Snort mailing list archives
RE: new user - snort is not droping pacekts
From: "Joshua Berry" <jberry () PENSON COM>
Date: Tue, 15 Feb 2005 09:30:15 -0600
Flexresp and flexresp2 send resets; these work by just monitoring the wire on the SPAN port you have set up. This is probably what the ISS boxes you had were doing. Snort-inline can send resets but is really meant to silently drop the packets in place. You have iptables rules with a target of -j QUEUE, and run snort with the -Q option. Snort is sent the traffic that iptables gets, and if a rule matches then it drops the packet (if the action is set to drop; reset if the action is set to reset); if not, it hands the packet back to iptables to allow it and route it to the destination.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of lokesh.khanna () accelonafrica com
Sent: Tuesday, February 15, 2005 9:07 AM
To: Alex.Butcher () bristol ac uk; snort-users () lists sourceforge net
Subject: RE: [Snort-users] new user - snort is not droping pacekts

Hi,

Thanks again. If I understand correctly, snort-inline is capable of sending TCP RST to drop the session. So it will only drop hacking-attempt packets (depending on the signature). It will not drop genuine packets from the same host. This is how manhunt works.

Secondly, I don't understand why people use Snort instead of snort-inline. What are the advantages and disadvantages of using snort and snort-inline?

Cordially,
LK

-----Original Message-----
From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher () bristol ac uk]
Sent: 15 February 2005 14:39
To: Lokesh Khanna; snort-users () lists sourceforge net
Subject: RE: [Snort-users] new user - snort is not droping pacekts

--On 15 February 2005 10:47 +0100 lokesh.khanna () accelonafrica com wrote:
> Thanks again for the reply. But it is confusing me more. As per my
> knowledge I cannot set a rule using IPCHAIN which will drop packets
> based on content in the packet.
>
> What I am able to understand is that if I use IDS in INLINE mode, IDS
> will act as a router and, based on alerts, IDS will insert rules in
> IPTABLE.
See <http://www.snort.org/docs/snort_manual/node7.html>.

Essentially, when running in inline mode, Snort can either cause the *packet* matching a rule to be dropped (with or without logging), or it can reject the packet (using TCP RST or ICMP dest unreachable packets) so as to terminate the session. Snort running in inline mode won't blacklist all traffic from alert-generating hosts, unless you use flexresp or snortsam to tie it in with a firewall (be that iptables/netfilter, Cisco, or FW-1).
> I can have genuine traffic from an IP address and virus traffic from
> the same IP address. So the content of that packet will define if the
> packet should drop or it should not. How will IPCHAIN handle this?
To be honest, this perhaps isn't the best place to ask about snort inline - I haven't used it, so everything I've told you has come from reading the snort manual, <http://snort-inline.sourceforge.net/index.html> and <http://sourceforge.net/projects/snort-inline/>.
> Cordially, LK
HTH, Alex.
-----Original Message-----
From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher () bristol ac uk]
Sent: 15 February 2005 10:34
To: Lokesh Khanna; snort-users () lists sourceforge net
Subject: RE: [Snort-users] new user - snort is not droping pacekts

--On 15 February 2005 10:23 +0100 lokesh.khanna () accelonafrica com wrote:
> I remember in real secure or manhunt, I used to configure a port in
> mirroring mode on the switch and I put IDS on that port. All our
> traffic was going through that mirrored port. Based on rules defined
> in IDS, it was dropping / logging packets.

Logging, yes, but those products would only have been dropping (i.e. blocking, rejecting) packets if they were interacting with a firewall or router in some way (or they were running in some kind of IPS mode, which you seem to indicate was not the case).

> If I understand correctly, do I need to pass all traffic through the
> IDS box?

If you're using inline mode, yes, the snort machine will be acting as a router (actually an Intrusion _Prevention_ System or IPS). See <http://snort-inline.sourceforge.net/> and README.INLINE for more info on inline mode. Note that 2.3.0 integrates the inline stuff IIRC.

> IDS will act as a router also. And based on alerts, IDS will make
> modifications in IPCHAIN and will drop or allow packets.

See the above site for the details.

> Or is there any other way out? How can I find out documents on this?

<http://www.snortsam.net/> and README.FLEXRESP and README.FLEXRESP2 in the snort docs.

> Cordially, LK

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
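Joshua's description of inline mode at the top of this message (iptables handing packets to snort -Q via -j QUEUE, with each rule's action deciding whether the packet is dropped or passed back) as an added example that is not from any poster in this thread: a small POSIX shell helper that rewrites only the chosen alert rules to drop rules, so genuine traffic from the same host still matches nothing and is passed through, and prints the netfilter side of the setup. The rule file, SIDs and messages are constructed placeholders, not real rule content.

```shell
#!/bin/sh
# Added example: selective alert -> drop conversion for snort-inline.
# Sample rule file (constructed; placeholder SIDs in the local 1000000+ range).
RULES_IN="${TMPDIR:-/tmp}/sample.rules"
cat > "$RULES_IN" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; content:"/probe"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh scan"; flags:S; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ping"; sid:1000003; rev:1;)
EOF

# to_drop FILE SID...: print FILE with "alert" changed to "drop" only for the
# listed SIDs.  Rules not listed keep their action, so in inline mode a packet
# that matches none of the drop rules is handed back to iptables untouched.
to_drop() {
    file=$1; shift
    awk -v sids="$*" '
        BEGIN { n = split(sids, want, " "); for (i = 1; i <= n; i++) keep[want[i]] = 1 }
        /^alert / && match($0, /sid:[0-9]+;/) {
            sid = substr($0, RSTART + 4, RLENGTH - 5)   # digits between "sid:" and ";"
            if (sid in keep) sub(/^alert /, "drop ")
        }
        { print }
    ' "$file"
}

# queue_rules: print (do not execute) the netfilter setup that sends forwarded
# packets to userspace, where "snort -Q" makes the drop/pass decision.
queue_rules() {
    cat <<'EOF'
modprobe ip_queue
iptables -A FORWARD -j QUEUE
EOF
}

# Stand-alone run: write the converted rules and show the iptables commands.
# Snort itself is then started with: snort -Q -c /etc/snort/snort.conf
to_drop "$RULES_IN" 1000001 1000003 > "${TMPDIR:-/tmp}/inline.rules"
queue_rules
```

Converting only specific SIDs (rather than every alert rule) is what keeps the box from turning a noisy informational signature into an outage; review each SID's false-positive rate before promoting it to drop.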