Snort mailing list archives

Re: Snort running inline but not functioning as IPS


From: Robin Kipp <mlists () robin-kipp net>
Date: Wed, 27 Jan 2016 15:52:48 +0100

Hi YM,
first of all many thanks for another elaborate and helpful response, it’s greatly appreciated!

On 27.01.2016 at 10:46, Y M <snort () outlook com> wrote:

> From what you just described, this tells me that it may be working just fine; it is just a coincidence that none of the
> traffic being captured at that point in time matched any signatures.

Actually, that’s rather unlikely… It was pretty late at night where I am when I sent that email, so I forgot to mention
that I was doing some tests when Snort was back up and running with the security and balanced policies. I pinged some
of the blacklisted IP addresses that Snort is using, something which would always trigger alerts when no ips_policy was
present. I then also used a remote vserver to run vulnerability scans over the internet, using OpenVAS, Nexpose and
Nmap. Finally, I even started 2 virtual machines on my network, one running Windows XP and the other running an old
Ubuntu release, both with vulnerable software. I opened up the vulnerable ports to the internet using my router, but
only allowed connections from my remote vserver to those ports. Next I used Metasploit to exploit various SMB and
Apache2 web application vulnerabilities; all of that worked fine, complete with launching a Meterpreter reverse shell and
all that. So, while I never really tested all of that with Snort in IDS mode, I’m sure that at least one of those actions
should have resulted in an alert and a drop action, but really nothing happened...


> Here is a suggestion: keep everything intact in Snort, however, reconfigure the rules to run in "security" policy
> mode and test - I am not sure the "max" policy is yet added to PulledPork. If that still does not alert, then edit
> your enablesid.conf and add "pcre:.", minus the quotes. This will enable all of the rules at once. You may see more
> warnings about flowbits at this point, but that's okay for now until you finish testing.

Thanks for that suggestion! I set the ips_policy to security, then reprocessed rules and restarted Snort without seeing
any alerts. However, after making the change to enablesid.conf that you suggested, I am now seeing loads and loads of
"misc activity" alerts in Snort! Here are the stats I got from pulledpork after reprocessing rules:

Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----27951
        Dropped Rules:----0
        Disabled Rules:---0
        Total Rules:------27951
IP Blacklist Stats...
        Total IPs:--------19242

I’m using pulledpork 0.7.2 btw; previously (before starting from scratch) I was using 0.7.1.
Here’s a question, though: if I previously set ips_policy to security, shouldn’t there be more 'dropped rules'? Or does
the number of dropped rules in those stats really just count the rules that were explicitly dropped in dropsid.conf?

> - While Snort was running but not alerting, was it dropping the traffic?

Nope, all the pings, vulnerability scans and even vulnerability exploitations went through without any Snort
interference.

> - Have you added which rules to change from "alert" to "drop" in your dropsid.conf?

I currently don’t have anything in my dropsid.conf except for the commented lines that are in there by default. As far
as I understand, dropsid.conf is only there if the user wants to drop rules explicitly, but doesn’t need to be
modified to take the ips_policy into account… Is that correct?

Many thanks for your help!
Best regards,
Robin
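The three knobs discussed in this message (ips_policy, an enablesid.conf entry of "pcre:.", and dropsid.conf) interact in a way that is easier to see on a handful of rules than on 27951 of them. The script below is an added example, not PulledPork's or Snort's code: it replays the thread's three configurations on a constructed rule file with made-up SIDs and reports counts in the shape of PulledPork's "Rule Stats" block. Its selection semantics are a simplified model, stated as assumptions here and in the comments: an ips_policy enables exactly the rules whose metadata carries "policy <name>-ips <alert|drop>" and gives them that action, and an enablesid/dropsid entry is a SID, a GID:SID pair, or "pcre:<regex>" matched against the rule text. The "dropped" counter is this script's own definition (enabled rules whose action is drop), not a statement about how PulledPork computes its figure.

```python
"""Toy model of rule selection by a rule manager such as PulledPork.

Added example, not PulledPork's or Snort's code.  Assumed (simplified)
semantics: ips_policy enables exactly the rules tagged "policy <name>-ips
<alert|drop>" in their metadata and gives each of them the action named
there; an enablesid/dropsid entry is a SID, a GID:SID pair, or
"pcre:<regex>" matched against the rule text.  SIDs and rule text in
SAMPLE_RULES are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample rule file (made-up SIDs in the 9000000 range).
SAMPLE_RULES = """\
# constructed sample rules, not real VRT rules
# alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"BLACKLIST sample bad host"; classtype:misc-activity; sid:9000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS sample SMB attempt"; flow:to_server,established; content:"|FF|SMB"; classtype:attempted-admin; sid:9000002; rev:2; metadata:policy security-ips drop;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE sample traversal"; content:"../../"; classtype:web-application-attack; sid:9000003; rev:1; metadata:policy balanced-ips alert, policy security-ips alert;)
# alert tcp any any -> any any (msg:"MISC sample activity"; classtype:misc-activity; sid:9000004; rev:1;)
"""

RULE_RE = re.compile(r"^(?P<comment>#\s*)?(?P<action>alert|drop|sdrop|reject|pass|log)\s+(?P<rest>.+\))\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")
META_RE = re.compile(r"metadata:\s*([^;]*);")
POLICY_RE = re.compile(r"policy\s+(\S+)\s+(alert|drop)")


@dataclass
class Rule:
    action: str        # alert, drop, ...
    enabled: bool      # False when the rule line is commented out
    gid: int
    sid: int
    rest: str          # everything after the action keyword
    policies: dict     # e.g. {"security-ips": "drop", "balanced-ips": "alert"}

    def render(self):
        """Rule line as it would be written back to the rules file."""
        line = f"{self.action} {self.rest}"
        return line if self.enabled else "# " + line


def parse_rules(text):
    """Parse active and commented-out rules; plain comment lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        gid_m = GID_RE.search(rest)
        meta = META_RE.search(rest)
        policies = dict(POLICY_RE.findall(meta.group(1))) if meta else {}
        rules.append(Rule(m.group("action"), m.group("comment") is None,
                          int(gid_m.group(1)) if gid_m else 1,
                          int(SID_RE.search(rest).group(1)), rest, policies))
    return rules


def apply_ips_policy(rules, policy):
    """Model of ips_policy=<policy>: enable the tagged rules with their
    metadata action and disable every rule that carries no tag (assumption)."""
    key = f"{policy}-ips"
    for r in rules:
        act = r.policies.get(key)
        r.enabled = act is not None
        if act is not None:
            r.action = act


def _matches(rule, entry):
    """One *sid.conf entry: SID, GID:SID or pcre:<regex> over the rule text."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return False
    if entry.startswith("pcre:"):
        return re.search(entry[len("pcre:"):], rule.render()) is not None
    if ":" in entry:
        gid, sid = entry.split(":", 1)
        return (rule.gid, rule.sid) == (int(gid), int(sid))
    return rule.sid == int(entry)


def apply_sid_file(rules, entries, mode):
    """mode is "enable", "disable" or "drop" (enablesid/disablesid/dropsid.conf)."""
    if mode not in ("enable", "disable", "drop"):
        raise ValueError(mode)
    for r in rules:
        if not any(_matches(r, e) for e in entries):
            continue
        r.enabled = mode != "disable"
        if mode == "drop":
            r.action = "drop"


def rule_stats(rules):
    """Counts shaped like a "Rule Stats" summary; this script's own definition:
    dropped = enabled rules whose action is drop, enabled = the other enabled ones."""
    enabled = [r for r in rules if r.enabled]
    return {"enabled": sum(r.action != "drop" for r in enabled),
            "dropped": sum(r.action == "drop" for r in enabled),
            "disabled": sum(not r.enabled for r in rules),
            "total": len(rules)}


def run_scenarios(text=SAMPLE_RULES):
    """Replay the thread's configurations, one on top of the other."""
    rules = parse_rules(text)
    out = {}
    apply_ips_policy(rules, "security")                  # ips_policy=security only
    out["security"] = rule_stats(rules)
    apply_sid_file(rules, ["pcre:."], "enable")          # enablesid.conf: pcre:.
    out["security+enablesid"] = rule_stats(rules)
    apply_sid_file(rules, ["9000002", "pcre:SERVER-APACHE"], "drop")  # dropsid.conf
    out["security+enablesid+dropsid"] = rule_stats(rules)
    return out


if __name__ == "__main__":
    for name, stats in run_scenarios().items():
        print(f"{name:28} {stats}")
```

The step that matters for the "loads of misc activity alerts" observation is the second one: "pcre:." matches every rule line, so it also enables rules that carry no policy metadata at all (the MISC sample above), which the ips_policy step alone had left commented out. The dropsid step shows that only rules named there, by SID or by pattern, change action; an empty dropsid.conf changes nothing.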