Snort mailing list archives
Re: Snort IPS with one NIC revisited
From: Maxim <hittlle () 163 com>
Date: Thu, 24 Nov 2016 16:07:34 +0800 (CST)
Hi snort experts, I come across a weird problem and need your help. I write the following rule to capture the bidirectional packets of the same session if the attacker triggers this rule:

    alert tcp any any -> any 80 (msg:"bidirectional-packet-test"; sid:10000001; rev:1; content:"test"; http_uri; classtype:web-application-attack; flowbits:isnotset,foo; flowbits:set,foo; tag:session,exclusive;)

The purpose of this rule is to capture both the HTTP request and corresponding HTTP response packets. I launch snort as follows:

    snort -c /etc/snort/snort.conf -D

After that, I use postman to simulate a request to my target, then I checked snort.log, and I can see both the request and response packets as expected. Then I use postman to send the same HTTP request again; this time, I only see the request packet, but cannot find the response packet. Weird. Am I missing anything? Thanks.

At 2016-10-29 22:11:37, "Dave Corsello" <snort-users () wintertreemedia com> wrote:

Many thanks, James. I'll try this as soon as I'm able.

On 10/28/2016 4:44 PM, James Lay wrote:

Here we go!!!

Prereqs: libdnet-1.12, daq configured with nfq (make sure you see "Build NFQ DAQ module....... : yes" at the end of your config run), snort installed somewhere (./configure --enable-sourcefire --enable-non-ether-decoders).
Rules:

    drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic"; sid:1000000; rev:1;)
    drop icmp any any -> any any (msg:"ICMP"; sid:1000001; rev:1;)

Firewall script (safe to test if you're remotely ssh'd into a box like I was :) ):

    #!/bin/bash
    IPTABLES=/sbin/iptables
    # flush every table and drop any user-defined chains
    $IPTABLES -F
    $IPTABLES -F -t raw
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -F -t filter
    $IPTABLES -X
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F FORWARD
    # hand locally generated HTTP and ICMP to snort via NFQUEUE queue 1
    $IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
    $IPTABLES -t mangle -A OUTPUT -p icmp -j NFQUEUE --queue-num 1

Snort command (adjust as needed):

    sudo /opt/snort/bin/snort -Q -A console --daq nfq --daq-var device=enp0s10 --daq-var queue=1 -c /opt/snort/etc/snort.conf -k none

my snort.conf was just about stock from the tarball save a couple path tweaks...I literally changed nothing else.

Screenshot showing workie:

James

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
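As an added example (not code from this thread or from the Snort project), a small Python parser for the rule syntax used in the messages above. It splits the header from the option body and then reports two properties worth confirming before deploying such a rule: whether tag:session is present (so both directions of the flow get logged) and whether a flowbits isnotset/set pair on the same bit limits the rule to one match per flow. The function names and parsing approach are mine; the sample rule is the one from the first message, re-spaced.

```python
import re

HEADER_RE = re.compile(  # action proto src sport dir dst dport (options)
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

# The rule from the first message in this thread (quoted from the page, re-spaced).
THREAD_RULE = ('alert tcp any any -> any 80 (msg:"bidirectional-packet-test"; sid:10000001; rev:1; content:"test"; '
               'http_uri; classtype:web-application-attack; flowbits:isnotset,foo; flowbits:set,foo; tag:session,exclusive;)')

def split_options(body):
    """Split on ';' outside double quotes; a backslash escapes the next character."""
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if not escaped and ch == '"':
            in_quote = not in_quote
        if not escaped and ch == ";" and not in_quote:
            opts.append(cur.strip()); cur = ""
        else:
            cur += ch
        escaped = (ch == "\\") and not escaped
    opts.append(cur.strip())
    return [o for o in opts if o]

def parse_rule(text):
    """Return the header fields plus an ordered list of (keyword, value or None) options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = []
    for opt in split_options(m.group("opts")):
        keyword, _, value = opt.partition(":")  # modifiers such as http_uri carry no value
        rule["options"].append((keyword.strip(), value.strip() or None))
    return rule

def option_values(rule, keyword):
    return [v for k, v in rule["options"] if k == keyword]

def tags_whole_session(rule):
    """True when 'tag:session,...' is present, so later packets in both directions get logged."""
    return any(v and v.split(",")[0].strip() == "session" for v in option_values(rule, "tag"))

def first_hit_flowbit(rule):
    """Bit the rule both requires unset and sets (flowbits are per flow: one match per session), or None."""
    ops = {}
    for v in option_values(rule, "flowbits"):
        parts = [p.strip() for p in v.split(",")]
        if len(parts) == 2:
            ops.setdefault(parts[1], set()).add(parts[0])
    return next((bit for bit, acts in ops.items() if {"isnotset", "set"} <= acts), None)
```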
Current thread:
- Snort IPS with one NIC revisited James Lay (Oct 28)
- Re: Snort IPS with one NIC revisited Dave Corsello (Oct 29)
- Re: Snort IPS with one NIC revisited Maxim (Nov 24)
- Re: Snort IPS with one NIC revisited Dave Corsello (Oct 29)