Snort mailing list archives
Re: Snort with NFQUEUE allows everything (even unopened ports)
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 3 Apr 2012 10:13:14 -0400
I see you made progress but wanted to clarify something below. Also, if the NFQ DAQ returned an NF_QUEUE verdict instead of NF_ACCEPT would that solve your problem? On Fri, Mar 30, 2012 at 11:47 PM, Amm Snort <ammdispose-snort () yahoo com>wrote:
"config daq_mode: inline" implies -Q, doesnt it?
No - but -Q does imply the DAQ will be inline.
Log shows "nfq DAQ configured to inline." With as well as without -Q
DAQ mode and Snort mode are two different things.
Snort shows "hydra" alert is proof enough that inline mode is working. But, anyway, I tried with -Q as well .... same result.. packet does not reach DROP rule and gets ACCEPTed. Converted "alert" rule to "drop" but same result, PORT still becomes OPEN inspite of iptables DROP following iptables NFQUEUE rule. (ofcourse typing "EHLO hydra" drops that packet as expected but my point is I was able to establish connection to port 25 which should not have happened at first place) Also conversion of "alert" rule to "drop" is not a solution, because I may not want to drop everything, sometimes I may just want an alert to be logged. I am on kernel 3.3 by the way (latest Fedora update), in case it helps in identifying the problem. Thank you, Amish ------------------------------ *From:* Russ Combs <rcombs () sourcefire com> *To:* Amm Snort <ammdispose-snort () yahoo com> *Cc:* "snort-users () lists sourceforge net" < snort-users () lists sourceforge net> *Sent:* Saturday, 31 March 2012 12:18 AM *Subject:* Re: [Snort-users] Snort with NFQUEUE allows everything (even unopened ports) Try using a drop rule instead of alert. And the DAQ mode and Snort mode aren't the same thing. Try adding -Q too. On Fri, Mar 30, 2012 at 2:29 PM, Amm Snort <ammdispose-snort () yahoo com>wrote: Hello all, I have setup snort with DAQ NFQUEUE. My problem is inspite of firewall rule to block all ports, system starts allowing ALL THE PORTS. Without SNORT/NFQUEUE, blocking happens perfectly fine. So either I am making a STUPID mistake (I hope so) otherwise there is a serious SECURITY issue. System: Fedora 16 (64 bit) Snort version 2.9.2.2 (compiled from src rpm at http://www.snort.org/snort-downloads) Daq version 0.6.2 (compiled from src rpm at http://www.snort.org/snort-downloads with NFQ enabled) snort.conf summary: #monitor connection to LAN and DSL IP (dynamic) ipvar HOME_NET [192.168.1.0/24,1.2.0.0/16] config daq: nfq config daq_mode: inline config daq_dir: /usr/lib64/daq Command line: snort -A fast -b -d -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort (no interface specified, -Q not needed as config daq_mode set to inline) Rule File: (just one rule for testing) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url, www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;) IPTABLES: iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE iptables -I OUTPUT 1 -p tcp -o ppp1 -j NFQUEUE (rule triggers alert on sending "EHLO hydra" - hence setup seems to be running fine) Now THE SERIOUS PROBLEM: As shown below, my iptables INPUT chain allows connection ONLY on port 22. 1) iptables -nvL INPUT (on snort system) Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 274 146K NFQUEUE tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0 0 0 ACCEPT tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 17344 816K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited 2) telnet 1.2.3.4 25 (from some remote machine) Trying to connect to port 25 of SNORT machine from some remote machine. Trying 1.2.3.4... Connected to XXXXX. Escape character is '^]'. 220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:17:42 +0530 >>>> How did it connect to port 25??? ehlo hydra .... 3) tail -1 /var/log/snort/alert 03/30-23:17:46.056165 [**] [1:100000167:1] GPL SMTP SMTP Hydra Activity Detected [**] [Classification: Misc Attack] [Priority: 2] {TCP} 2.2.2.2:35256 -> 1.2.3.4:25 (which means snort detected the hydra activity as expected) 4) iptables -D INPUT 1 -p tcp -i ppp1 -j NFQUEUE Delete the NFQUEUE rule. i.e. disable SNORT inspection 5) telnet 1.2.3.4 25 (try again) Trying 1.2.3.4 ... telnet: connect to address 1.2.3.4: No route to hostBlocked (packet rejected) just as expected after removing snortNFQUEUE rule 6) Add rule again with one additional DROP rule for port 25 iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE iptables -I INPUT 2 -p tcp -i ppp1 --dport 25 -j DROP a) iptables -nvL INPUT pkts bytes target prot opt in out source destination 29 3660 NFQUEUE tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0 0 0 DROP tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 Now try to connect again: telnet 1.2.3.4 25 Trying 1.2.3.4... Connected to XXXXX. Escape character is '^]'. 220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:32:17 +0530WHAT?!! Started accepting connection again!!!!b) iptables -nvL INPUT pkts bytes target prot opt in out source destination 72 7982 NFQUEUE tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 0 0 0 DROP tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25Notice that DROP counter has not increased at all, which meansSnort/NFQUEUE is ALLOWING the packet instead of proceeding to next rule (which is DROP rule) c) Port Scan nmap -n 1.2.3.4 Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on (1.2.3.4): (The 1590 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 25/tcp open smtp 80/tcp open http 111/tcp open sunrpc 135/tcp filtered loc-srv 137/tcp filtered netbios-ns 139/tcp filtered netbios-ssn 443/tcp open https 445/tcp filtered microsoft-ds 3128/tcp open squid-httpEVERYTHING is OPEN!!!d) Delete NFQUEUE rule and try to connect again: iptables -D INPUT -p tcp -i ppp1 -j NFQUEUE telnet 1.2.3.4 25 Trying 1.2.3.4... Nothing happens due to DROP rule (as expected) d) iptables -nvL INPUT (check packet COUNTER) pkts bytes target prot opt in out source destination 2 120 DROP tcp -- ppp1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25DROP Counter increased once the NFQUEUE rule is deletedSo inshort NFQUEUE or Snort is ALLOWING the packet directly instead of letting it pass to next iptables rule. Is there something I missed or there is really something wrong with SNORT/NFQUEUE? Please correct me. Thank you, Amm ------------------------------------------------------------------------------ This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Better than sec? Nothing is better than sec when it comes to monitoring Big Data applications. Try Boundary one-second resolution app monitoring today. Free. http://p.sf.net/sfu/Boundary-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort with NFQUEUE allows everything (even unopened ports) Russ Combs (Apr 03)