Snort mailing list archives
Re: snort inline Test
From: Björn Meier <bjoern.meier () googlemail com>
Date: Tue, 30 Jun 2009 08:38:59 +0200
Zeinab Zali wrote:

Thanks. What other simple attacks do you propose to test snort inline? I want to see an unsuccessful try of an attack as a result of dropping packets via snort.

On Mon, Jun 29, 2009 at 3:56 PM, Joel Esler <jesler () sourcefire com> wrote:

I would suggest testing your installation with something other than a portscan, as a portscan event is simply an aggregate of connections made (simply put).

--
Sent from my iPhone

On Jun 29, 2009, at 2:41 PM, Zeinab Zali <zeinabzali () gmail com> wrote:

Thanks much for your reply. I have changed all the snort rules (snort, preprocessor and decoder rules) as you said, but the portscan is still performed successfully. It seems snort can't drop any portscan packet. What is wrong with this configuration?

On Mon, Jun 29, 2009 at 6:49 AM, Joel Esler <jesler () sourcefire com> wrote:

You have to instruct Snort on what to drop. The easiest way to do this is to change the rule you want to drop the traffic from "alert" to "drop" in the first word of the rule within the individual rule files. For portscan traffic you would have to use the preprocessor rules.

J

On Sat, Jun 27, 2009 at 7:29 AM, Zeinab Zali <zeinabzali () gmail com> wrote:

Hi,

I have compiled snort with --enable-inline mode successfully. I configured iptables with the commands below:

modprobe ip_queue
export QUEUE="yes"
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -A OUTPUT -j QUEUE
iptables -A INPUT -j QUEUE
iptables -A FORWARD -j QUEUE

Then I changed all the snort alert rules to drop rules. For testing I run snort with the command below:

snort -c ./etc/snort_inline.conf -Q -l /var/log/snort_inline/ -v

Then I try to portscan my computer from another computer with nmap. Snort generated a portscan alert, but the portscanning procedure with nmap was done successfully too. I expect snort inline not to allow an nmap portscan.

What is the problem?

Thanks in advance,
--
Zeynab Zali

------------------------------------------------------------------------------

hi,

IMHO snort is a stealth IDS (alert but don't do anything else) and so I use it. You want to drop portscan packets? Not THAT easy. We have a network with a Windows 2003 domain controller which does portscans on a few hosts. Should I disable scans for that? NO! I get notified, so I know it works as expected. What I want to say is, a portscan is not an attack (maybe a preparation).

You want to test snort? Well, you have all the information you need. All rules define packets on which snort takes an action. So, generate these packets and see how snort acts.

Packet generator: bittwist.sourceforge.net

see you later,
Björn

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
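Joel's advice in the thread is to change the first word of the rules you actually want to block from "alert" to "drop", and Zeinab did that for every rule at once. The shell snippet below is an added example, not code from the thread or from the Snort project; it turns the action into "drop" only for the SIDs you name, leaves comments and other rules untouched, and counts actions afterwards so you can verify what changed. The rule file, the SIDs and the path are constructed sample values. Note that this only affects signature rules: as Joel says, a portscan event summarises connections that have already been made, so dropping on that event cannot stop the scan that produced it, which is why nmap still completes.

```shell
#!/bin/sh
# Added example (not from the original thread): selectively convert Snort
# "alert" rules to "drop" rules by SID. Inline mode only blocks traffic that
# a rule tells it to drop, so a reviewed, per-SID conversion is safer than
# rewriting every rule file wholesale.

# Rewrite the action of the rules whose SID is in the comma-separated list $2.
# Usage: snort_alert_to_drop RULEFILE "1000001,1000003"
snort_alert_to_drop() {
    awk -v sids="$2" '
        BEGIN {
            n = split(sids, want, ",")
            for (i = 1; i <= n; i++) keep[want[i]] = 1
        }
        # Only lines that start with the "alert" action are candidates;
        # comments, blank lines and already-converted rules pass through.
        /^alert[ \t]/ {
            if (match($0, /sid:[ \t]*[0-9]+/)) {
                sid = substr($0, RSTART, RLENGTH)
                sub(/sid:[ \t]*/, "", sid)
                if (sid in keep) sub(/^alert/, "drop")
            }
        }
        { print }
    ' "$1"
}

# Count rules per action (alert/drop/pass/log) so the change can be confirmed.
# Output is one "action=count" line per action, sorted.
snort_action_counts() {
    awk '/^(alert|drop|pass|log)[ \t]/ { c[$1]++ }
         END { for (a in c) printf "%s=%d\n", a, c[a] }' "$1" | sort
}

# Constructed sample rule file (hypothetical SIDs, not real ruleset content).
SAMPLE_RULES="${TMPDIR:-/tmp}/example_local.rules"
cat > "$SAMPLE_RULES" <<'EOF'
# constructed sample rules for the example
alert tcp any any -> $HOME_NET 21 (msg:"example FTP probe"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"example telnet probe"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"example ping"; sid:1000003; rev:1;)
EOF

# Usage: convert two of the three rules and show the before/after action counts.
snort_action_counts "$SAMPLE_RULES"
snort_alert_to_drop "$SAMPLE_RULES" "1000001,1000003" > "$SAMPLE_RULES.drop"
snort_action_counts "$SAMPLE_RULES.drop"
```

Run it against a copy of the rule file, diff the result, and only then point snort_inline.conf at the converted file; after a restart, the action counts give a quick check that the rules you expect to block are the ones carrying the "drop" action.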
Current thread:
- snort inline Test Zeinab Zali (Jun 27)
- Re: snort inline Test Joel Esler (Jun 29)
- Re: snort inline Test Keith Konecnik (Jun 29)
- Re: snort inline Test Zeinab Zali (Jun 29)
- Re: snort inline Test Zeinab Zali (Jun 29)
- Re: snort inline Test Joel Esler (Jun 29)
- Re: snort inline Test Zeinab Zali (Jun 29)
- Re: snort inline Test Björn Meier (Jun 29)
- Re: snort inline Test Joel Esler (Jun 30)
- Re: snort inline Test Keith Konecnik (Jun 30)
- Re: snort inline Test Keith Konecnik (Jun 29)
- Re: snort inline Test Joel Esler (Jun 29)
- Re: snort inline Test Joel Esler (Jun 29)
- Re: snort inline Test Will Metcalf (Jun 29)