Snort mailing list archives
RE: Snort + ipchains
From: "John Berkers" <berjo () ozemail com au>
Date: Sun, 2 Dec 2001 12:19:00 +1100
As I recall from the discussion some time ago, it was decided that a box running both firewall and snort would only see traffic that is allowed through the firewall rules because the initial handshake is never completed. The SYN packet is always blocked, and therefore the exploit packet will never be seen. What this amounts to is only being able to see SYN-based traffic and exploits on ports that are open (perhaps for a specific set of addresses).

It was suggested at the time that the FAQ should be updated, but as far as I can tell it still only says:

4.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
A: Your firewall rules will also block traffic to the snort processes.

Perhaps it should be brought up-to-date by adding something like this:

4.19 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is on my firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
A: While Snort also sees the packets that the firewall does, if the exploit that the signature catches requires a connection to be established, the exploit will never be sent. The firewall blocks the three-way handshake process and you never get a connection, therefore you never get the exploit packet.

Just my take on the situation. Hope that clears up some questions.

Regards,
John Berkers
ICQ: 112912
Network Services
Hansen Corporation
john.berkers () hancorp com au
berjo () ozemail com au

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of John Sage
Sent: Sunday, 2 December 2001 8:34
To: Guillaume
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort + ipchains

Guillaume:

Guillaume wrote:
In reply to John Sage <jsage () finchhaven com>:

Guillaume:

It's interesting to note that the HOW-TO doesn't even mention -o except in a cross-reference to ipfwadm commands. man ipchains says "Copy matching packets to the user space device..." I've never used it; hardly knew it existed. What exactly are you hoping to accomplish?

I would like to capture rejected/denied packets in raw binary format for a kind of forensic analysis, in search of new attack tracks. For that, ipchains logs are not enough. All I can do is suspect these packets just because they were rejected by ipchains...
That sounds a lot like what I'm doing:

My method is to run snort in -b binary capture mode against my own rulesets that essentially act upon *every* packet by either alerting (on a specific port, for example..) or by alerting/logging entire port ranges so that everything is captured.

Here's an example of the rules that act upon ports:

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP to 445 Win2k SMB";)
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"TCP from 445 Win2k SMB";)
#

And upon port ranges:

# Blanket ALERT FROM ranges, leave holes for services we like ;-)
#
alert tcp $EXTERNAL_NET 0:20 -> $HOME_NET any (msg:"TCP from range 0-20";)
# 21 ftp
alert tcp $EXTERNAL_NET 22:24 -> $HOME_NET any (msg:"TCP from range 22-24";)
# 25 smtp
alert tcp $EXTERNAL_NET 26:42 -> $HOME_NET any (msg:"TCP from range 26-42";)
# 43 whois
alert tcp $EXTERNAL_NET 44:79 -> $HOME_NET any (msg:"TCP from range 44-79";)
# 80 http
alert tcp $EXTERNAL_NET 81:109 -> $HOME_NET any (msg:"TCP from range 81-109";)
# 110 pop3

(Now, having said this, let me say that my ipchains rules actually block most of those ports that seem to be open, by limiting connections to a specific set of source IP's...)

Here's an example of the rules (bi-directional) that log entire ranges:

# Blanket LOG FROM bidirectional ranges so everything is logged
#
log tcp $EXTERNAL_NET 0:1024 <> $HOME_NET any (msg:"TCP to/from range 0-1024";)
log tcp $EXTERNAL_NET 1025:60999 <> $HOME_NET any (msg:"TCP to/from range 1025-60999";)
log tcp $EXTERNAL_NET 61000:65095 <> $HOME_NET any (msg:"TCP to/from masq range";)
log tcp $EXTERNAL_NET 65096:65535 <> $HOME_NET any (msg:"TCP to/from beyond masq range";)
#
# run with: snort -b -i ppp0 -c /usr/local/snort-1.8.2/snort182.conf &

The net effect is that *every* packet is accounted for, somehow, both incoming and outgoing. Later I analyze the binary logs with the rules that come provided with snort...

HTH..

- John
My thought is capturing all that and performing snort or any other network utility post-analysis. The hardest part being that, if ipchains and snort are up to date, no signature or rule will match captured traffic... But the goal is to write new ones.

Guillaume

***********************************
Sent with HORDE/IMP (www.horde.org)
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users