Snort mailing list archives

Re: Snort with NFQUEUE allows everything (even unopened ports)


From: Jaime Nebrera <jnebrera () gmail com>
Date: Sat, 31 Mar 2012 14:51:12 +0200

Hi Amm,

You are not missing anything and netfilter is working as expected.

Your rule says to put all traffic into the queue. Unless further on the
traffic is dropped, it will go on.

If you want to do this for a particular port you have to state so explicitly.

Sent from my iPhone

On 31/03/2012, at 13:51, Amm Snort <ammdispose-snort () yahoo com> wrote:

To dig into this further, I downloaded the nfq test sample code found at:
http://netfilter.org/projects/libnetfilter_queue/doxygen/nfqnl__test_8c_source.html

Which simply runs queue 0 and prints info about packets captured on that
queue.

I compiled it and ran it.

First iptables rule:
iptables -I INPUT -i ppp1 -j DROP # drop everything

telnet to port 25 from a remote host does not work, as expected.

Now add NFQUEUE:
iptables -I INPUT -i ppp1 -j NFQUEUE # add a queue

To my surprise, even this TEST program OPENED ALL THE PORTS.

Even a port scan shows ports 22, 80 and 3128 all open.

I wonder if there is a bug in libnetfilter_queue (of kernel 3.3)??

Is it considering VERDICT OF ACCEPT as iptables ACCEPT?

Or AM I REALLY MISSING SOMETHING?

Amm

  ------------------------------
*From:* Amm Snort <ammdispose-snort () yahoo com>
*To:* Russ Combs <rcombs () sourcefire com>
*Cc:* "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>

*Sent:* Saturday, 31 March 2012 9:17 AM
*Subject:* Re: [Snort-users] Snort with NFQUEUE allows everything (even unopened ports)

"config daq_mode: inline" implies -Q, doesn't it?

The log shows "nfq DAQ configured to inline." with as well as without -Q.

Snort showing the "hydra" alert is proof enough that inline mode is working.

But anyway, I tried with -Q as well... same result: the packet does not
reach the DROP rule and gets ACCEPTed.


I converted the "alert" rule to "drop" but got the same result: the PORT still
becomes OPEN in spite of the iptables DROP rule following the iptables NFQUEUE rule.

(Of course typing "EHLO hydra" drops that packet as expected, but my point is
that I was able to establish a connection to port 25, which should not have
happened in the first place.)

Also, converting the "alert" rule to "drop" is not a solution, because I may
not want to drop everything; sometimes I may just want an alert to be
logged.

I am on kernel 3.3 by the way (latest Fedora update), in case it helps in
identifying the problem.

Thank you,

Amm

  ------------------------------
*From:* Russ Combs <rcombs () sourcefire com>
*To:* Amm Snort <ammdispose-snort () yahoo com>
*Cc:* "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>

*Sent:* Saturday, 31 March 2012 12:18 AM
*Subject:* Re: [Snort-users] Snort with NFQUEUE allows everything (even unopened ports)

Try using a drop rule instead of alert.  And the DAQ mode and Snort mode
aren't the same thing.  Try adding -Q too.

On Fri, Mar 30, 2012 at 2:29 PM, Amm Snort <ammdispose-snort () yahoo com> wrote:

Hello all,

I have setup snort with DAQ NFQUEUE.

My problem is that in spite of a firewall rule to block all ports, the system
starts allowing ALL THE PORTS.

Without SNORT/NFQUEUE, blocking happens perfectly fine.

So either I am making a STUPID mistake (I hope so), or there is a
serious SECURITY issue.

System:
Fedora 16 (64 bit)
Snort version 2.9.2.2 (compiled from src rpm at
http://www.snort.org/snort-downloads)
Daq version 0.6.2 (compiled from src rpm at
http://www.snort.org/snort-downloads with NFQ enabled)

snort.conf summary:

#monitor connection to LAN and DSL IP (dynamic)
ipvar HOME_NET [192.168.1.0/24,1.2.0.0/16]

config daq: nfq
config daq_mode: inline
config daq_dir: /usr/lib64/daq

Command line:

snort -A fast -b -d -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

(no interface specified; -Q not needed as config daq_mode is set to inline)

Rule File: (just one rule for testing)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)

IPTABLES:

iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
iptables -I OUTPUT 1 -p tcp -o ppp1 -j NFQUEUE

(the rule triggers an alert on sending "EHLO hydra", hence the setup seems to
be running fine)


Now THE SERIOUS PROBLEM:

As shown below, my iptables INPUT chain allows connection ONLY on port 22.

1) iptables -nvL INPUT (on snort system)

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  274  146K NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 ACCEPT     tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
17344  816K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

2) telnet 1.2.3.4 25 (from some remote machine)

Trying to connect to port 25 of SNORT machine from some remote machine.

Trying 1.2.3.4...
Connected to XXXXX.
Escape character is '^]'.
220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:17:42 +0530
How did it connect to port 25???
ehlo hydra
....

3) tail -1 /var/log/snort/alert

03/30-23:17:46.056165  [**] [1:100000167:1] GPL SMTP SMTP Hydra Activity Detected [**] [Classification: Misc Attack] [Priority: 2] {TCP} 2.2.2.2:35256 -> 1.2.3.4:25

(which means snort detected the hydra activity as expected)

4) iptables -D INPUT 1 -p tcp -i ppp1 -j NFQUEUE

Delete the NFQUEUE rule, i.e. disable SNORT inspection.

5) telnet 1.2.3.4 25 (try again)

Trying 1.2.3.4 ...
telnet: connect to address 1.2.3.4: No route to host

Blocked (packet rejected) just as expected after removing the snort NFQUEUE
rule.

6) Add rule again with one additional DROP rule for port 25

iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
iptables -I INPUT 2 -p tcp -i ppp1 --dport 25 -j DROP

a) iptables -nvL INPUT

 pkts bytes target     prot opt in     out     source               destination
   29  3660 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25

Now try to connect again:

telnet 1.2.3.4 25
Trying 1.2.3.4...
Connected to XXXXX.
Escape character is '^]'.
220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:32:17 +0530

WHAT?!! Started accepting connection again!!!!

b) iptables -nvL INPUT

 pkts bytes target     prot opt in     out     source               destination
   72  7982 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25

Notice that the DROP counter has not increased at all, which means
Snort/NFQUEUE is ALLOWING the packet instead of proceeding to the next rule
(which is the DROP rule).

c) Port Scan

 nmap -n 1.2.3.4

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on  (1.2.3.4):
(The 1590 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
135/tcp    filtered    loc-srv
137/tcp    filtered    netbios-ns
139/tcp    filtered    netbios-ssn
443/tcp    open        https
445/tcp    filtered    microsoft-ds
3128/tcp   open        squid-http

EVERYTHING is OPEN!!!

d) Delete NFQUEUE rule and try to connect again:

iptables -D INPUT -p tcp -i ppp1 -j NFQUEUE

telnet 1.2.3.4 25
Trying 1.2.3.4...

Nothing happens due to the DROP rule (as expected).


e) iptables -nvL INPUT (check packet COUNTER)

 pkts bytes target     prot opt in     out     source               destination
    2   120 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25

The DROP counter increased once the NFQUEUE rule was deleted.



So in short, NFQUEUE or Snort is ALLOWING the packet directly instead of
letting it pass to the next iptables rule.

Is there something I missed, or is there really something wrong with
SNORT/NFQUEUE?


Please correct me.

Thank you,


Amm
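To make the mechanism behind the counters above concrete, here is a small Python model of the INPUT chain from this thread. It is an added illustration, not code from the thread, from Snort or from the DAQ. When a matching rule's target is NFQUEUE and the userspace reader answers NF_ACCEPT, the kernel reinjects the packet and continues with the next netfilter hook, not with the next rule of the same chain, so a DROP (or ACCEPT) rule placed after the NFQUEUE rule is never evaluated and its counter stays at zero. The `Packet`, `Rule`, `traverse` and `snort_like_reader` names and the simplified match fields are my own constructions; `snort_like_reader` stands in for Snort with the thread's rule converted to `drop` (or for nfqnl_test, whose callback accepts every packet).

```python
"""Model of netfilter chain traversal with an NFQUEUE rule.

Added illustration, not code from the thread or from Snort/DAQ.  The rule
and packet fields are a simplified stand-in for real iptables matches.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Verdict values from <linux/netfilter.h>
NF_DROP = 0
NF_ACCEPT = 1


@dataclass
class Packet:
    proto: str
    in_iface: str
    dport: int
    payload: bytes = b""   # b"" models the bare SYN that opens a connection


@dataclass
class Rule:
    target: str                     # NFQUEUE, ACCEPT, DROP or REJECT
    proto: Optional[str] = None     # -p
    in_iface: Optional[str] = None  # -i
    dport: Optional[int] = None     # --dport
    pkts: int = 0                   # the "pkts" column of iptables -nvL

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.in_iface is None or self.in_iface == pkt.in_iface)
                and (self.dport is None or self.dport == pkt.dport))


def traverse(chain: List[Rule], pkt: Packet,
             queue_reader: Callable[[Packet], int],
             policy: str = "ACCEPT") -> str:
    """Walk one chain the way the filter table's hook does.

    ACCEPT/DROP/REJECT terminate traversal.  NFQUEUE hands the packet to the
    userspace reader; an NF_ACCEPT verdict reinjects it and continues with
    the *next hook*, so the remaining rules of this chain are skipped.
    """
    for rule in chain:
        if not rule.matches(pkt):
            continue
        rule.pkts += 1
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        if rule.target == "NFQUEUE":
            return "ACCEPT" if queue_reader(pkt) == NF_ACCEPT else "DROP"
        raise ValueError(f"unsupported target {rule.target}")
    return policy


def snort_like_reader(pkt: Packet) -> int:
    """Stand-in (assumed) for Snort with the thread's rule as 'drop': only an
    EHLO/HELO hydra payload on port 25 is dropped; everything else, including
    the SYN that opens the connection, is accepted, as an IPS should."""
    if pkt.dport == 25 and b"hydra" in pkt.payload.lower():
        return NF_DROP
    return NF_ACCEPT


def chain_from_thread() -> List[Rule]:
    """Step 6 of the thread: NFQUEUE first, DROP for port 25 after it."""
    return [Rule("NFQUEUE", proto="tcp", in_iface="ppp1"),
            Rule("DROP", proto="tcp", in_iface="ppp1", dport=25)]


def chain_drop_before_queue() -> List[Rule]:
    """Fix 1: apply the firewall policy first, queue only what it lets through."""
    return [Rule("DROP", proto="tcp", in_iface="ppp1", dport=25),
            Rule("NFQUEUE", proto="tcp", in_iface="ppp1")]


def chain_queue_only_allowed_ports() -> List[Rule]:
    """Fix 2: queue only the ports meant to be open; keep the catch-all REJECT."""
    return [Rule("NFQUEUE", proto="tcp", in_iface="ppp1", dport=22),
            Rule("ACCEPT", proto="tcp", in_iface="ppp1", dport=22),
            Rule("REJECT")]


def demo(chain: List[Rule], pkt: Packet) -> str:
    """Run one packet through a chain and return the final verdict."""
    return traverse(chain, pkt, snort_like_reader)


if __name__ == "__main__":
    syn25 = Packet("tcp", "ppp1", 25)
    for name, chain in [("thread", chain_from_thread()),
                        ("drop-before-queue", chain_drop_before_queue()),
                        ("queue-allowed-only", chain_queue_only_allowed_ports())]:
        verdict = demo(chain, syn25)
        counters = [(r.target, r.dport, r.pkts) for r in chain]
        print(f"{name}: SYN to 25 -> {verdict}; counters {counters}")
```

Running it reproduces the listings above: with the thread's ordering the SYN to port 25 is accepted and the DROP rule's counter stays at 0, and in the first chain the same applies to the ACCEPT dpt:22 rule, which also shows 0 packets. The practical consequence is the one in Jaime's reply: put the DROP/REJECT rules before the NFQUEUE rule, or restrict the NFQUEUE rule to the ports that are meant to be open, and treat Snort's verdict as a second gate rather than as a replacement for the chain.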

------------------------------------------------------------------------------
This SF email is sponsored by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!






