No subject

Thu Nov 23 16:36:19 EST 2017

6 time=40.2 ms
From icmp_seq=2 Destination Port Unreachable
From icmp_seq=3 Destination Port Unreachable
From icmp_seq=4 Destination Port Unreachable
From icmp_seq=5 Destination Port Unreachable
64 bytes from : icmp_seq=5 ttl=46 time=40.6 ms
From icmp_seq=6 Destination Port Unreachable

Tried with and without normalization, works the same.

Snort is blocking, but seems not to be able to drop all the traffic:
08/24-19:56:03.511103  [Drop] [**] [1:10666:0] NEW TEST [**] [Priority: 0] {ICMP} ->
08/24-19:56:03.511145  [Drop] [**] [1:10666:0] NEW TEST [**] [Priority: 0] {ICMP} x.x.x.x -> 8.8.8.
08/24-19:56:03.551092  [Drop] [**] [1:10666:0] NEW TEST [**] [Priority: 0] {ICMP} ->
08/24-19:56:03.551058  [Drop] [**] [1:10666:0] NEW TEST [**] [Priority: 0] {ICMP} -> x.x.x.x

On Sun, Aug 24, 2014 at 6:29 PM, Y M <snort at ...15979...> wrote:

Ok, assuming you are set up this way:

Internet <---> eth2 | IPS | eth1 <---> local, where eth1 and eth2 are the listening (promiscuous) interfaces and through which traffic is passing. When you force Snort into inline mode using afpacket, Snort (logically) bridges the interfaces together to let the traffic pass, otherwise drop it when matches occur. Looking again at the rule you have, both destinations are local. What happens if you change both destinations (HOME_NET and EXTERNAL_NET) to any/any? Better, take rule sid:384 and modify it and try to ping an external source and see what happens. For troubleshooting purposes only, run Snort with -A console or -A cmg so you can see what's going on directly on the console (without -D).

Also, do you have normalization enabled?

YM

Date: Sun, 24 Aug 2014 17:50:27 +0200
Subject: Re: [Snort-users] Snort inline mode problem
From: demonsdebason at ...5119...
To: snort at ...16002...
CC: snort-users at

Here is the setup:

INTERNET <--> | IPS/router | <--> | local machines |

IPS box has 4 interfaces, where 2 have an address, others don't. It seemed illogical to set Snort to listen on interfaces where no traffic is passing through.
When I set Snort to use unaddressed interfaces, nothing happens, meaning no alerts are recorded and ICMP echo test isn't working.
Tried setting up bridge interfaces and assigning the two unaddressed interfaces to Snort, same results.
The only result I get is having Snort listening on the interfaces traffic traverses through.

On Sun, Aug 24, 2014 at 4:24 PM, Y M <snort at ...15979...> wrote:

How are you testing/connecting the client (icmp echo request sender), the sensor, and the receiver of the icmp? The NICs that Snort is using to receive --> pass/drop --> forward traffic should be inline with no IP addresses. From your description, it seems that you are using the same interface to ping the box as well as do the IPS work.

P.S.: Please respond to the list and not only to myself. It's a mutual benefit.

YM

Date: Sun, 24 Aug 2014 14:00:20 +0200
Subject: Re: [Snort-users] Snort inline mode problem
From: demonsdebason at ...11827...
To: snort at ...15979...

The same behavior when running with 'eth1:eth2'.
Yeah, the interfaces are in promiscuous, silly me.
Any ideas?

On Sun, Aug 24, 2014 at 7:34 AM, Y M <snort at ...15979...> wrote:

inline.

Date: Sun, 24 Aug 2014 05:02:13 +0200
From: demonsdebason at ...11827...
To: snort-users at
Subject: [Snort-users] Snort inline mode problem

Hi all.
I've been working on my Snort IPS for some time now.
Noticed that 'drop' rules are working half-way, I have set the test rule to drop ICMP coming to the sensor from local machine:

drop icmp any -> any (msg: "Test rule"; sid:110011;)

Alerts get logged and I can view them via BASE, but when I ping from .2 to .1 I get this:
PING ( 56(84) bytes of data.
64 bytes from : icmp_seq=1 ttl=64 time=0.216 ms
From icmp_seq=1 Destination Port Unreachable
64 bytes from : icmp_seq=2 ttl=64 time=0.269 ms
From icmp_seq=2 Destination Port Unreachable
64 bytes from : icmp_seq=3 ttl=64 time=0.221 ms

So some of them are getting 'blocked'.

When I shutdown Snort it's all fine:
64 bytes from 192.168.1.1: icmp_seq=8 ttl=64 time=0.226 ms
64 bytes from : icmp_seq=9 ttl=64 time=0.201 ms
64 bytes from : icmp_seq=10 ttl=64 time=0.253 ms
64 bytes from : icmp_seq=11 ttl=64 time=0.204 ms

Here is my info:

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team:
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3
+++++++++++++++++++++++++++
snort    41104  4.6  2.0 1675528 1342832 ?  Ssl  04:48   0:00 /usr/sbin/snort -D -i eth1::eth2 -u snort -g snort -c /etc/snort/snort.conf -Q --daq-mode inline -k none
+++++++++++++++++++++++++++

# Looks like you have double colons "eth1::eth2", as opposed to one colon "eth1:eth2". Not sure if the double colons are causing the partial drops.

snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

++++++++++++++++++++++++++
snort.conf:

config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=1024

I've tried dropping all the ICMPs in the iptables, results are as expected, but Snort still logs the alerts.
Do you have any idea what is the issue here?

# Does Snort log the requests or replies or both? I would imagine if the NIC is promiscuous, then it would still see the requests.

-- 
Aut viam inveniam aut faciam
:wq!

Snort-users mailing list
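A check for the symptom this thread describes, added here as an example (it is not code from the thread or from the Snort project): it parses ping output and Snort console alert lines and flags every icmp_seq that Snort reported as dropped yet still received an echo reply. The sample lines, timestamps and the 192.0.2.x addresses are constructed for the example; the sid 110011 is the poster's own test rule.

```python
import re
# Constructed sample ping output, modelled on the thread: icmp_seq 1 and 2 get
# an echo reply AND a "Destination Port Unreachable", so those requests reached
# the target although Snort reported a drop; seq 3 was only rejected.
PING_OUTPUT = """\
64 bytes from 192.0.2.1: icmp_seq=1 ttl=64 time=0.216 ms
From 192.0.2.1 icmp_seq=1 Destination Port Unreachable
64 bytes from 192.0.2.1: icmp_seq=2 ttl=64 time=0.269 ms
From 192.0.2.1 icmp_seq=2 Destination Port Unreachable
From 192.0.2.1 icmp_seq=3 Destination Port Unreachable
"""
# Constructed Snort 2.9 console alerts (-A console) for the same three packets.
SNORT_ALERTS = """\
08/24-19:56:03.511103  [Drop] [**] [1:110011:0] Test rule [**] [Priority: 0] {ICMP} 192.0.2.2 -> 192.0.2.1
08/24-19:56:04.512001  [Drop] [**] [1:110011:0] Test rule [**] [Priority: 0] {ICMP} 192.0.2.2 -> 192.0.2.1
08/24-19:56:05.513120  [Drop] [**] [1:110011:0] Test rule [**] [Priority: 0] {ICMP} 192.0.2.2 -> 192.0.2.1
"""
REPLY_RE = re.compile(r"^\d+ bytes from .*?icmp_seq=(\d+) ttl=\d+ time=[\d.]+ ms$")
UNREACH_RE = re.compile(r"^From .*?icmp_seq=(\d+) Destination \w+ Unreachable$")
ALERT_RE = re.compile(r"^\S+\s+\[(?P<action>\w+)\] \[\*\*\] \[\d+:(?P<sid>\d+):\d+\] "
                      r".*? \[\*\*\] .*\{(?P<proto>\w+)\} \S+ -> \S+$")

def parse_ping(text):
    """Map each icmp_seq to whether it was answered and/or reported unreachable."""
    seqs = {}
    for line in text.splitlines():
        for regex, key in ((REPLY_RE, "replied"), (UNREACH_RE, "unreachable")):
            m = regex.match(line)
            if m:
                seqs.setdefault(int(m.group(1)), {"replied": False, "unreachable": False})[key] = True
    return seqs

def count_icmp_drops(text):
    """Count console alerts with action [Drop] and protocol ICMP, keyed by sid."""
    drops = {}
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m and m.group("action") == "Drop" and m.group("proto") == "ICMP":
            drops[int(m.group("sid"))] = drops.get(int(m.group("sid")), 0) + 1
    return drops

def assess_inline_drop(ping_text, alert_text):
    """Effective only if Snort dropped something and no sequence still got a reply;
    a sequence both dropped and answered means the sensor sees the traffic but is
    not in the forwarding path, which is the diagnosis given in the thread."""
    seqs = parse_ping(ping_text)
    drops = count_icmp_drops(alert_text)
    leaked = sorted(s for s, v in seqs.items() if v["replied"])
    return {"drops": sum(drops.values()), "sequences": len(seqs),
            "leaked_seqs": leaked, "effective": bool(drops) and not leaked}
```

Run it against real `ping` output and a `-A console` capture taken during the same test; an "effective" of False with a non-empty "leaked_seqs" reproduces the poster's situation.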


More information about the Snort-users mailing list