Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall)

[Stanford Prescott <stan.prescott () gmail com>]

Yes, I figured you would see me, wkitty42. Thank you for trying to help. ;)

I did see that reference about the interfaces in colon separated pairs when
using DAQ for inline mode. I am having trouble conceptualizing how that
bridging works on a Linux firewall where one interface is the WAN and up to
three additional interfaces are each a separate LAN in its own distinct
non-overlapping private subnet. As with a typical NAT router firewall all
WAN traffic is NATd to the appropriate LAN.

My limited understanding is in order to have snort sniff and alert on
traffic at each interface that multiple instances of snort running inline
are required in order to have "bidirectional" monitoring.

The present setup I am dealing with is that snort is installed on the
firewall box and only sniffs traffic arriving on the WAN interface from the
ISP or incoming traffic. Snort is unable to sniff outgoing traffic from the
internal LANs and be able to tell where the traffic is coming from because
by the time traffic from the internal LANs arrives on the WAN interface,
snort does not have access to where the originating outgoing traffic is
from.  I know that is a poor explanation, sorry.

Anyway, perhaps a diagram of the flow of traffic using multiple instances
of snort running on a firewall distro would help describe how the
interfaces need to be bridged. Does anyone know where a diagram like that
might be?



On Wed, Mar 29, 2017 at 3:07 PM, James Lay <jlay () slave-tothe-box net> wrote:

> On 2017-03-29 13:27, wkitty42 () windstream net wrote:
> > On 03/29/2017 02:15 PM, Stanford Prescott wrote:
> > > I need to know if the  multiple interfaces can all be bridged to the
> > > WAN
> > > interface such that:
> > >  WAN eth0 <---inline snort 1 -->LAN eth1
> > >
> > > WAN eth0 <---inline snort 2 -->LAN eth2
> > >
> > > etc.
> > >
> > > Can it be done?
> >
> > i don't think it can be done like that... likely it should be more like
> > this...
> >
> > WAN0(eth0) -> snort0 -> WAN0(eth1) -> current path for WAN0 to LANs
> > LAN0(eth2) -> snort1 -> LAN0(eth3) -> current path for LAN0 to LANs &
> > WAN0
> > LAN1(eth4) -> snort2 -> LAN1(eth5) -> current path for LAN1 to LANs &
> > WAN0
> > LAN2(eth6) -> snort3 -> LAN2(eth7) -> current path for LAN2 to LANs &
> > WAN0
> >
> > each snort instance has to have its own two interfaces to bridge...
> > remember,
> > each bridge is a dedicated tunnel from one entry point to the exit
> > point with
> > snort processing the data traveling through the tunnel...
> >
> > something else to think about: each snort should also have its own
> > configs...
> > some parts of the configs can be common and shared between all snort
> > instances
> > while others must be discrete and separate... one should also consider
> > the need
> > for different rules to be in effect for the different snort
> > instances...
> >
> > eg: LAN0 may allow TOR traffic but TOR is denied on LAN1 and LAN2...
> >
> >
> > PS: i see you ;)
> >
> >
> > > On Tue, Mar 28, 2017 at 1:20 PM, Stanford Prescott
> > > <stan.prescott () gmail com>
> > > wrote:
> > >
> > > > I am trying to learn some of the ins and outs of snort. Is there a
> > > > tutorial somewhere that outlines how to setup snort in inline mode
> > > > using
> > > > daq on a Linux netfilter firewall. It is a typical firewall setup
> > > > with
> > > > interfaces of, for example:
> > > >
> > > > eth0 -> WAN interface with public IP address
> > > > eth1 -> 1st protected LAN interface with unique subnet
> > > > eth2 -> 2nd protected LAN interface with unique subnet
> > > > etc....
> > > >
> > > > I would need multiple instances of snort with
> > > >
> > > > instance1 eth0 <---> eth1 (bidirectional)
> > > > instance2 eth0 <---> eth2        "
> > > > etc.
> > > >
> > > > Thank you!
>
> And per the daq README:
>
> AFPACKET Module
> ===============
>
> afpacket functions similar to the pcap DAQ but with better performance:
>
>      ./snort --daq afpacket -i <device>
>              [--daq-var buffer_size_mb=<#MB>]
>              [--daq-var debug]
>
> If you want to run afpacket in inline mode, you must craft the device
> string as
> one or more interface pairs, where each member of a pair is separated by
> a
> single colon and each pair is separated by a double colon like this:
>
>      eth0:eth1
>
> or this:
>
>      eth0:eth1::eth2:eth3
>
> This applies to PF_RING as well.
>
> James
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!