Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Unable to run Snort in IPS mode

From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 24 Feb 2010 12:14:48 -0500
Hmmm ... if Snort isn't starting with "reject" or "sdrop" rules then maybe
it wasn't actually built with --enable-inline.

Can you post the configure statement at the top of your config.log and the
output from snort -V?

On Wed, Feb 24, 2010 at 10:16 AM, Sharma, Ashish <ashish.sharma3 () hp com>wrote:


Seth,

Since I am testing on a Single machine on LAN, I replicated my Snort setup
on a non virtual machine of Fedora 10, there too the problem persists.

Packets are not getting dropped just 'console' outputs are generated.

Also snort doesn't start with local rules of 'reject' or 'sdrop' kind.

I have followed this for reference:

'http://openmaniak.com/inline_final.php&apos;

Please help!!!!

Ashish Sharma

-----Original Message-----
From: Seth Art [mailto:sethsec () gmail com]
Sent: Tuesday, February 23, 2010 8:45 PM
To: Sharma, Ashish
Cc: Nigel Houghton; Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

Is the virtual snort actually inline, or is it dropping a COPY of the
traffic?  You can test this with some iptables rules.  Block the
traffic with some FW rules on the snort box and see if the traffic
STILL gets to the destination.

-Seth

On Tue, Feb 23, 2010 at 9:29 AM, Sharma, Ashish <ashish.sharma3 () hp com>
wrote:

Nigel,

No success :(

My machine is Fedora Core 10 virtual machine, running on sun virtual Box.

My rules in 'local.rules' are as:

'drop tcp any any -> 16.150.17.4 80 (msg: "Test web

activity";sid:1000001;)

drop icmp any any -> 16.150.17.4 any (msg: "Test ping

activity";sid:1000002;)'


I am running 'snort' by this command:

'snort -k none -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l

/var/log/snort'


Console output is as:

' 02/23-19:57:13.288720  [Drop] [**] [1:1000001:0] Test web activity [**]

[Priority: 0] {TCP} 16.213.0.37:13530 -> 16.150.17.4:80

02/23-19:57:13.288812  [Drop] [**] [1:1000001:0] Test web activity [**]

[Priority: 0] {TCP} 16.213.0.37:13402 -> 16.150.17.4:80

02/23-19:57:47.034571  [Drop] [**] [1:1000002:0] Test ping activity [**]

[Priority: 0] {ICMP} 16.150.18.130 -> 16.150.17.4'


Put packets are not getting dropped and replies to above request are

being received successfully. This should not happen :( right.


With regards
Ashish Sharma


-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com]
Sent: Tuesday, February 23, 2010 7:00 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

On Tue, Feb 23, 2010 at 2:15 AM, Sharma, Ashish <ashish.sharma3 () hp com>

wrote:

Nigel,

No success with your suggested idea.

Attached is my 'local.rules' file.

My uncommented rule is as:
'drop tcp any any -> 16.150.17.4 80 (msg: "Test web

activity";sid:1000001;)'


I launch my 'snort' with the following command:

'snort -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l

/var/log/snort'


Now whenever I try to access a web page hosted on a web server on the

same machine (on which snort is hosted), I get following kind of console
output:


' 02/23-12:28:04.537751  [Drop] [**] [1:1000001:0] Test web activity

[**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80

02/23-12:28:04.538713  [Drop] [**] [1:1000001:0] Test web activity [**]

[Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80

02/23-12:28:04.935699  [Drop] [**] [1:1000001:0] Test web activity [**]

[Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80

02/23-12:28:05.263633  [Drop] [**] [1:1000001:0] Test web activity [**]

[Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80'


Here I am able to access my web page from any other foreign machine, but

this should not happen with 'Drop' rule of this kind , I should not be able
to access my web page in first place when snort is running in 'inline' mode.


Moreover I had to comment other 'reject' and 'sdrop' rules since 'snort'

fails to identify them (Please look into my first message for console output
for this error).


Thanks
Ashish Sharma


-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com]
Sent: Monday, February 22, 2010 9:16 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

On Mon, Feb 22, 2010 at 9:22 AM, Sharma, Ashish <ashish.sharma3 () hp com>

wrote:

Nigel,

One of my drop rules in 'local.rules' is of following type:
'drop icmp any any -> xxx.xxx.xxx.xxx any (msg: "Test ping

activity";sid:1000002;)'


Here my intention is to drop any packet that is received for ICMP ping

activity, but actually when I run my 'snort',

And 'Ping' on the destination machine only alerts are logged and I

receive the response of my 'Ping' command too.


But I expect this should not happen with 'drop' rule, no response

should be received for this case.


Thanks
Ashish Sharma

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com]
Sent: Monday, February 22, 2010 7:42 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

On Mon, Feb 22, 2010 at 8:37 AM, Sharma, Ashish <ashish.sharma3 () hp com>

wrote:

Rmkml,

Please find attached my 'local.rules' file.

Thanks
Ashish Sharma

-----Original Message-----
From: rmkml [mailto:rmkml () free fr]
Sent: Monday, February 22, 2010 6:49 PM
To: Sharma, Ashish
Cc: rmkml () free fr
Subject: RE: [Snort-users] Unable to run Snort in IPS mode

ok thx you Sharma,
could you send local.rules please?
Regards
Rmkml


On Mon, 22 Feb 2010, Sharma, Ashish wrote:


Rmkml,

First of all thanks for helping.

I don't think there is any problem with command formatting or

'RULE_PATH' variable error.


Reason being that when I comment out the 'reject' and 'sdrop' rules

from 'local.rules' file and only 'drop' rules are there, then 'Snort' is
able to run fine and alerts are generated and logged.


For your reference my 'Snort.conf' is attached.

Thanks for helping again.

Ashish Sharma

-----Original Message-----
From: rmkml [mailto:rmkml () free fr]
Sent: Monday, February 22, 2010 5:15 PM
To: Sharma, Ashish
Cc: rmkml () free fr
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

Hi Sharma,
you start snort with cmd line:
 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l

/var/log/snort'

please remove space like ... -c /etc/snort/snort.conf ...
on your snort.conf, what is RULE_PATH variable contains please? or

send

snort.conf...
Regards
Rmkml


On Mon, 22 Feb 2010, Sharma, Ashish wrote:


Hi,

I have a fedora core 10 virtual machine running on a sun virtual

box.


I am trying to run Snort on this machine in IPS mode.

I followed the following steps (I had already installed the

prerequisites for Snort IPS):


1. Downloaded 'snort-2.8.5.2.tar.gz'
2. Extracted the binaries.
3. did './configure --enable-inline'
4. did 'make'
5. did 'make install'
6. copied snort rules and snort conf at appropriate location.
7. executed the following command :
'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l

/var/log/snort'

8. Snort launches with the traces :

Enabling inline operation
Running in IDS mode

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
..................................

Initializing rule chains...
ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type:

reject.

Fatal Error, Quitting..

8. As you can see I have a test rule in local.rule that have a

'reject' rule in it but snort is not accepting it, same is the case for
'sdrop' rule also.


9. What is the problem , please help!!!!!

What should I do in all to let my Snort run in IPS mode

Thanks in advance

Ashish Sharma







------------------------------------------------------------------------------

Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




You have compiled Snort with --enable-inline. Your snort.conf looks
fine. The rules you have need to use the "drop" keyword instead of
"alert" so that they will drop the traffic in inline mode.

So your two rules would become:

drop tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
drop tcp any any -> 16.150.17.4 3310 (msg: "Test activity";

sid:1000004;)


--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/




Your drop rule is commented out, so it is not active. Please try what
I told you to try and report back. Thanks.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/




Now we are getting somewhere. Since your snort installation is on the
same machine you are sending packets to, try adding the "-k none"
option to the command line. See if that fixes your problem and report
back.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/



------------------------------------------------------------------------------

Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: