Snort mailing list archives

Re: snort inline Test


From: Keith Konecnik <kkonecnik () sourcefire com>
Date: Tue, 30 Jun 2009 09:45:42 -0400

If your main concern is just seeing/testing that packets get dropped you can
write a rule specific to the endpoints with the action of drop. At that
point you can base the rule on something like ssh, ping, http etc. Then if
you get your alert and, for example, your endpoints can't ping each other
you know it's dropping a packet.
-k

On Tue, Jun 30, 2009 at 12:41 AM, Zeinab Zali <zeinabzali () gmail com> wrote:

Thanks.
What other simple attacks do you propose to test snort inline? I want to
see an unsuccessful attempt at an attack as a result of dropping packets via snort.


On Mon, Jun 29, 2009 at 3:56 PM, Joel Esler <jesler () sourcefire com> wrote:

I would suggest testing your installation with something other than a
portscan, as a portscan event is simply an aggregate of connections made
(simply put).

--
Sent from my iPhone

On Jun 29, 2009, at 2:41 PM, Zeinab Zali <zeinabzali () gmail com> wrote:

Thanks much for your reply.
I have changed all the snort rules (snort, preprocessor and decoder rules)
as you said, but the portscan is still performed successfully. It seems snort
can't drop any portscan packet. What is wrong with this configuration?

On Mon, Jun 29, 2009 at 6:49 AM, Joel Esler <jesler () sourcefire com> wrote:

You have to instruct Snort on what to drop.  The easiest way to do this
is to change the rule you want to drop the traffic from "alert" to "drop" in
the first word of the rule within the individual rule files.
For portscan traffic you would have to use the preprocessor rules.

J
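Joel's advice above (change the first word of a rule from "alert" to "drop", and use the preprocessor rules for portscan traffic) and Keith's suggestion at the top of the thread (write a narrow drop rule tied to two endpoints so that a failed ping or ssh shows the drop) can both be tried with a small helper. The Python below is an added example, not code from the thread or from Snort itself: the rule lines in SAMPLE_RULES are constructed, and rewrite_actions, count_actions and endpoint_drop_rule are hypothetical helper names. It rewrites the action word of every active rule (classic header rules and header-less preprocessor rules both start with it), optionally restricted to a set of SIDs, and builds the kind of single-packet test rule Keith describes. As Joel notes, a portscan event is an aggregate of connections, so the packet that finally triggers the portscan alert is dropped only after earlier probes were already answered; an ICMP or ssh rule between two hosts gives an unambiguous pass/fail.

```python
"""Helpers for the two approaches discussed in the thread: turning existing
Snort "alert" rules into "drop" rules, and writing a small endpoint-specific
drop rule to verify that inline mode really discards traffic.
Hypothetical helper code, not part of Snort."""
import re
from typing import Dict, Optional, Set

# Rule actions Snort accepts as the first word of a rule.
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")
ACTION_RE = re.compile(
    r"^(?P<indent>\s*)(?P<action>%s)\b(?P<rest>.*)$" % "|".join(ACTIONS))
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for distributed rules


def rule_sid(rule: str) -> Optional[int]:
    """Return the numeric sid of a rule line, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def rewrite_actions(rules_text: str, new_action: str = "drop",
                    only_sids: Optional[Set[int]] = None) -> str:
    """Rewrite the first word of each active rule to new_action.

    Blank lines and commented-out rules ('#') are left untouched, as are
    rules whose sid is not in only_sids when that filter is given.
    """
    if new_action not in ACTIONS:
        raise ValueError("unknown Snort action: %r" % new_action)
    out = []
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)  # a '#' comment never matches an action word
        if m is None or (only_sids is not None and rule_sid(line) not in only_sids):
            out.append(line)
            continue
        out.append(m.group("indent") + new_action + m.group("rest"))
    return "\n".join(out) + ("\n" if rules_text.endswith("\n") else "")


def count_actions(rules_text: str) -> Dict[str, int]:
    """Count active rules per action, e.g. to confirm none is left on 'alert'."""
    counts: Dict[str, int] = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts


def endpoint_drop_rule(proto: str, src: str, dst: str, sid: int, msg: str,
                       dport: str = "any") -> str:
    """Build a narrow test rule: drop one protocol between two specific hosts,
    so that a failed ping/ssh/http between them shows the packet was dropped."""
    if proto not in ("ip", "icmp", "tcp", "udp"):
        raise ValueError("unsupported protocol: %r" % proto)
    if sid < LOCAL_SID_MIN:
        raise ValueError("local rules should use sid >= %d" % LOCAL_SID_MIN)
    if '"' in msg:
        raise ValueError("msg must not contain double quotes")
    return 'drop %s %s any -> %s %s (msg:"%s"; sid:%d; rev:1;)' % (
        proto, src, dst, dport, msg, sid)


# Constructed sample modelled on a rules file: two classic rules, one
# commented-out rule, and one header-less preprocessor-style rule.
SAMPLE_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"disabled rule"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP test"; sid:1000003; rev:1;)
alert ( msg:"(spp_sfportscan) TCP Portscan"; sid: 1; gid: 122; rev: 1; )
"""

if __name__ == "__main__":
    print("before:", count_actions(SAMPLE_RULES))
    print(rewrite_actions(SAMPLE_RULES))
    print("after: ", count_actions(rewrite_actions(SAMPLE_RULES)))
    # Keith-style endpoint test rule (addresses are documentation ranges).
    print(endpoint_drop_rule("icmp", "192.0.2.10", "192.0.2.20",
                             1000010, "inline drop test: ping"))
```

Run the rewritten text through `snort -T -c <conf>` before going inline; a rule file where the action word was changed by hand is the usual place for a stray typo to break the whole load.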

On Sat, Jun 27, 2009 at 7:29 AM, Zeinab Zali <zeinabzali () gmail com> wrote:

Hi,
I have compiled snort with --enable-inline mode successfully. I
configured iptables with the commands below:
"
modprobe ip_queue
export QUEUE="yes"
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -A OUTPUT -j QUEUE
iptables -A INPUT -j QUEUE
iptables -A FORWARD -j QUEUE
"
Then I changed all the snort alert rules to drop rules.
For testing I run snort with the command below:
"snort -c ./etc/snort_inline.conf  -Q  -l /var/log/snort_inline/ -v"
Then I try to portscan my computer from another computer with nmap.
Snort generated a portscan alert, but the portscanning procedure with nmap
was completed successfully too. I expect snort inline not to allow the nmap portscan.
What is the problem?
Thanks in advance,

--
Zeynab Zali


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974




--
Zeynab Zali




--
Zeynab Zali

