Snort mailing list archives

Re: Snort IPS with one NIC revisited


From: Maxim <hittlle () 163 com>
Date: Thu, 24 Nov 2016 16:07:34 +0800 (CST)

Hi snort experts,
I came across a weird problem and need your help. I wrote the following rule to capture the bidirectional packets of
the same session if the attacker triggers this rule:

    alert tcp any any -> any 80 (msg:"bidirectional-packet-test"; sid:10000001; rev:1; content:"test"; http_uri;
    classtype:web-application-attack; flowbits:isnotset,foo; flowbits:set,foo; tag:session,exclusive;)

The purpose of this rule is to capture both the HTTP request and the corresponding HTTP response packets. I launch snort as
follows:

    snort -c /etc/snort/snort.conf -D

After that, I use Postman to simulate a request to my target, then I checked snort.log, and I can see both the request
and response packets as expected. Then I use Postman to send the same HTTP request again; this time, I only see the request
packet, but cannot find the response packet. Weird. Am I missing anything? Thanks.
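A toy model of the two mechanisms this rule combines, per-flow flowbits and tag:session logging, as an added example; it is not Snort's code and is not from this thread. It assumes a simplified rule (the content is matched as a plain substring of the request instead of through http_uri, and no tag count or expiry is modelled) and uses constructed packets. It shows how isnotset/set makes a rule fire once per session and how tagging then logs both directions of that session, while a repeated request on an already-tagged session is logged but does not alert again.

```python
"""Toy model of Snort-style per-flow flowbits and tag:session logging.
Added example, not Snort's code: the rule, packets and session handling
are constructed and simplified (plain substring match instead of http_uri,
no tag count/expiry)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    direction: str  # "c2s" = client request, "s2c" = server response


def flow_key(p: Packet) -> tuple:
    """Flowbits and tags are tracked per session, independent of direction,
    so both endpoints are sorted into one key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


@dataclass
class Rule:
    content: bytes            # stands in for content:"test"; http_uri
    dport: int                # stands in for "-> any 80"
    flowbit: str              # stands in for flowbits:isnotset,foo; flowbits:set,foo
    tag_session: bool = True  # stands in for tag:session,...


class ToySnort:
    def __init__(self, rule: Rule):
        self.rule = rule
        self.flowbits: dict = {}   # flow key -> set of bit names set on it
        self.tagged: set = set()   # flows whose packets are logged after an alert
        self.alerts: list = []
        self.log: list = []

    def process(self, p: Packet) -> None:
        key = flow_key(p)
        bits = self.flowbits.setdefault(key, set())
        if key in self.tagged:
            # tag:session logs every later packet of the session, both directions
            self.log.append(p)
            return
        r = self.rule
        hits = (p.direction == "c2s" and p.dport == r.dport
                and r.content in p.payload)
        if hits and r.flowbit not in bits:   # flowbits:isnotset,foo
            bits.add(r.flowbit)               # flowbits:set,foo
            self.alerts.append(p)
            self.log.append(p)                # the triggering packet is logged
            if r.tag_session:
                self.tagged.add(key)


def run_scenario() -> dict:
    """Constructed traffic: two HTTP sessions from the same client, plus a
    repeated request on the first session."""
    rule = Rule(content=b"test", dport=80, flowbit="foo")
    snort = ToySnort(rule)
    client, server = "10.0.0.5", "10.0.0.80"
    req = b"GET /test HTTP/1.1\r\nHost: target\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    pkts = [
        Packet(client, 50000, server, 80, req, "c2s"),   # session A request
        Packet(server, 80, client, 50000, resp, "s2c"),  # session A response
        Packet(client, 50001, server, 80, req, "c2s"),   # session B (new source port)
        Packet(server, 80, client, 50001, resp, "s2c"),  # session B response
        Packet(client, 50000, server, 80, req, "c2s"),   # session A again: bit already set
    ]
    for p in pkts:
        snort.process(p)
    per_session = {}
    for p in snort.log:
        cport = p.sport if p.direction == "c2s" else p.dport
        per_session[cport] = per_session.get(cport, 0) + 1
    return {"alerts": len(snort.alerts), "logged": len(snort.log),
            "tagged_sessions": len(snort.tagged),
            "per_session_logged": per_session}


if __name__ == "__main__":
    print(run_scenario())
```

The model keeps the flowbit and the tag state on the same session key, which is why a new connection (different source port) alerts and is tagged afresh while a repeat on an existing tagged session is only logged. Real Snort additionally bounds tagging by the count/metric given in the tag option, which this toy leaves out.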
At 2016-10-29 22:11:37, "Dave Corsello" <snort-users () wintertreemedia com> wrote:


Many thanks, James.  I'll try this as soon as I'm able.




On 10/28/2016 4:44 PM, James Lay wrote:

Here we go!!!

Prereqs:  libdnet-1.12, daq configured with nfq (make sure you see "Build NFQ DAQ module....... : yes" at the end of 
your config run), snort installed somewhere (./configure --enable-sourcefire --enable-non-ether-decoders).

Rules:
drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic"; sid:1000000; rev:1;)
drop icmp any any -> any any (msg:"ICMP"; sid:1000001; rev:1;)

Firewall script (safe to test if you're remotely ssh'd into a box like I was :) ):

#!/bin/bash
IPTABLES=/sbin/iptables
$IPTABLES -F
$IPTABLES -F -t raw
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -F -t filter
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
$IPTABLES -t mangle -A OUTPUT -p icmp -j NFQUEUE --queue-num 1


Snort command (adjust as needed):
sudo /opt/snort/bin/snort -Q -A console --daq nfq --daq-var device=enp0s10 --daq-var queue=1 -c /opt/snort/etc/snort.conf -k none

my snort.conf was just about stock from the tarball save a couple path tweaks...I literally changed nothing else.  
Screenshot showing workie:

 
James






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
