Snort mailing list archives
Snort with NFQUEUE allows everything (even unopened ports)
From: Amm Snort <ammdispose-snort () yahoo com>
Date: Sat, 31 Mar 2012 02:29:26 +0800 (SGT)
Hello all, I have setup snort with DAQ NFQUEUE. My problem is inspite of firewall rule to block all ports, system starts allowing ALL THE PORTS. Without SNORT/NFQUEUE, blocking happens perfectly fine. So either I am making a STUPID mistake (I hope so) otherwise there is a serious SECURITY issue. System: Fedora 16 (64 bit) Snort version 2.9.2.2 (compiled from src rpm at http://www.snort.org/snort-downloads) Daq version 0.6.2 (compiled from src rpm at http://www.snort.org/snort-downloads with NFQ enabled) snort.conf summary: #monitor connection to LAN and DSL IP (dynamic) ipvar HOME_NET [192.168.1.0/24,1.2.0.0/16] config daq: nfq config daq_mode: inline config daq_dir: /usr/lib64/daq Command line: snort -A fast -b -d -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort (no interface specified, -Q not needed as config daq_mode set to inline) Rule File: (just one rule for testing) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;) IPTABLES: iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE iptables -I OUTPUT 1 -p tcp -o ppp1 -j NFQUEUE (rule triggers alert on sending "EHLO hydra" - hence setup seems to be running fine) Now THE SERIOUS PROBLEM: As shown below, my iptables INPUT chain allows connection ONLY on port 22. 1) iptables -nvL INPUT (on snort system) Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 274 146K NFQUEUE tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0 0 0 ACCEPT tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 17344 816K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 2) telnet 1.2.3.4 25 (from some remote machine) Trying to connect to port 25 of SNORT machine from some remote machine. Trying 1.2.3.4... Connected to XXXXX. Escape character is '^]'. 220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:17:42 +0530 >>>> How did it connect to port 25??? ehlo hydra.... 3) tail -1 /var/log/snort/alert 03/30-23:17:46.056165 [**] [1:100000167:1] GPL SMTP SMTP Hydra Activity Detected [**] [Classification: Misc Attack] [Priority: 2] {TCP} 2.2.2.2:35256 -> 1.2.3.4:25 (which means snort detected the hydra activity as expected) 4) iptables -D INPUT 1 -p tcp -i ppp1 -j NFQUEUE Delete the NFQUEUE rule. i.e. disable SNORT inspection 5) telnet 1.2.3.4 25 (try again) Trying 1.2.3.4 ... telnet: connect to address 1.2.3.4: No route to host
Blocked (packet rejected) just as expected after removing snort NFQUEUE rule
6) Add rule again with one additional DROP rule for port 25 iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE iptables -I INPUT 2 -p tcp -i ppp1 --dport 25 -j DROP a) iptables -nvL INPUT pkts bytes target prot opt in out source destination 29 3660 NFQUEUE tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0 0 0 DROP tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 Now try to connect again: telnet 1.2.3.4 25 Trying 1.2.3.4... Connected to XXXXX. Escape character is '^]'. 220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:32:17 +0530
WHAT?!! Started accepting connection again!!!!
b) iptables -nvL INPUT pkts bytes target prot opt in out source destination 72 7982 NFQUEUE tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0 0 0 DROP tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
Notice that DROP counter has not increased at all, which means Snort/NFQUEUE is ALLOWING the packet instead of proceeding to next rule (which is DROP rule)
c) Port Scan nmap -n 1.2.3.4 Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on (1.2.3.4): (The 1590 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 25/tcp open smtp 80/tcp open http 111/tcp open sunrpc 135/tcp filtered loc-srv 137/tcp filtered netbios-ns 139/tcp filtered netbios-ssn 443/tcp open https 445/tcp filtered microsoft-ds 3128/tcp open squid-http
EVERYTHING is OPEN!!!
d) Delete NFQUEUE rule and try to connect again: iptables -D INPUT -p tcp -i ppp1 -j NFQUEUE telnet 1.2.3.4 25 Trying 1.2.3.4... Nothing happens due to DROP rule (as expected) d) iptables -nvL INPUT (check packet COUNTER) pkts bytes target prot opt in out source destination 2 120 DROP tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
DROP Counter increased once the NFQUEUE rule is deleted
So inshort NFQUEUE or Snort is ALLOWING the packet directly instead of letting it pass to next iptables rule. Is there something I missed or there is really something wrong with SNORT/NFQUEUE? Please correct me. Thank you, Amm
------------------------------------------------------------------------------ This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 30)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Russ Combs (Mar 30)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 30)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 31)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Jaime Nebrera (Mar 31)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 31)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Jaime Nebrera (Mar 31)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Amm Snort (Mar 30)
- Re: Snort with NFQUEUE allows everything (even unopened ports) Russ Combs (Mar 30)