way, I have set the test rule to drop ICMP coming to the sensor from local machine:






drop icmp 192.168.1.2 any -> 192.168.1.1 any (msg: "Test rule"; sid:110011;)

Alerts get logged and can view them via BASE, but when I ping from .2 to .1 I get this:
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.216 ms
From 192.168.1.1 icmp_seq=1 Destination Port Unreachable
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.269 ms
From 192.168.1.1 icmp_seq=2 Destination Port Unreachable
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.221 ms

So some of them are getting 'blocked'.

When I shut down Snort it's all fine:
64 bytes from 192.168.1.1: icmp_seq=8 ttl=64 time=0.226 ms
64 bytes from 192.168.1.1: icmp_seq=9 ttl=64 time=0.201 ms
64 bytes from 192.168.1.1: icmp_seq=10 ttl=64 time=0.253 ms
64 bytes from 192.168.1.1: icmp_seq=11 ttl=64 time=0.204 ms

Here is my info:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3
+++++++++++++++++++++++++++
snort    41104  4.6  2.0 1675528 1342832 ?     Ssl  04:48   0:00 /usr/sbin/snort -D -i eth1::eth2 -u snort -g snort -c /etc/snort/snort.conf -Q --daq-mode inline -k none

+++++++++++++++++++++++++++
# Looks like you have double colons "eth1::eth2", as opposed to one colon "eth1:eth2". Not sure if the double colons are causing the partial drops.





snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv



++++++++++++++++++++++++++
snort.conf:
config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=1024


I've tried dropping all the ICMPs in the iptables, results are as expected, but Snort still logs the alerts.
Do you have any idea what is the issue here?




# Does Snort log the requests or replies or both? I would imagine if the NIC is promiscuous, then it would still see the requests.

--
Aut viam inveniam aut faciam
:wq!






>As already posted I run it with:
>/usr/sbin/snort -D -i eth1:eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort -Q --daq-mode inline -k none

You can drop "--daq-mode inline" from your command since you already have the mode defined in snort.conf. Does the box running Snort do anything else other than just running Snort?

Run tcpdump to capture the traffic while running Snort and test again. See what information the capture might provide. It's a crapshoot but you may also want to test on another distro, we have one specific case where things didn't work as expected on one distro while it worked fine on another.

YM

On Mon, Aug 25, 2014 at 7:18 PM, Y M <snort at ...15979...> wrote:

Please post your snort.conf, sanitizing any private info. Also the command you use to run Snort.

YM

Date: Sun, 24 Aug 2014 19:58:22 +0200
Subject: Re: [Snort-users] Snort 2.9.6.2 inline mode problem
From: demonsdebason at ...11827...
To: snort at ...15979...
CC: snort-users at lists.sourceforge.net

I have already tried with this rule:
drop icmp 192.168.1.2 any -> 8.8.8.8 any (msg: "NEW TEST"; sid:10666;)

Also modified 384 ICMP rule:
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)

Set HOME_NET to any, restarted Snort and got the same crap:
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 8.8.8.8 icmp_seq=1 Destination Port Unreachable
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=40.6 ms
From 8.8.8.8 icmp_seq=2 Destination Port Unreachable
From 8.8.8.8 icmp_seq=3 Destination Port Unreachable
64 bytes from 8.8.8.8: icmp_seq=3 ttl=46 time=40.7 ms

I've set additional rule:
drop icmp any any -> any any (msg: "NEW TEST"; sid:10666;)

...and am getting:
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
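An added example, not from this thread or the Snort project: a small POSIX sh script that runs the checks raised above offline (single-colon interface pair, redundant --daq-mode when snort.conf already sets daq_mode, the configured DAQ listing "inline", and a count of replies versus unreachables in ping output). The function names and the embedded inputs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for the inline
# setup discussed above. Function names are my own; inputs are constructed.
# afpacket inline bridges a pair given as "ethA:ethB" (one colon).
check_iface_pair() {
    case "$1" in
        *::*) echo "BAD: '$1' has a double colon; use ethA:ethB" ;;
        *:*)  echo "OK: '$1' is a single-colon pair" ;;
        *)    echo "BAD: '$1' is a single interface; inline needs a pair" ;;
    esac
}
# --daq-mode on the command line is redundant once snort.conf sets daq_mode.
check_daq_mode() {    # $1 = command line, $2 = snort.conf text
    if printf '%s' "$1" | grep -q -- '--daq-mode' &&
       printf '%s\n' "$2" | grep -q '^config daq_mode:'; then
        echo "REDUNDANT: daq mode set in both snort.conf and command line"
    else
        echo "OK"
    fi
}
# The DAQ named in snort.conf must advertise "inline" in `snort --daq-list`.
check_daq_inline() {  # $1 = snort.conf text, $2 = --daq-list output
    daq=$(printf '%s\n' "$1" | sed -n 's/^config daq: *//p')
    if printf '%s\n' "$2" | grep "^$daq(" | grep -q inline; then
        echo "OK: $daq supports inline"
    else
        echo "BAD: $daq does not list inline"
    fi
}
# Quantify "half-way" drops: replies vs. unreachables in ping output on stdin.
ping_summary() {
    awk '/bytes from/ {r++} /Unreachable/ {u++}
         END {printf "replies=%d unreachable=%d\n", r, u}'
}
# Constructed inputs (not real captures), shaped like the ones in the thread.
CMD='/usr/sbin/snort -D -i eth1::eth2 -u snort -c /etc/snort/snort.conf -Q --daq-mode inline -k none'
CONF='config policy_mode:inline
config daq: afpacket
config daq_mode: inline'
DAQLIST='pcap(v3): readback live multi unpriv
afpacket(v5): live inline multi unpriv'
PING='64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.216 ms
From 192.168.1.1 icmp_seq=1 Destination Port Unreachable
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.269 ms'
check_iface_pair "$(printf '%s\n' "$CMD" | sed 's/.* -i \([^ ]*\).*/\1/')"
check_daq_mode "$CMD" "$CONF"
check_daq_inline "$CONF" "$DAQLIST"
printf '%s\n' "$PING" | ping_summary
```

Replace the constructed CMD, CONF, DAQLIST and PING strings with the real `ps` line, `snort.conf`, `snort --daq-list` output and a ping transcript to check a live sensor.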

