Snort mailing list archives
Re: Snort running inline but not functioning as IPS
From: Robin Kipp <mlists () robin-kipp net>
Date: Wed, 27 Jan 2016 15:52:48 +0100
Hi YM, first of all many thanks for another elaborate and helpful response, it’s greatly appreciated!
On 27.01.2016 at 10:46, Y M <snort () outlook com> wrote:

> From what you just described this tells me that it may be working just fine; it is just the coincidence that none of the traffic being captured at that point in time matched any signatures.
Actually, that's rather unlikely... It was pretty late at night where I am when I sent that e-mail, so I forgot to mention that I was doing some tests when Snort was back up and running with the security and balanced policies. I pinged some of the blacklisted IP addresses that Snort is using, something which would always trigger alerts when no ips_policy was present. I then also used a remote vserver to run vulnerability scans over the internet, using OpenVAS, Nexpose and Nmap. Finally, I even started two virtual machines on my network, one running Windows XP and the other running an old Ubuntu release, both with vulnerable software. I opened up the vulnerable ports to the internet using my router, but only allowed connections from my remote vserver to those ports. Next I used Metasploit to exploit various SMB and Apache2 web application vulnerabilities, all of which worked fine, complete with launching a Meterpreter reverse shell and all that. So, while I never really tested all that with Snort in IDS mode, I'm sure that at least one of those actions should have resulted in an alert and a drop action, but really nothing happened...
> Here is a suggestion: keep everything intact in Snort, however, reconfigure the rules to run in "security" policy mode and test - I am not sure the "max" policy is yet added to PulledPork. If that still does not alert, then edit your enablesid.conf and add "pcre:.", minus the quotes. This will enable all of the rules at once. You may see more warnings about flowbits at this point, but that's okay for now until you finish testing.
Thanks for that suggestion! I set the ips_policy to security, then reprocessed rules and restarted Snort without seeing any alerts. However, after making the change to enablesid.conf that you suggested, I am now seeing loads and loads of "misc activity" alerts in Snort! Here are the stats I got from pulledpork after reprocessing rules:

Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----27951
Dropped Rules:----0
Disabled Rules:---0
Total Rules:------27951

IP Blacklist Stats...
Total IPs:-----19242

I'm using pulledpork 0.7.2 by the way; previously (before starting from scratch) I was using 0.7.1. Here's a question though: if I previously set ips_policy to security, shouldn't there be more 'dropped rules'? Or does the number of dropped rules in those stats really just count the rules that were explicitly dropped in dropsid.conf?
> - While Snort was running but not alerting, was it dropping the traffic?
Nope, all the pings, vulnerability scans and even vulnerability exploitations went through without any Snort interference.
> - Have you added which rules to change from "alert" to "drop" in your dropsid.conf?
I currently don't have anything in my dropsid.conf except for the commented lines that are in there by default. As far as I understood, the dropsid.conf is only there if the user wants to drop rules explicitly, but doesn't need to be modified to take the ips_policy into account... Is that correct?

Many thanks for your help!

Best regards,
Robin
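To make the moving parts of this exchange concrete (the ips_policy setting, the `pcre:.` entry in enablesid.conf that Y M suggested, and the dropsid.conf question Robin raises), here is a small Python model of the rule-processing steps. It is an added example written for this archive page, not PulledPork's own code and not Snort's; the rule text is constructed, the sids and messages are made up, and the processing order (ips_policy first, then enablesid.conf, then dropsid.conf) and the way "dropped" is counted (every enabled rule whose final action is drop, whichever step set it) are modelling assumptions, not a statement of how PulledPork itself computes its "Dropped Rules" line. What it does show is the effect that matters for the thread: under a named policy, only rules carrying a `policy <name>-ips` tag stay enabled and take their action from that tag, while `pcre:.` re-enables everything, including rules the policy had switched off.

```python
import re

# Constructed sample rules for this example. The sids, messages and policy
# tags are made up and do not come from any real Snort ruleset.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web scanner"; flow:to_server,established; metadata:policy security-ips alert; sid:1000002; rev:1;)
# alert icmp any any -> $HOME_NET any (msg:"EXAMPLE misc activity"; metadata:policy connectivity-ips drop; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE no policy tag"; sid:1000004; rev:1;)
"""

RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<action>alert|drop|log|pass)\s+(?P<rest>.*\))\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
META_RE = re.compile(r'\bmetadata:\s*([^;]*);')

def parse_rules(text):
    """Turn rule text into dicts; a leading '#' marks a disabled rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                      # blank line or ordinary comment
        sid = SID_RE.search(m.group('rest'))
        if not sid:
            continue
        meta = META_RE.search(m.group('rest'))
        rules.append({
            'sid': int(sid.group(1)),
            'enabled': m.group('disabled') is None,
            'action': m.group('action'),
            'metadata': meta.group(1) if meta else '',
            'rest': m.group('rest'),      # everything after the action keyword
        })
    return rules

def apply_ips_policy(rules, policy):
    """Enable exactly the rules tagged 'policy <policy>-ips <alert|drop>' and take
    the action from the tag; rules with no tag for this policy are disabled.
    This is my model of ips_policy, not PulledPork's implementation."""
    tag = re.compile(r'\bpolicy\s+' + re.escape(policy) + r'-ips\s+(alert|drop)\b')
    for r in rules:
        m = tag.search(r['metadata'])
        if m:
            r['enabled'] = True
            r['action'] = m.group(1)
        else:
            r['enabled'] = False

def _matching(rules, entry):
    """Rules selected by one enablesid/dropsid entry: 'pcre:<regex>' matched
    against the rule text, or a bare '<sid>' / '<gid>:<sid>'."""
    entry = entry.strip()
    if not entry or entry.startswith('#'):
        return []
    if entry.startswith('pcre:'):
        rx = re.compile(entry[len('pcre:'):])
        return [r for r in rules if rx.search(r['rest'])]
    sid = int(entry.split(':')[-1])
    return [r for r in rules if r['sid'] == sid]

def apply_enablesid(rules, entries):
    for entry in entries:
        for r in _matching(rules, entry):
            r['enabled'] = True

def apply_dropsid(rules, entries):
    for entry in entries:
        for r in _matching(rules, entry):
            if r['enabled']:
                r['action'] = 'drop'

def rule_stats(rules):
    """Counts in the spirit of a 'Rule Stats' summary. 'dropped' counts every
    enabled rule whose final action is drop, whichever step set it (assumption)."""
    enabled = [r for r in rules if r['enabled']]
    return {
        'total': len(rules),
        'enabled': len(enabled),
        'disabled': len(rules) - len(enabled),
        'dropped': sum(1 for r in enabled if r['action'] == 'drop'),
    }

def render(rules):
    """Emit the rules as Snort would read them back from the generated file."""
    return [('' if r['enabled'] else '# ') + r['action'] + ' ' + r['rest'] for r in rules]

def process(text, policy=None, enablesid=(), dropsid=()):
    """Assumed order: ips_policy first, then enablesid.conf, then dropsid.conf."""
    rules = parse_rules(text)
    if policy:
        apply_ips_policy(rules, policy)
    apply_enablesid(rules, enablesid)
    apply_dropsid(rules, dropsid)
    return rules, rule_stats(rules)

if __name__ == '__main__':
    for label, kw in [('security only', dict(policy='security')),
                      ("security + pcre:.", dict(policy='security', enablesid=['pcre:.'])),
                      ("... + dropsid 1000002", dict(policy='security', enablesid=['pcre:.'], dropsid=['1000002']))]:
        rules, stats = process(SAMPLE_RULES, **kw)
        print(label, stats)
        print('\n'.join(render(rules)), end='\n\n')
```

Running it with only the security policy leaves two of the four constructed rules enabled (one drop, one alert); adding `pcre:.` brings all four back, but only the rule whose security-ips tag says drop has a drop action, which is why a blanket enable can produce a flood of alerts and still few or no drops. Whether a real ruleset behaves the same way depends on the policy tags its rules actually carry.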
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!