Snort mailing list archives
Help with inline setup
From: Andrea Cerrito <is () gentestrana net>
Date: Wed, 25 Apr 2012 21:22:31 +0200
Hi list,

I'm trying to deploy Snort as an active IDS for a web application running under https. To accomplish this, in my test machine I've set up this scenario:

Linux box with 2 ethernet interfaces:
  eth0 public ip
  eth1 private ip

On eth0 I'm running Apache as a reverse proxy to convert the incoming traffic to http instead of https. The redirect is running from the public ip to the private ip. On eth1 I'm running Apache with the real web application.

This part is working fine. The application is running without problems.

On the same machine, I'm trying to run Snort to catch the traffic. The alarms are working fine: I've tested some custom rules and they are ok. The problem is when I'd like to drop packets: this is just not working.

Sniffing traffic, I've seen the http traffic to inspect running just on lo :-| Due to this, this is my firewall setup for snort:

  iptables -I INPUT -i lo -j NFQUEUE
  iptables -A OUTPUT -o lo -j NFQUEUE

And it's working, because without running Snort, I cannot use the web application. Running Snort, it permits access to the web application:

  snort -c snort.conf --daq nfq --daq-mode inline --daq-var device=lo -A full

The rule I'm testing is this one:

  alert tcp any any -> any 80 (msg:" TEST OK! "; sid:1000000; rev:1;)

And the alert is triggered without problem:

  [**] [1:1000000:1] TEST OK! [**]
  [Priority: 0]
  04/25-21:18:15.809531 INTERNAL_IP:59174 -> INTERNAL_IP:80
  TCP TTL:64 TOS:0x0 ID:60074 IpLen:20 DgmLen:52 DF
  ***A***F Seq: 0xEDA2396B  Ack: 0xF38AE448  Win: 0x181  TcpLen: 32
  TCP Options (3) => NOP NOP TS: 1039782 1039519

If I modify the rule from alert to drop or block, nothing happens.

Any clue?

Thanks
Andrea Cerrito
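The post pairs an inline nfq DAQ with a rule whose action is switched from alert to drop, and sees no change. The script below is an added example, not code from the thread or from the Snort project: a small pre-flight audit that reads a rule file, the snort command line, an optional snort.conf and the iptables lines, and reports the mismatches that make drop rules silently behave like alerts. It assumes Snort 2.9-era semantics: enforcing rules (drop, sdrop, reject) are only enforced when Snort's policy mode is inline (the -Q switch or config policy_mode:inline), the DAQ must itself run in inline mode, and the nfq DAQ binds NFQUEUE queue 0 unless --daq-var queue=N says otherwise, which must match the iptables --queue-num. It goes a little beyond the post by also checking the queue-number agreement and flagging actions Snort 2.9 does not define (such as block). The sample rule, command line and iptables lines at the bottom are constructed to mirror the post.

```python
import re
import shlex

# Assumption: Snort 2.9 action set. "block" is not among them and is reported as unknown.
ENFORCING_ACTIONS = {"drop", "sdrop", "reject"}
KNOWN_ACTIONS = ENFORCING_ACTIONS | {"alert", "log", "pass", "activate", "dynamic"}

# action, protocol, anything up to the option block in parentheses
RULE_RE = re.compile(r"^\s*(?P<action>\w+)\s+\S+\s+.*\(\s*(?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def parse_rules(rule_text):
    """Return [(action, sid)] for every non-comment rule line."""
    rules = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        sid = SID_RE.search(m.group("opts"))
        rules.append((m.group("action").lower(), int(sid.group(1)) if sid else None))
    return rules


def snort_policy_mode(cmdline, conf_text=""):
    """'inline' if -Q is on the command line or snort.conf sets
    config policy_mode:inline; otherwise Snort parses drop rules in passive mode."""
    if "-Q" in shlex.split(cmdline):
        return "inline"
    if re.search(r"^\s*config\s+policy_mode\s*:\s*inline\b", conf_text, re.M):
        return "inline"
    return "passive"


def daq_queue(cmdline):
    """NFQUEUE number the nfq DAQ binds; 0 when --daq-var queue= is absent."""
    m = re.search(r"--daq-var\s+queue=(\d+)", cmdline)
    return int(m.group(1)) if m else 0


def iptables_queues(iptables_text):
    """Queue numbers used by -j NFQUEUE rules; 0 when --queue-num is absent."""
    queues = set()
    for line in iptables_text.splitlines():
        if "NFQUEUE" not in line:
            continue
        m = re.search(r"--queue-num\s+(\d+)", line)
        queues.add(int(m.group(1)) if m else 0)
    return queues


def audit_inline_setup(rule_text, cmdline, conf_text="", iptables_text=""):
    """Return a list of findings; an empty list means no mismatch was detected."""
    findings = []
    rules = parse_rules(rule_text)
    enforcing = [sid for action, sid in rules if action in ENFORCING_ACTIONS]
    for action, sid in rules:
        if action not in KNOWN_ACTIONS:
            findings.append(f"sid {sid}: '{action}' is not a Snort 2.9 rule action")
    if "--daq-mode inline" not in cmdline:
        findings.append("DAQ is not in inline mode; no packet can be dropped")
    if enforcing and snort_policy_mode(cmdline, conf_text) != "inline":
        findings.append(
            f"{len(enforcing)} drop/sdrop/reject rule(s) (sids {enforcing}) but Snort "
            "runs in passive policy mode; add -Q or 'config policy_mode:inline'"
        )
    if iptables_text:
        queues = iptables_queues(iptables_text)
        if queues and daq_queue(cmdline) not in queues:
            findings.append(
                f"nfq DAQ binds queue {daq_queue(cmdline)} but iptables uses {sorted(queues)}"
            )
    return findings


# Constructed sample mirroring the post: one drop rule, no -Q on the command line.
SAMPLE_RULES = 'drop tcp any any -> any 80 (msg:" TEST OK! "; sid:1000000; rev:1;)\n'
SAMPLE_CMD = "snort -c snort.conf --daq nfq --daq-mode inline --daq-var device=lo -A full"
SAMPLE_IPTABLES = "iptables -I INPUT -i lo -j NFQUEUE\niptables -A OUTPUT -o lo -j NFQUEUE\n"

if __name__ == "__main__":
    for finding in audit_inline_setup(SAMPLE_RULES, SAMPLE_CMD, iptables_text=SAMPLE_IPTABLES):
        print("finding:", finding)
```

Run against the constructed sample it reports a single finding, the passive policy mode; appending -Q to the command line (or adding config policy_mode:inline to snort.conf) clears it, while leaving the rule as alert produces no finding at all because nothing is being asked to drop.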
Current thread:
- Help with inline setup Andrea Cerrito (Apr 25)
- Re: Help with inline setup Simon Blixt (Apr 26)
- Re: Help with inline setup Andrea Cerrito (Apr 26)
- Re: Help with inline setup Simon Blixt (Apr 26)