Snort mailing list archives
Re: snort inline mode is not working with iptables
From: Wael <netchildccie () hotmail com>
Date: Sat, 07 Aug 2010 19:39:20 +0300
Hello everyone,

Any clues or hints to help me? I rebuilt the same setup on another Linux server with not much luck; I got the exact same result. Please note that I am using two machines to test Snort functionality before putting it in production. One Linux server has Snort on it, and the second is just used to run the ping command against the Snort server.

Regards,
Wael

On 8/6/10 10:55 PM, "Will Metcalf" <william.metcalf () gmail com> wrote:
Ahh ok... Thanks for the clarification Russ.

Regards,
Will

On Fri, Aug 6, 2010 at 2:51 PM, Russ Combs <rcombs () sourcefire com> wrote:

> On Fri, Aug 6, 2010 at 3:36 PM, Will Metcalf <william.metcalf () gmail com> wrote:
> Yes I understand... Not sure if it matters, but did you remove the "-i eth1" from the command line? Not sure how this is handled now in Snort, whether this is valid for use with -Q or whether it is just using one runmode over the other.

The -i is parsed but not used to control the mode in this case. So it is running inline.

> Regards,
> Will

On Fri, Aug 6, 2010 at 2:27 PM, netchild ccie <netchildccie () hotmail com> wrote:

Hi William,

I have the traffic on that interface IN/OUT, and even with both chains IN/OUT jumping to QUEUE it didn't work. The behavior I'm getting is that all the traffic for the -j QUEUE rule is being dropped, as if the packets are not being handled by Snort (the default behavior for -j QUEUE if no application is handling the traffic).

Regards,
Wael

Date: Fri, 6 Aug 2010 14:03:30 -0500
Subject: Re: [Snort-users] snort inline mode is not working with iptables
From: william.metcalf () gmail com
To: netchildccie () hotmail com
CC: snort-users () lists sourceforge net; hat_gh () yahoo com

Lose the -i eth1... Also, for traffic in/out of the local IP stack, for TCP traffic you need to make sure that Snort sees both sides of the conversation, i.e.

    iptables -I INPUT -p tcp --sport 80 -j QUEUE
    iptables -I OUTPUT -p tcp --dport 80 -j QUEUE

Regards,
Will

On Fri, Aug 6, 2010 at 1:41 PM, netchild ccie <netchildccie () hotmail com> wrote:

Dear list,

I am a new user to Snort and this is my first experience with it. My issue is that it seems Snort does not communicate correctly with iptables. I have a Linux machine running Snort 2.8.6, connected to a LAN with another Linux machine. I am using the other machine to ping the Snort server. Every time I run Snort without iptables, the ping is working, and once I use iptables and then launch Snort, the ping stops and I receive alert messages!!!! I cannot understand why Snort drops the packets?! I'll try to summarize my issue in points:

1. I've built a Linux machine with CentOS 4.8.

2. I've downloaded Snort 2.8.6 from the Snort website.

3. I've compiled the package after I successfully installed libipq and libnet 1.0.2a. I used the following commands:

    ./configure --enable-inline
    make
    make install

4. I've built a simple rule under /etc/snort/rules, as below, and named it "local.rule":

    alert icmp any any <> any any (msg: "ICMP DROPPED"; sid: 1000001;)

5. I loaded the ip_queue module and verified it as below:

    [root@xen1 rules]# modprobe ip_queue
    [root@xen1 rules]# lsmod | grep queue
    ip_queue               44777  0

6. I launched iptables before I started Snort, as below, and verified:

    iptables -A OUTPUT -p icmp -j QUEUE
    [root@xen1 rules]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    QUEUE      icmp --  anywhere             anywhere

7. I've run Snort as below:

    [root@xen1 rules]# snort -k none -c /etc/snort/snort.conf.wael -l /var/log/snort/wael -Q -i eth1
    Enabling inline operation
    Running in IDS mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf.wael"
    PortVar 'HTTP_PORTS' defined :  [ 80 2301 3128 7777 7779 8000 8008 8028 8080 8180 8888 9999 ]
    PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined :  [ 1521 ]
    .
    .
    .
            --== Initialization Complete ==--

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.8.6.1 (Build 39)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2010 Sourcefire, Inc., et al.
               Using PCRE version: 6.6 06-Feb-2006
               Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.12  <Build 18>

8. Verified through the log:

    Aug 6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155 -> 10.6.211.53
    Aug 6 21:39:16 xen1 last message repeated 31 times
    Aug 6 21:40:17 xen1 last message repeated 61 times

9. Verified the ping from the ping's screen:

    [root@dana-ser-ns-02 ~]# ping 10.6.211.53
    PING 10.6.211.53 (10.6.211.53) 56(84) bytes of data.
    <nothing>

What have I missed?!

Regards,
Wael

------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
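The original poster verifies Snort's behaviour from the syslog alert lines, and syslog collapses identical consecutive lines into "last message repeated N times", so the raw line count understates how many packets Snort actually saw. The script below is an added example, not code from this thread or from the Snort project: it parses the syslog alert format shown in the post, expands the repeat lines, and tallies events per signature and per flow so the count can be compared with the number of echo requests ping sent. The sample log is constructed; its first three lines are the ones from the post, and the sshd line, its repeat, and the second sid (1000002, with the Classification/Priority fields Snort emits when a rule has a classtype) are invented to exercise the edge cases. One check worth keeping in mind when reading such a tally: an alert only shows that Snort received the queued packet, not what verdict it returned for it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, Tuple

# Constructed sample log. The first three lines are the ones shown in the
# original post; the sshd line, its repeat, and the second sid are constructed
# to exercise the edge cases (a repeat belonging to another daemon, and the
# Classification/Priority fields Snort emits when a rule has a classtype).
SAMPLE_LOG = """\
Aug  6 21:38:45 xen1 snort: [1:1000001:0] ICMP DROPPED {ICMP} 10.6.211.155 -> 10.6.211.53
Aug  6 21:39:16 xen1 last message repeated 31 times
Aug  6 21:40:17 xen1 last message repeated 61 times
Aug  6 21:40:50 xen1 sshd[2211]: Accepted publickey for root from 10.6.211.155 port 40022 ssh2
Aug  6 21:40:55 xen1 last message repeated 4 times
Aug  6 21:41:02 xen1 snort: [1:1000002:0] TEST TCP [Classification: Misc activity] [Priority: 3] {TCP} 10.6.211.155:51234 -> 10.6.211.53:80
Aug  6 21:41:05 xen1 last message repeated 2 times
"""

# Syslog prefix: "Mon dd HH:MM:SS host " (day may be space-padded).
_TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
# Snort alert via syslog: [gid:sid:rev] msg [optional classification/priority] {PROTO} src -> dst
ALERT_RE = re.compile(
    _TS + r"snort(?:\[\d+\])?: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?)(?: \[Classification: [^\]]*\])?(?: \[Priority: \d+\])? "
    r"\{(?P<proto>[A-Za-z0-9]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)
REPEAT_RE = re.compile(_TS + r"last message repeated (?P<n>\d+) times$")


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    dst: str


def parse_alerts(text: str) -> Iterator[Alert]:
    """Yield one Alert per event, expanding syslog's 'last message repeated N times'.

    A repeat line is attributed to Snort only when the immediately preceding
    line was a Snort alert; any other line in between resets that state, so
    repeats of some other daemon's message are not counted as alerts.
    """
    last = None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            last = Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]),
                         m["msg"], m["proto"].upper(), m["src"], m["dst"])
            yield last
            continue
        r = REPEAT_RE.match(line)
        if r:
            if last is not None:
                for _ in range(int(r["n"])):
                    yield last
            continue
        last = None  # some other daemon's line; a following repeat is not ours


def tally(text: str) -> Tuple[Counter, Counter]:
    """Count events per (gid, sid) and per (proto, src, dst)."""
    by_sig: Counter = Counter()
    by_flow: Counter = Counter()
    for a in parse_alerts(text):
        by_sig[(a.gid, a.sid)] += 1
        by_flow[(a.proto, a.src, a.dst)] += 1
    return by_sig, by_flow


if __name__ == "__main__":
    sigs, flows = tally(SAMPLE_LOG)
    for (gid, sid), n in sorted(sigs.items()):
        print(f"[{gid}:{sid}] {n} events")
    for (proto, src, dst), n in sorted(flows.items()):
        print(f"{proto} {src} -> {dst}: {n}")
```

On the three lines from the post this yields 93 events for sid 1000001 (1 + 31 + 61) over roughly a minute and a half, which is consistent with ping's default one echo request per second, so Snort was handed every queued packet. The constructed sshd repeat is correctly ignored because the line before it was not a Snort alert.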
Current thread:
- Re: snort inline mode is not working with iptables, (continued)
- Re: snort inline mode is not working with iptables Ryan Jordan (Aug 06)
- Re: snort inline mode is not working with iptables Will Metcalf (Aug 06)
- Re: snort inline mode is not working with iptables Ryan Jordan (Aug 06)
- Re: snort inline mode is not working with iptables netchild ccie (Aug 06)
- Re: snort inline mode is not working with iptables Will Metcalf (Aug 06)
- Re: snort inline mode is not working with iptables Ryan Jordan (Aug 06)
- Re: snort inline mode is not working with iptables Will Metcalf (Aug 06)
- Re: snort inline mode is not working with iptables netchild ccie (Aug 06)
- Re: snort inline mode is not working with iptables Will Metcalf (Aug 06)
- Re: snort inline mode is not working with iptables netchild ccie (Aug 06)
- Re: snort inline mode is not working with iptables Russ Combs (Aug 06)
- Re: snort inline mode is not working with iptables Will Metcalf (Aug 06)
- Re: snort inline mode is not working with iptables Wael (Aug 07)
- Re: snort inline mode is not working with iptables Jason Brvenik (Aug 07)
- Re: snort inline mode is not working with iptables Wael (Aug 07)
- Message not available
- Message not available
- Re: snort inline mode is not working with iptables Russ Combs (Aug 07)
- Re: snort inline mode is not working with iptables Hatim Alghamdi (Aug 09)
- Re: snort inline mode is not working with iptables Joel Esler (Aug 09)
- Re: snort inline mode is not working with iptables netchild ccie (Aug 06)