Re: snort inline Test

[Björn Meier <bjoern.meier () googlemail com>]

Zeinab Zali wrote:
> Thanks.
> What other simple attacks do you propose to test snort inline? I want 
> to see unsuccessful try of an attack as a result of dropping packets 
> via snort.
>
> On Mon, Jun 29, 2009 at 3:56 PM, Joel Esler <jesler () sourcefire com 
> <mailto:jesler () sourcefire com>> wrote:
>
>     i would suggest testing your installation with something other
>     than a portscan. As a portscan event is simply an aggregate of
>     connections made. (simply put)
>
>     --
>     Sent from my iPhone
>
>     On Jun 29, 2009, at 2:41 PM, Zeinab Zali <zeinabzali () gmail com
>     <mailto:zeinabzali () gmail com>> wrote:
>
> >     Thanks much for your reply.
> >     I have changed all the snort rules (snort, preprocessor and
> >     decoder rules) as you said. but portscan is still performed
> >     successfully. it seems snort can't drop any portscan packet. what
> >     is wrong with this configuration?
> >
> >     On Mon, Jun 29, 2009 at 6:49 AM, Joel Esler
> >     <jesler () sourcefire com <mailto:jesler () sourcefire com>> wrote:
> >
> >         You have to instruct Snort on what to drop.  The easiest way
> >         to do this is to change the rule you want to drop the traffic
> >         from "alert" to "drop" in the first word of the rule within
> >         the individual rule files.
> >
> >         For portscan traffic you would have to use the preprocessor
> >         rules.
> >
> >         J
> >
> >         On Sat, Jun 27, 2009 at 7:29 AM, Zeinab Zali
> >         <zeinabzali () gmail com <mailto:zeinabzali () gmail com>> wrote:
> >
> >             Hi,
> >             I have compiled snort with --enable-inline mode
> >             successfully. I configure iptables with below commands:
> >             "
> >             modprobe ip_queue
> >             export QUEUE="yes"
> >             iptables -F FORWARD
> >             iptables -F INPUT
> >             iptables -F OUTPUT
> >             iptables -A OUTPUT -j QUEUE
> >             iptables -A INPUT -j QUEUE
> >             iptables -A FORWARD -j QUEUE
> >             "
> >             Then I changed all the snort alert rules to drop rules.
> >             for testing I run snort with below command:
> >             "snort -c ./etc/snort_inline.conf  -Q  -l
> >             /var/log/snort_inline/ -v"
> >             then I try to portscan my computer from another computer
> >             with nmap. Snort generated portscan alert, but I the
> >             portscanning procedure with nmap was done successfully
> >             too. I expect snort inline not to allow nmap portscan.
> >             What is the problem?
> >             Thanks in advance,
> >
> >             -- 
> >             Zeynab Zali
> >
> >             ------------------------------------------------------------------------------

hi,
 
IMHO snort is a stealth IDS (alert but don't do anything else) and so I 
use it. You want to drop Portscan-packages? Not THAT easy. We have an 
network with an Windows 2003 Domaincontroller which does portscans on a 
few hosts. Should I disable scan for that? NO! I get noticed, so I know 
he works as expected.
What I would to say is, portscan ist not an attack (maybe a preparing).

You want to test snort? Well, you have all the information you need. All 
rules defining packages where snot bring an action on it. So, generate 
these packages and see how snort act.

Package generator: bittwist.sourceforge.net

see you later,
Björn

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users