Snort mailing list archives
Re: New to snort (inline mode not rejecting)
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 31 Jul 2015 01:32:31 +0000
I ran a quick test and you should see “destination unreachables”. The command-line I ran was:

  ./bin/snort -c etc/ICMP-TEST.conf --daq dump --daq-var load-mode=read-file -Q -r ICMP-TEST.pcap -Acmg -U -H -k none -q

Also, it shouldn’t matter if the traffic is IPv4 or IPv6.

21:19:58.933050 IP6 2607:f8b0:400d:c04::63 > 2001:420:270d:1330:90a4:f2e5:4b0c:c77a: ICMP6, destination unreachable, unreachable port[|icmp6]
21:19:58.961990 IP6 2001:420:270d:1330:90a4:f2e5:4b0c:c77a > 2607:f8b0:400d:c04::63: ICMP6, destination unreachable, unreachable port[|icmp6]
21:19:59.934488 IP6 2607:f8b0:400d:c04::63 > 2001:420:270d:1330:90a4:f2e5:4b0c:c77a: ICMP6, destination unreachable, unreachable port[|icmp6]
21:19:59.965522 IP6 2001:420:270d:1330:90a4:f2e5:4b0c:c77a > 2607:f8b0:400d:c04::63: ICMP6, destination unreachable, unreachable port[|icmp6]

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Al Lewis (allewi)
Sent: Thursday, July 30, 2015 8:58 PM
To: usa ims; snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to snort (inline mode not rejecting)

Is the traffic passing directly through the snort sensor? I see that you are mentioning “mirroring” which isn’t going to work properly.

As a test, can you replay a pcap into the snort sensor directly with the “--daq dump --daq-var load-mode=read-file -Q” flags set? (This forces it inline and will output the packets that pass through the daq.) Check to see if there are resets in the “inline.out” file that is generated.

Albert Lewis

From: usa ims [usaims () yahoo com]
Sent: Thursday, July 30, 2015 6:13 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to snort (inline mode not rejecting)

I have a friend that works at SourceFire so I called him and asked why my 'inline' Snort server is not rejecting packets. He kindly explained to me that just because the snort logs indicated that the server started in 'inline' mode doesn't mean it really is. 'Inline' really means that the 'Snort' server has to be physically in the path of the destination of the packet. Ideally -- correct me if I am wrong -- once the packet traverses the firewall and is inside the LAN, its next hop should be an 'inline' snort server. Then the snort server will examine the packet to see if it's safe and if it isn't, the packet should drop.

On Tuesday, July 28, 2015 12:08 PM, usa ims <usaims () yahoo com> wrote:

Inline mode not rejecting.

I'm trying to reject 'ICMP' in my network and the pings are still successful (I know - it's an overkill). I'm still able to ping any nodes in the subnet that Snort is protecting.

Snort Version: 2.9.7.3
Netgear Layer 2 Switch with mirroring enabled.

Snort seems to be starting fine:

Jul 28 11:30:41 snort snort[810]: afpacket DAQ configured to inline.
...
Jul 28 11:30:41 snort snort[811]: Commencing packet processing (pid=811)
Jul 28 11:30:41 snort snort[811]: Decoding Ethernet

I started snort with this command:

snort -Q -D -c /etc/snort/snort.conf -i eth1:eth2 --daq afpacket --daq-mode inline --daq-var buffer_size_mb=1024 -l /var/log/snort

I have this rule enabled in local.rules:

reject icmp any any -> any any (msg:"You're doomed!"; sid:478; rev:3;)

My snort.conf has some of the following:

#config policy_mode:inline
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any

Here is the output from u2:

(IPv6 Event)
  sensor id: 0  event id: 1496  event second: 1438098558  event microsecond: 471655
  sig id: 478  gen id: 1  revision: 3  classification: 0
  priority: 0  ip source: fe80::851b:3b6b:9ef3:1ff8  ip destination: ff02::1:ff98:f8eb
  src port: 0  dest port: 0  protocol: 58  impact_flag: 32  blocked: 1

Packet
  sensor id: 0  event id: 1496  event second: 1438098558
  packet second: 1438098558  packet microsecond: 471655
  linktype: 1  packet_length: 86
[  0] 33 33 FF 98 F8 EB 28 D2 44 71 3A 63 86 DD 60 00  33....(.Dq:c..`.
[ 16] 00 00 00 20 3A FF FE 80 00 00 00 00 00 00 85 1B  ... :...........
[ 32] 3B 6B 9E F3 1F F8 FF 02 00 00 00 00 00 00 00 00  ;k..............
[ 48] 00 01 FF 98 F8 EB 87 00 47 39 00 00 00 00 FE 80  ........G9......
[ 64] 00 00 00 00 00 00 E1 C3 6F 7E CA 98 F8 EB 01 01  ........o~......
[ 80] 28 D2 44 71 3A 63                                (.Dq:c

What am I missing? Thanks in advance.
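An added example (not from the thread) that decodes the unified2 packet dump quoted above to show which ICMPv6 message the `reject icmp any any -> any any` rule actually matched; the dump text is assumed to be copied as-is from the thread, and the declared packet_length of 86 is taken from the same record.

```python
import ipaddress
import re

# Constructed input: the unified2 packet hex dump posted in the thread above.
U2_PACKET_DUMP = """
[  0] 33 33 FF 98 F8 EB 28 D2 44 71 3A 63 86 DD 60 00  33....(.Dq:c..`.
[ 16] 00 00 00 20 3A FF FE 80 00 00 00 00 00 00 85 1B  ... :...........
[ 32] 3B 6B 9E F3 1F F8 FF 02 00 00 00 00 00 00 00 00  ;k..............
[ 48] 00 01 FF 98 F8 EB 87 00 47 39 00 00 00 00 FE 80  ........G9......
[ 64] 00 00 00 00 00 00 E1 C3 6F 7E CA 98 F8 EB 01 01  ........o~......
[ 80] 28 D2 44 71 3A 63                                (.Dq:c
"""
U2_PACKET_LENGTH = 86  # "packet_length: 86" from the same unified2 record

ICMPV6_TYPES = {128: "echo request", 129: "echo reply",
                135: "neighbor solicitation", 136: "neighbor advertisement"}

def parse_u2_hexdump(dump, packet_length):
    """Turn a unified2 text hex dump into bytes, truncated to the declared length."""
    data = bytearray()
    for line in dump.strip().splitlines():
        # Offset in brackets, then 2-digit hex pairs; the ASCII column ends the match.
        m = re.match(r"^\[\s*(\d+)\]\s+((?:[0-9A-Fa-f]{2}\s)+)", line + " ")
        if not m or int(m.group(1)) != len(data):
            raise ValueError("bad dump line or offset: %r" % line)
        data += bytes.fromhex(m.group(2))
    return bytes(data[:packet_length])  # drops any ASCII-column token mistaken for hex

def decode_icmpv6_frame(frame):
    """Decode Ethernet/IPv6/ICMPv6 headers and summarise what the rule matched."""
    if len(frame) < 58 or frame[12:14] != b"\x86\xdd":
        raise ValueError("not an IPv6 Ethernet frame")
    ip6 = frame[14:54]               # fixed 40-byte IPv6 header
    if ip6[6] != 58:                 # next header 58 = ICMPv6 (the u2 "protocol: 58")
        raise ValueError("IPv6 next header %d is not ICMPv6" % ip6[6])
    icmp = frame[54:]
    info = {"src": str(ipaddress.IPv6Address(ip6[8:24])),
            "dst": str(ipaddress.IPv6Address(ip6[24:40])),
            "hop_limit": ip6[7],
            "icmpv6_type": icmp[0],
            "icmpv6_name": ICMPV6_TYPES.get(icmp[0], "other")}
    if icmp[0] == 135 and len(icmp) >= 24:
        # Neighbor Solicitation: 4 reserved bytes, then the 16-byte target address
        info["target"] = str(ipaddress.IPv6Address(icmp[8:24]))
    return info

def classify_page_event():
    """Decode the event from the thread; returns a dict describing the matched packet."""
    return decode_icmpv6_frame(parse_u2_hexdump(U2_PACKET_DUMP, U2_PACKET_LENGTH))
```

The decoded frame is an ICMPv6 neighbor solicitation to a solicited-node multicast address, not an echo request, so the `blocked: 1` event says nothing about pings; a sensor that really sat inline with this rule would also interfere with IPv6 neighbor discovery, and scoping the test rule with `itype:128` avoids that.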