Re: Inline and stream 4

["Will Metcalf" <william.metcalf () gmail com>]

On 4/13/06, Pieter Vanmeerbeek <pieter.vanmeerbeek () able be> wrote:
> Hi
>
> I've got a question on a stream 4 configuration. This is our setup:
>
> All traffic from internet and dmz is routed to snort using iptables QUEUE
> statement. All traffic from our router itself and all traffic from the
> secure LAN is NOT routed to snort. We are using the upgradeable rule set
> with all rules set to drop to have an IPS system

You have to be very careful with your iptables if you begin to get
this granular with rules.  I don't care if you have enforce_state on
or not, you need to QUEUE your traffic in such a way that stream4
See's both sides of the conversation.

> This worked fine, however sometimes connections were dropped without
> alerting. After some research I found out that it is the stream4
> preprocessor who was doing this. Adding the midstream_drop_alerts parameter
> solves the problem however may expose us to snot & stick attacks.

Yeah
> 2 questions about this:
>
> 1. I thought a snot & stick attack was designed to bury a hacking attempt
> between other useless attacks and therefore obscure the logging and possible
> recognition. But in an IPS system the attack itself is logged and also
> blocked. So I do not understand why this is may be a problem?

Because as an analyst I actually do detective work to actually try and
figure out what is happening in my network.  Following that train of
thought snot & stick are just as successful as they ever where.

> 2. Apparently the problem of question 1 is not an issue if the inline_state
> parameter is set. However as we do not send all traffic through snort this
> will probably cause a lot of packages to be dropped? Even more general, is
> there a possible state problem when only traffic from internet/dmz is routed
> to snort? In other words would some rules match due to a state problem?

You do not have to send all traffic to snort but you need to QUEUE
your tcp traffic in such a way that stream4 is able to see both sides
of the conversation.  If enforce_state is enabled  and you are only
sending one half of the conversation to stream4, it will drop your
packets because it is only seeing one half of what it needs to,  i.e.
no valid TWH etc....

Regards,

Will
> Kind regards,
> Pieter
>
>
>
> --
> ---------------------------------------------------
> aXs GUARD Training Center
> more info at http://www.axsguard.com/indextraining.htm
>
> aXs GUARD has completed security and anti-virus checks on this e-mail (http://www.axsguard.com)
> ---------------------------------------------------
> Able NV: ond.nr 0457.938.087
> RPR Mechelen
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0944&bid$1720&dat1642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users