Snort mailing list archives
Re: Unable to run Snort in IPS mode
From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 24 Feb 2010 12:14:48 -0500
Hmmm ... if Snort isn't starting with "reject" or "sdrop" rules then maybe it wasn't actually built with --enable-inline. Can you post the configure statement at the top of your config.log and the output from snort -V?

On Wed, Feb 24, 2010 at 10:16 AM, Sharma, Ashish <ashish.sharma3 () hp com> wrote:

Seth,
Since I am testing on a single machine on LAN, I replicated my Snort setup on a non-virtual machine of Fedora 10; there too the problem persists. Packets are not getting dropped, just 'console' outputs are generated. Also snort doesn't start with local rules of 'reject' or 'sdrop' kind.
I have followed this for reference: 'http://openmaniak.com/inline_final.php'
Please help!!!!
Ashish Sharma

-----Original Message-----
From: Seth Art [mailto:sethsec () gmail com]
Sent: Tuesday, February 23, 2010 8:45 PM
To: Sharma, Ashish
Cc: Nigel Houghton; Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

Is the virtual snort actually inline, or is it dropping a COPY of the traffic? You can test this with some iptables rules. Block the traffic with some FW rules on the snort box and see if the traffic STILL gets to the destination.
-Seth

On Tue, Feb 23, 2010 at 9:29 AM, Sharma, Ashish <ashish.sharma3 () hp com> wrote:

Nigel,
No success :( My machine is a Fedora Core 10 virtual machine, running on Sun VirtualBox.
My rules in 'local.rules' are as:
'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity"; sid:1000001;)
drop icmp any any -> 16.150.17.4 any (msg: "Test ping activity"; sid:1000002;)'
I am running 'snort' by this command:
'snort -k none -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l/var/log/snort'
Console output is as:
'02/23-19:57:13.288720 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13530 -> 16.150.17.4:80
02/23-19:57:13.288812 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13402 -> 16.150.17.4:80
02/23-19:57:47.034571 [Drop] [**] [1:1000002:0] Test ping activity [**] [Priority: 0] {ICMP} 16.150.18.130 -> 16.150.17.4'
But packets are not getting dropped and replies to the above requests are being received successfully. This should not happen :( right.
With regards
Ashish Sharma

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com]
Sent: Tuesday, February 23, 2010 7:00 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

On Tue, Feb 23, 2010 at 2:15 AM, Sharma, Ashish <ashish.sharma3 () hp com> wrote:

Nigel,
No success with your suggested idea. Attached is my 'local.rules' file. My uncommented rule is as:
'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity"; sid:1000001;)'
I launch my 'snort' with the following command:
'snort -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l/var/log/snort'
Now whenever I try to access a web page hosted on a web server on the same machine (on which snort is hosted), I get the following kind of console output:
'02/23-12:28:04.537751 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
02/23-12:28:04.538713 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
02/23-12:28:04.935699 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
02/23-12:28:05.263633 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80'
Here I am able to access my web page from any other foreign machine, but this should not happen with a 'Drop' rule of this kind; I should not be able to access my web page in the first place when snort is running in 'inline' mode.
Moreover I had to comment other 'reject' and 'sdrop' rules since 'snort' fails to identify them (Please look into my first message for console output for this error).
Thanks
Ashish Sharma

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com]
Sent: Monday, February 22, 2010 9:16 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

On Mon, Feb 22, 2010 at 9:22 AM, Sharma, Ashish <ashish.sharma3 () hp com> wrote:

Nigel,
One of my drop rules in 'local.rules' is of the following type:
'drop icmp any any -> xxx.xxx.xxx.xxx any (msg: "Test ping activity"; sid:1000002;)'
Here my intention is to drop any packet that is received for ICMP ping activity, but actually when I run my 'snort' and 'Ping' on the destination machine, only alerts are logged and I receive the response of my 'Ping' command too. But I expect this should not happen with a 'drop' rule; no response should be received in this case.
Thanks
Ashish Sharma

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton () sourcefire com]
Sent: Monday, February 22, 2010 7:42 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

On Mon, Feb 22, 2010 at 8:37 AM, Sharma, Ashish <ashish.sharma3 () hp com> wrote:

Rmkml,
Please find attached my 'local.rules' file.
Thanks
Ashish Sharma

-----Original Message-----
From: rmkml [mailto:rmkml () free fr]
Sent: Monday, February 22, 2010 6:49 PM
To: Sharma, Ashish
Cc: rmkml () free fr
Subject: RE: [Snort-users] Unable to run Snort in IPS mode

ok thx you Sharma, could you send local.rules please?
Regards
Rmkml

On Mon, 22 Feb 2010, Sharma, Ashish wrote:

Rmkml,
First of all thanks for helping. I don't think there is any problem with command formatting or the 'RULE_PATH' variable. The reason being that when I comment out the 'reject' and 'sdrop' rules from the 'local.rules' file and only 'drop' rules are there, then 'Snort' is able to run fine and alerts are generated and logged.
For your reference my 'Snort.conf' is attached.
Thanks for helping again.
Ashish Sharma

-----Original Message-----
From: rmkml [mailto:rmkml () free fr]
Sent: Monday, February 22, 2010 5:15 PM
To: Sharma, Ashish
Cc: rmkml () free fr
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

Hi Sharma,
you start snort with cmd line:
'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l/var/log/snort'
please remove space like ... -c /etc/snort/snort.conf ...
on your snort.conf, what is RULE_PATH variable contains please? or send snort.conf...
Regards
Rmkml

On Mon, 22 Feb 2010, Sharma, Ashish wrote:

Hi,
I have a fedora core 10 virtual machine running on a sun virtualbox. I am trying to run Snort on this machine in IPS mode. I followed the following steps (I had already installed the prerequisites for Snort IPS):
1. Downloaded 'snort-2.8.5.2.tar.gz'
2. Extracted the binaries.
3. did './configure --enable-inline'
4. did 'make'
5. did 'make install'
6. copied snort rules and snort conf at appropriate location.
7. executed the following command:
'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l/var/log/snort'
8. Snort launches with the traces:
Enabling inline operation
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
..................................
Initializing rule chains...
ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
Fatal Error, Quitting..
8. As you can see I have a test rule in local.rule that has a 'reject' rule in it but snort is not accepting it; the same is the case for the 'sdrop' rule also.
9. What is the problem, please help!!!!! What should I do in all to let my Snort run in IPS mode
Thanks in advance
Ashish Sharma

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

You have compiled Snort with --enable-inline. Your snort.conf looks fine. The rules you have need to use the "drop" keyword instead of "alert" so that they will drop the traffic in inline mode. So your two rules would become:
drop tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
drop tcp any any -> 16.150.17.4 3310 (msg: "Test activity"; sid:1000004;)
--
Nigel Houghton
Head Mentalist SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

Your drop rule is commented out, so it is not active. Please try what I told you to try and report back. Thanks.
--
Nigel Houghton
Head Mentalist SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

Now we are getting somewhere. Since your snort installation is on the same machine you are sending packets to, try adding the "-k none" option to the command line. See if that fixes your problem and report back.
--
Nigel Houghton
Head Mentalist SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
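As an added example (not code from the thread or from the Snort project), a small Python lint for a local.rules file that catches the three problems this thread works through before snort is even started: a rule that is commented out and therefore inactive, an inline-only action (drop, reject, sdrop) used when the build or the run is not inline, and an alert rule that will only log where blocking was intended. The action keyword set is an assumption based on Snort 2.8, and the sample rules are constructed from the thread's own addresses and sids.

```python
import re

# Assumption: rule actions accepted by a Snort 2.8 build. drop/reject/sdrop
# are parsed only by an --enable-inline build run with -Q; elsewhere snort
# aborts with "Unknown rule type: <action>", as seen in the thread.
ACTIONS_ALL = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
ACTIONS_INLINE = {"drop", "reject", "sdrop"}

# header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def lint_rules(text, inline):
    """Return (line_no, level, message) findings; inline=True means an
    --enable-inline build started with -Q."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            # A commented-out rule still looks like a rule: flag it, since it is inactive.
            if HEADER_RE.match(body) and body.split()[0] in ACTIONS_ALL:
                findings.append((no, "warn", "rule is commented out, so it is not active"))
            continue
        m = HEADER_RE.match(line)
        if not m:
            findings.append((no, "error", "unparseable rule header"))
            continue
        action = m.group("action")
        if action not in ACTIONS_ALL:
            findings.append((no, "error", f"unknown rule type: {action}"))
            continue
        if action in ACTIONS_INLINE and not inline:
            findings.append((no, "error", f"unknown rule type: {action} (needs --enable-inline and -Q)"))
        if inline and action == "alert":
            findings.append((no, "warn", "'alert' only logs in inline mode; use 'drop' to block"))
        if not SID_RE.search(m.group("opts")):
            findings.append((no, "warn", "missing sid"))
    return findings

# Constructed sample local.rules body using the thread's own values.
SAMPLE_RULES = """\
# drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity"; sid:1000001;)
alert tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
reject icmp any any -> 16.150.17.4 any (msg: "Test ping activity"; sid:1000002;)
sdrop tcp any any -> 16.150.17.4 3310 (msg: "Test activity";)
"""
```

Running `lint_rules(SAMPLE_RULES, inline=False)` reports the commented rule, the two inline-only actions and the missing sid; with `inline=True` the reject and sdrop rules pass and the alert rule is flagged as log-only.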