Snort mailing list archives
Re: Re: Snort Behind IPtables, contradicting evidence...
From: John Sage <jsage () finchhaven com>
Date: Thu, 27 Sep 2001 20:43:41 -0700
Bob: Yes..

Bob Hillegas wrote:
If you're interested in snort versus firewall discussion read on. Otherwise this gets kind of deep. Sorry. The question I'm trying to answer is: Does snort on the same box as a packet filter see all the traffic? I think my analysis says yes. That then begs the question, why don't you see any codered traffic in this configuration? I think the answer is that when you DENY packets, you stop the codered transmission at the first SYN packet. It never receives a SYN-ACK, so you never get back the final ACK or any payload.
This whole CodeRed/Nimda deal has been rather anticlimactic for me, because of exactly what you describe.
I've been getting a billion SYN's coming in on tcp:80 but because I DENY that port, I never get to see any of the later elements of the exploits themselves.
Remember that tcp connection establishment has three parts: the initial SYN coming in, my outgoing ACK for that SYN and my outgoing SYN, and then the original source replies with an ACK to my SYN, and off we go... the exploit itself comes after the tcp connection is established.
A firewall that DENY's tcp:80 will see the first SYN in multitudes, but nothing else.
Those who accept connections on tcp:80 have to implement other protections, elsewhere.
I guess in a way you could say it's so very safe being chaste, but it's also kinda boring... ;-)
- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
Someone who has received the full codered transmission can comment more authoritatively than I on that.

On Thu, 27 Sep 2001 JSeddon () semtech com wrote:

Message: 4
To: snort-users () lists sourceforge net
From: JSeddon () semtech com
Date: Thu, 27 Sep 2001 08:53:46 -0700
Subject: [Snort-users] Snort Behind IPtables, contradicting evidence...

Honorable Oinkers,

I fretted a long time before I sent this because I know it's been discussed many times and we are all very busy. However, I wanted to bring it up because either I am missing or misreading something or the evidence I have seen does not support the consensus reached on this list.

I'm running snort on my firewall and have questions about whether snort will see traffic that iptables is configured to block. The question is, "If you run snort on a box with iptables blocking/filtering stuff, will snort see/process all the traffic?". I gleaned over the archives and it seems the consensus of the list was that "yes, snort will see the traffic". One reason given was that the packet capture library takes packets and passes them to snort before the normal tcp stack processing. So, iptables doesn't get a chance to see it. There were also several people who said they were running snort on iptables firewalls and it was working fine.

However, I wasn't seeing the waves of Code Red traffic (or nimda for that matter). I thought that perhaps my ISP was filtering the Code Red Traffic. Just for kicks, I flushed my iptables chains. BAM! Snort started alerting on all kinds of Code Red traffic. Ran rc.firewall again, no snort alerts. Hmmm..I said, maybe a coinky dink....Flushed again, waves of code red alerts....put the rules back in the chains....No alerts...I decided to let it go a day...sure enough, no rules in chains and snort sees the traffic, put the rules back in the chains and snort doesn't. This seems to contradict the conclusion I got from the list archives.
It seems that iptables is processing traffic before snort gets a chance to see it. Snort is putting the NIC in promiscuous mode. But it doesn't see traffic iptables is configured to block unless I flush the IPtables rules. Is something misconfigured with snort for me? Did I draw the wrong conclusion from the list?

Architecture: x86
OS: RedHat 7.1
Rules: Snort.org standard rules
Command Line: snort -c /etc/snort/snort.conf -d -D -h myfirewall.ext.ip/32 -i eth0
Other: It is a ClarkConnect box (www.clarkconnect.org, pretty neat toy actually).

Oinker (still a Piglet)
James
<snippage>

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
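As an added illustration of the point John makes in the message above (this is example code written for this archive page, not code from the thread, from Snort, or from any of the posters): the script below builds constructed IPv4/TCP packets for a connection attempt to tcp/80 under the two policies discussed, DENY (only the inbound SYN ever reaches the host) and ACCEPT (full handshake, then a request payload), parses them with a small header parser, and tallies what an on-host sniffer would record. The addresses, the request string and the content check are all constructed stand-ins; the content check plays the role of a payload-matching IDS rule, not any real Snort signature.

```python
"""Added example, not from the Snort thread: why a DENY on tcp/80 leaves an
on-host sniffer with nothing but SYNs, so payload-matching rules never fire.
All addresses, ports and payload bytes below are constructed sample data."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08
# Constructed stand-in for a worm-style HTTP request; not a real signature.
PROBE_PAYLOAD = b"GET /probe.dll?AAAA HTTP/1.0\r\n\r\n"


def build_tcp_ip(src, dst, sport, dport, flags, payload=b""):
    """Build a bare IPv4+TCP packet (no Ethernet header, checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      8192, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_tcp_ip(pkt):
    """Return (src, dst, sport, dport, flags, payload), or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6:                    # protocol field: 6 == TCP
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, _seq, _ack, off_byte, flags = struct.unpack(
        "!HHIIBB", pkt[ihl:ihl + 14])
    doff = (off_byte >> 4) * 4         # TCP data offset in bytes
    return src, dst, sport, dport, flags, pkt[ihl + doff:]


def observed_traffic(firewall_denies_80):
    """Packets a sniffer on the firewall host itself would see.

    The inbound SYN arrives on the wire whatever the policy (the capture tap
    sees inbound frames before the filter drops them).  The SYN-ACK, the
    final ACK and the request payload exist only if the host answers, so
    under DENY the connection never gets past the first segment.
    """
    attacker, victim = "198.51.100.7", "203.0.113.10"   # constructed
    pkts = [build_tcp_ip(attacker, victim, 40123, 80, SYN)]
    if not firewall_denies_80:
        pkts.append(build_tcp_ip(victim, attacker, 80, 40123, SYN | ACK))
        pkts.append(build_tcp_ip(attacker, victim, 40123, 80, ACK))
        pkts.append(build_tcp_ip(attacker, victim, 40123, 80, PSH | ACK,
                                 PROBE_PAYLOAD))
    return pkts


def ids_summary(pkts, content=b"/probe.dll"):
    """Tally what a payload-matching IDS would make of the captured packets."""
    summary = {"syn_only_to_80": 0, "payload_to_80": 0, "content_alerts": 0}
    for p in pkts:
        parsed = parse_tcp_ip(p)
        if parsed is None:
            continue
        _src, _dst, _sport, dport, flags, payload = parsed
        if dport != 80:
            continue
        if flags & SYN and not flags & ACK and not payload:
            summary["syn_only_to_80"] += 1
        if payload:
            summary["payload_to_80"] += 1
            if content in payload:       # the stand-in "content" rule
                summary["content_alerts"] += 1
    return summary


if __name__ == "__main__":
    for deny in (True, False):
        print("DENY tcp/80" if deny else "ACCEPT tcp/80",
              ids_summary(observed_traffic(deny)))
```

Run as-is and the DENY case reports one SYN and zero content alerts while the ACCEPT case reports the same SYN plus a payload segment that the content check matches; counting the SYNs (a scan or rate rule) is the only way an IDS on a DENY firewall can register the activity at all.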
Current thread:
- Snort Behind IPtables, contradicting evidence... JSeddon (Sep 27)
- Re: Snort Behind IPtables, contradicting evidence... John Sage (Sep 27)
- <Possible follow-ups>
- Re: Snort Behind IPtables, contradicting evidence... Bob Hillegas (Sep 27)
- RE: Re: Snort Behind IPtables, contradicting evidence... John Berkers (Sep 27)
- Re: Re: Snort Behind IPtables, contradicting evidence... John Sage (Sep 27)
- Re: Re: Snort Behind IPtables, contradicting evidence... JSeddon (Sep 27)
- RE: Re: Snort Behind IPtables, contradicting evidence... Martijn Heemels (Sep 28)