Snort mailing list archives

Re: Some Snort beginner questions


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 05 Nov 2014 10:39:18 -0700

On 2014-11-05 09:55, Jim Garrison wrote:
On 10/31/2014 5:40 PM, James Lay wrote:
On Sat, 2014-11-01 at 00:26 +0000, Joel Esler (jesler) wrote:
You can put all your deny statements in iptables before you put your queue statements.

--
Joel Esler
iPhone

On Oct 31, 2014, at 17:40, Jim Garrison <jhg () jhmg net> wrote:

I have a CentOS 6.5 web server configured with a very restrictive
[snip]

Also keep in mind that any iptables rules AFTER your snort QUEUE rule
are NOT applied.  As soon as a packet hits the snort QUEUE rule the
packet is either a) flagged by snort and dropped, or b) passed up the
stack as allowed.

I guess I'm still too new to Snort to fully understand how to do this.

I am running Snort and iptables on a single machine, filtering incoming
traffic to that one machine, and eventually wanting to run Snort as
an IPS for that single machine.  The iptables configuration has been
stable for years and I'd rather not change it too much.

What I want to do is make Snort see and react to only the traffic not
already blocked by iptables.  I.e.

    Internet --> iptables --> snort --> httpd

Is there a document describing how to do this?

I've read elsewhere that Snort works best as an IPS when it runs on
its own dedicated machine with two NICs, and filters incoming traffic
for an internal network, and not so well for my situation.  Is this
true?

Ok...let's look at a couple of examples...for your setup on a single
machine you'll use the INPUT table, easy enough:

sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 80 -j ACCEPT
sudo /sbin/iptables -A INPUT -d IP.ADDRESS -j DROP

Simple...allow port 80, drop everything else...this is a "whitelist"
type of firewall setup...poke holes, block everything else. Now the
below:

sudo /sbin/iptables -A INPUT -j NFQUEUE --queue-num 1
sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 80 -j ACCEPT
sudo /sbin/iptables -A INPUT -d IP.ADDRESS -j DROP

will cause ALL packets to go to Snort's queue...and at that point the
following ACCEPT and DROP rules are never accessed...Snort will
determine if it's going to drop the traffic or not and pass it
along...so if Snort doesn't drop it, then it goes up the stack...at this
point in time, and unless Snort has dropped the packet, your IP.ADDRESS
is effectively wide open.  If you reverse this:

sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 80 -j ACCEPT
sudo /sbin/iptables -A INPUT -j NFQUEUE --queue-num 1
sudo /sbin/iptables -A INPUT -d IP.ADDRESS -j DROP

the packets never make it to Snort's QUEUE...that's obviously not what
we want to do.

At this point, a "blacklist" type firewall setup may be a better fit.  
If we assume that the NFQUEUE rule is effectively an ACCEPT consider the 
below:

sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 0:79 -j DROP
sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 80 -j NFQUEUE --queue-num 1
sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 81:65535 -j DROP

as an added bonus you'll still have firewall control to block known bad
source IPs:

sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 0:79 -j DROP
sudo /sbin/iptables -A INPUT -s BAD.ACTORS -d IP.ADDRESS -p tcp --dport 80 -j DROP
sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 80 -j NFQUEUE --queue-num 1
sudo /sbin/iptables -A INPUT -d IP.ADDRESS -p tcp --dport 81:65535 -j DROP

Because you are working with a single machine and IP, this is
absolutely doable.  The only bummer is that now, ANY other type of
threat is ignored by Snort, since we're only listening to port 80.  A
second Snort instance to run as an IDS might be an option.  Things start
to fall apart when you have a Linux box set up as a router with a few
NICs or a Linux box acting as a bridge.  Hope that helps.

James

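To make the ordering argument in the reply above concrete, here is a small first-match simulator for the three INPUT rule sets it walks through. It is an added example, not code from the thread or from Snort; it models only the options the thread uses (-s, --dport, -j), treats NFQUEUE as the end of the chain (the packet goes to Snort, later rules are never consulted), assumes an ACCEPT chain policy, and uses a constructed client address 203.0.113.7.

```python
import re
from typing import List, Optional

class Rule:
    """One INPUT-chain rule: optional source, optional inclusive dport range, target."""
    def __init__(self, src: Optional[str], ports: Optional[range], target: str):
        self.src, self.ports, self.target = src, ports, target

def parse_rule(cmd: str) -> Rule:
    """Parse the option subset used in the thread: -s, --dport (N or N:M), -j."""
    src = re.search(r"\s-s\s+(\S+)", cmd)
    dport = re.search(r"--dport\s+(\d+)(?::(\d+))?", cmd)
    target = re.search(r"\s-j\s+(\S+)", cmd).group(1)
    ports = None
    if dport:
        lo = int(dport.group(1))
        hi = int(dport.group(2)) if dport.group(2) else lo
        ports = range(lo, hi + 1)
    return Rule(src.group(1) if src else None, ports, target)

def verdict(cmds: List[str], src: str, dport: int) -> str:
    """First matching rule wins. NFQUEUE is reported as 'SNORT': the packet
    leaves the chain for Snort's queue and later rules are never consulted.
    Chain policy ACCEPT is an assumption, not something the thread states."""
    for r in map(parse_rule, cmds):
        if r.src is not None and r.src != src:
            continue
        if r.ports is not None and dport not in r.ports:
            continue
        return "SNORT" if r.target == "NFQUEUE" else r.target
    return "ACCEPT"

IP = "IP.ADDRESS"
QUEUE_FIRST = [  # the "wide open" ordering from the reply
    "iptables -A INPUT -j NFQUEUE --queue-num 1",
    f"iptables -A INPUT -d {IP} -p tcp --dport 80 -j ACCEPT",
    f"iptables -A INPUT -d {IP} -j DROP",
]
ACCEPT_FIRST = [QUEUE_FIRST[1], QUEUE_FIRST[0], QUEUE_FIRST[2]]  # port 80 bypasses Snort
BLACKLIST = [  # the "blacklist" layout with a known-bad source dropped before the queue
    f"iptables -A INPUT -d {IP} -p tcp --dport 0:79 -j DROP",
    f"iptables -A INPUT -s BAD.ACTORS -d {IP} -p tcp --dport 80 -j DROP",
    f"iptables -A INPUT -d {IP} -p tcp --dport 80 -j NFQUEUE --queue-num 1",
    f"iptables -A INPUT -d {IP} -p tcp --dport 81:65535 -j DROP",
]

if __name__ == "__main__":
    for name, rules in [("queue first", QUEUE_FIRST), ("accept first", ACCEPT_FIRST), ("blacklist", BLACKLIST)]:
        for src, port in [("203.0.113.7", 80), ("BAD.ACTORS", 80), ("203.0.113.7", 22)]:
            print(f"{name:13} {src:>11}:{port:<5} -> {verdict(rules, src, port)}")
```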

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
