Snort mailing list archives
Re: Snort running inline but not functioning as IPS
From: Y M <snort () outlook com>
Date: Wed, 27 Jan 2016 09:46:54 +0000
From: Robin Kipp <mlists () robin-kipp net>
Sent: Wednesday, January 27, 2016 12:07 AM
Hi YM, thanks for all your hints and ideas! Before I start commenting on them in greater detail, let me start by saying that I completely wiped Snort, Barnyard2 and Pulledpork (including all files and databases) from the system in order to start from scratch. After reinstalling Snort, I started by creating an ICMP detect rule, which I first set to alert („alert ICMP…“). After running Snort in IDS mode, the ICMP packets were successfully detected and the alerts were logged. Then, I went back and edited the rule, changing „alert“ to „drop“. Then, I once again started Snort, this time in inline mode using DAQ-NFQ. At that point, when trying to execute pings, Snort would not only alert on them but also drop the packets like it was supposed to.
That's good to know.
Next I proceeded by reinstalling Pulledpork, setting IPS policy to „balanced“ before downloading / processing any rules. The downloading and processing then proceeded without errors; afterwards I fired up Snort once again to see what would happen. Sadly, I then discovered that this took me right back to where I started, over 7000 rules loaded but no alerts or other visible reactions to rules being triggered… I can see in the stats that Snort is capturing traffic alright, but it’s still dead quiet about alerts! However, I made a very interesting discovery: once I edited my pulledpork.conf and commented out ips_policy, then reprocessed rules with the -P flag, Snort would once again generate alerts properly. After changing ips_policy to either „balanced“ or „security“, Snort would go back to being silent.
From what you just described, this tells me that it may be working just fine; it is just the coincidence that none of the traffic being captured at that point of time matched any signatures. Here is a suggestion: keep everything intact in Snort, however, reconfigure the rules to run in "security" policy mode and test - I am not sure the "max" policy is yet added to PulledPork. If that still does not alert, then edit your enablesid.conf and add "pcre:.", minus the quotes. This will enable all of the rules at once. You may see more warnings about flowbits at this point, but that's okay for now until you finish testing.
Back to your description, I have two questions if I may:
- While Snort was running but not alerting, was it dropping the traffic?
- Have you added the rules to be changed from "alert" to "drop" in your dropsid.conf?

YM
On 24.01.2016 at 22:26, Y M <snort () outlook com> wrote: If you run tcpdump on the same box where snort is installed, do you see the traffic on the same NIC snort is listening to?
Yes, I can confirm that this traffic is indeed passing through that NIC, so my setup should be alright I suppose...
Also, since you are using NFQ, could iptables have gotten misconfigured somehow? Just thinking out loud.
Well, of course there’s always a chance for that! :-) However, since I tested this both in IDS mode (simply specifying the NIC using the -i flag) with the same result and also since it worked just fine before with only one ICMP rule, I don’t think that iptables is the problem.
Try also to disable NIC offloading stuff, or run snort with the -k none for testing purposes and see if that helps.
Yep, I have both GRO and LRO disabled, that was something I did even before running Snort for the very first time. I have also verified that it’s still disabled using ethtool, everything looks just fine to me. So, after all this I can’t shake off the feeling that Pulledpork may be doing something odd with those rules, because as far as I can tell Snort works just fine! Is there perhaps any other rule management software that I could use? All the Snort tutorials that I’ve looked at talk about Pulledpork, so I’m not really expecting a positive answer here… I’m just desperately seeking a solution, because this looks like I’m really close to getting it all up and running except for this annoying issue. Just a few minutes ago, I tried running snort with the -v flag which showed me pretty much all the connections on my network as far as I can tell, so the packet capturing really works. Now, if only I could get it to actually generate those alerts… Thanks for any more help!!!

Best regards,
Robin
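As an added check (my own script, not something posted in the thread or shipped with Snort or PulledPork): before trusting "7000 rules loaded", summarise what PulledPork actually left active in the rules file it wrote, which action each active rule carries, and how many rules are tagged for a given ips_policy. It assumes the `metadata:policy balanced-ips drop` tag format used by the VRT rule sets and works on a constructed sample file; point `rule_summary` at your real snort.rules instead.

```sh
#!/bin/sh
# Added diagnostic, not from the thread: inspect the rules file PulledPork
# produced to see whether rules are really active and what action they carry.

# rule_summary FILE -> "active_alert=N active_drop=N disabled=N"
rule_summary() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        # active rule: the line starts with a Snort action keyword
        line ~ /^(alert|drop|sdrop|reject|log|pass)[ \t]/ {
            split(line, f, /[ \t]+/); act[f[1]]++; next
        }
        # disabled rule: commented out by PulledPork, but still an action keyword
        line ~ /^#[ \t]*(alert|drop|sdrop|reject|log|pass)[ \t]/ { disabled++ }
        END { printf "active_alert=%d active_drop=%d disabled=%d\n",
                     act["alert"]+0, act["drop"]+0, disabled+0 }
    ' "$1"
}

# policy_count FILE POLICY -> number of rules (active or disabled) whose
# metadata lists "policy <POLICY>-ips", e.g. balanced, security, connectivity
policy_count() {
    grep -c "policy $2-ips" "$1" || true
}

# write_sample FILE -> constructed sample in the shape PulledPork writes;
# these sids and rules are made up for the demonstration
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real VRT rule set
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP test"; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE A"; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE C"; metadata:policy balanced-ips alert; sid:1000003; rev:1;)
# drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE B"; metadata:policy security-ips drop; sid:1000004; rev:1;)
# alert tcp any any -> any 25 (msg:"SAMPLE D"; sid:1000005; rev:1;)
EOF
}

# stand-alone demo on the constructed file
f=$(mktemp)
write_sample "$f"
rule_summary "$f"
echo "balanced-tagged=$(policy_count "$f" balanced) security-tagged=$(policy_count "$f" security)"
rm -f "$f"
```

If the summary shows most rules disabled, or every active rule as `drop` while you only see silence, compare the counts with and without `ips_policy` set to narrow down what PulledPork changed.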