Snort mailing list archives

Re: Snort running inline but not functioning as IPS


From: Y M <snort () outlook com>
Date: Wed, 27 Jan 2016 09:46:54 +0000



________________________________________
From: Robin Kipp <mlists () robin-kipp net>
Sent: Wednesday, January 27, 2016 12:07 AM

Hi YM,
thanks for all your hints and ideas!
Before I start commenting on them in greater detail, let me start by saying that I completely wiped Snort, Barnyard2 
and Pulledpork (including all files and databases) from the system in order to start from scratch.
After reinstalling Snort, I started by creating an ICMP detect rule, which I first set to alert („alert ICMP…“). 
After running Snort in IDS mode, the ICMP packets were successfully detected and the alerts were logged.
Then, I went back and edited the rule, changing „alert“ to „drop“. Then, I once again started Snort, this time in 
inline mode using DAQ-NFQ. At that point, when trying to execute pings, Snort would not only alert on them but also 
drop the packets like it was supposed to.

That's good to know.

Next I proceeded by reinstalling Pulledpork, setting IPS policy to „balanced“ before downloading / processing any 
rules. The downloading and processing then proceeded without errors, afterwards I fired up Snort once again to see 
what would happen. Sadly, I then discovered that this took me right back to where I started, over 7000 rules loaded 
but no alerts or other visible reactions to rules being triggered… I can see in the stats that Snort is capturing 
traffic alright, but it’s still dead quiet about alerts!
However, I made a very interesting discovery: once I edited my pulledpork.conf and commented out ips_policy, then 
reprocessed rules with the -P flag, Snort would once again generate alerts properly. After changing ips_policy to 
either „balanced“ or „security“, Snort would go back to being silent.

From what you just described, this tells me that it may be working just fine; it is just the coincidence that none of the 
traffic being captured at that point of time matched any signatures. Here is a suggestion: keep everything intact in 
Snort, however, reconfigure the rules to run in "security" policy mode and test - I am not sure the "max" policy is 
yet added to PulledPork. If that still does not alert, then edit your enablesid.conf and add "pcre:.", minus the 
quotes. This will enable all of the rules at once. You may see more warnings about flowbits at this point, but that's 
okay for now until you finish testing.

Back to your description, I have two questions if I may,

- While Snort was running but not alerting, was it dropping the traffic?
- Have you added which rules to change from "alert" to "drop" in your dropsid.conf?

YM


On 24.01.2016 at 22:26, Y M <snort () outlook com> wrote:

If you run tcpdump on the same box where snort is installed, do you see the traffic on the same NIC snort is 
listening to?

Yes, I can confirm that this traffic is indeed passing through that NIC, so my setup should be alright I suppose...
Also, since you are using NFQ, could iptables have gotten misconfigured somehow? Just thinking out loud.

Well, of course there’s always a chance for that! :-) However, since I tested this both in IDS mode (simply specifying 
the NIC using the -i flag) with the same result and also since it worked just fine before with only one ICMP rule, I 
don’t think that iptables is the problem.

Try also to disable NIC offloading stuff, or run snort with the -k none for testing purposes and see if that helps.

Yep, I have both GRO and LRO disabled, that was something I did even before running Snort for the very first time. I 
have also verified that it’s still disabled using ethtool, everything looks just fine to me.
So, after all this I can’t shake off the feeling that Pulledpork may be doing something odd with those rules, because 
as far as I can tell Snort works just fine! Is there perhaps any other rule management software that I could use? All 
the Snort tutorials that I’ve looked at talk about Pulledpork, so I’m not really expecting a positive answer here… I’m 
just desperately seeking a solution, because this looks like I’m really close to getting it all up and running except 
for this annoying issue.
Just a few minutes ago, I tried running snort with the -v flag which showed me pretty much all the connections on my 
network as far as I can tell, so the packet capturing really works. Now, if only I could get it to actually generate 
those alerts…
Thanks for any more help!!!
Best regards,
Robin
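An added illustration for the ips_policy behaviour the thread is circling around; it is not code from the thread, from Snort or from PulledPork. It assumes (as I understand PulledPork's pulledpork.conf documentation) that once ips_policy is set, only rules carrying a matching "policy <name>-ips <action>" metadata tag stay enabled, their action is rewritten to the tagged action, and every other rule is commented out. The rule lines and sids below are constructed samples; a local ICMP test rule without any policy metadata is included on purpose, since that is exactly the kind of rule that goes quiet once a policy is selected.

```python
import re
from typing import Dict, List, Optional

# Constructed sample rule set (not from the thread). sids 1000001+ are local-range placeholders.
SAMPLE_RULES = """\
# local ICMP test rule: no policy metadata at all
alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo test"; itype:8; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web probe"; flow:to_server,established; content:"/probe"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; flow:to_server; metadata:policy security-ips alert; sid:1000003; rev:1;)
# alert udp any any -> any 53 (msg:"EXAMPLE disabled by default"; metadata:policy balanced-ips drop; sid:1000004; rev:1;)
"""

# A rule line: optional leading '#' (disabled), an action keyword, then the rest up to the option block.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|sdrop|reject|log|pass)\s+(?P<body>\S.*\(.*\))\s*$'
)
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
META_RE = re.compile(r'\bmetadata:\s*([^;]*);')
# "policy balanced-ips drop" -> ("balanced", "drop")
POLICY_RE = re.compile(r'policy\s+([\w-]+?)-ips\s+(alert|drop)')


def parse_rules(text: str) -> List[Dict]:
    """Parse rule lines into dicts with sid, action, disabled flag and policy tags."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments are not rules
        body = m.group('body')
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue  # a rule without a sid is malformed; skip it
        meta_m = META_RE.search(body)
        policies = dict(POLICY_RE.findall(meta_m.group(1))) if meta_m else {}
        rules.append({
            'sid': int(sid_m.group(1)),
            'action': m.group('action'),
            'disabled': m.group('disabled') is not None,
            'policies': policies,  # e.g. {'balanced': 'drop', 'security': 'drop'}
        })
    return rules


def apply_ips_policy(rules: List[Dict], policy: Optional[str]) -> Dict[int, Optional[str]]:
    """Emulate the assumed ips_policy processing.

    Returns {sid: effective action}, where None means the rule ends up commented out.
    With no policy the rule set is left as written; with a policy only rules tagged
    for that policy survive, and they take the action named in the tag.
    """
    effective: Dict[int, Optional[str]] = {}
    for r in rules:
        if policy is None:
            effective[r['sid']] = None if r['disabled'] else r['action']
        elif policy in r['policies']:
            effective[r['sid']] = r['policies'][policy]
        else:
            effective[r['sid']] = None
    return effective


def count_enabled(rules: List[Dict], policy: Optional[str]) -> int:
    """Number of rules that stay enabled under the given policy."""
    return sum(1 for action in apply_ips_policy(rules, policy).values() if action)


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for pol in (None, 'balanced', 'security'):
        effective = apply_ips_policy(rules, pol)
        print(f"ips_policy={pol!r}: {count_enabled(rules, pol)} of {len(rules)} rules enabled")
        for sid, action in effective.items():
            print(f"  sid {sid}: {action or 'commented out'}")
```

Running it shows the local ICMP rule (no policy tag) enabled only when ips_policy is unset, and a different subset enabled for "balanced" versus "security". That is the check worth making against a real rule set before concluding Snort itself is silent: count how many rules actually survive the policy, and whether the rule you are testing with is among them.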

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!