Snort mailing list archives
Problem with bridge with Snort
From: giovanni guadagnini via Snort-users <snort-users () lists snort org>
Date: Tue, 03 Oct 2017 08:34:17 +0000
Hi. Trying to follow this guide http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ I created a snorted bridge. The bridge works correctly, but it doesn't filter the content. To explain better: I'm trying to build a bridge that intercepts and blocks the requests for video streams directed to a DVR (video surveillance). The network layout is like this:

LAN--CLIENT--> BRIDGE (with Snort) --> DVR --> CAM

I asked the site administrator, but he told me that he doesn't know why it doesn't work, and he told me to try asking you. I hope you can help me. Below are the mails we sent each other:
--------------------------------------------------------------------------------------------
From: Giovanni <giovanni.guadagnini () gmail com> Subject: IPS bridge
Message Body: Hi, is it possible to create a bridge with an IPS system like Snort that only has to check the string content of packets and drop them? But the bridge has to operate on the same network segment, not on two different segments.
example:
192.168.0.0/24(network) --> bridge --> 192.168.0.0/24 (network)
Can the bridge drop a packet with the string "Channel/1" and let the rest pass?
Sorry for my English.
----------------------------------------------------------------------------
On Wed, 13 Sep 2017 at 16:15, Noah Dietrich <noah_dietrich () 86penny org> wrote:
Yes, that is possible. Set up Snort in inline mode using afpacket; see my website for an example. Then you can create a rule to alert or drop based on the content.
---------------------------------------------------------------------------
On Fri, Sep 15, 2017 at 2:26 PM, giovanni guadagnini <giovanni.guadagnini () gmail com> wrote:
Hi, I followed the guide on your website. When I execute the command "sudo /usr/local/bin/snort -A console -Q -c /etc/snort/snort.conf -i eth1:eth2 -N" I see the message which tells me that Snort has intercepted the packet, but even if I put drop in the rule the packet is not dropped and it passes the bridge. I'm sure that the bridge is properly running. What can I do?
---------------------------------------------------------------------------
On Wed, 27 Sep 2017 at 09:09, Noah Dietrich <noah_dietrich () 86penny org> wrote:
Hi Giovanni, I am not sure why it is not dropping; does the message pass to the remote system? Your command looks correct. What does your rule look like?
---------------------------------------------------------------------------
On Wed, Sep 27, 2017 at 5:39 PM, giovanni guadagnini <giovanni.guadagnini () gmail com> wrote:
Yes, unfortunately it passes to the remote system. The rule was like this: "drop tcp any any -> 192.168.0.129 any (msg: "Video stream incoming packet found"; content:"Channels/101"; sid:1000001; rev:1; react:block;)". And when I executed the command "sudo /usr/local/bin/snort -A console -Q -c /etc/snort/snort.conf -i eth1:eth2 -N" I saw that Snort was intercepting the packet, but the packet still passed to the remote system.
Practically, I have to block packets directed to a DVR (video surveillance) that contain the following string: "Channels/101".
The network scheme is roughly this: PC-CLIENT --> bridge (snorted) --> DVR; the DVR manages IP cameras, the DVR is connected only to the bridge, and the bridge is connected to the LAN. The client asks the DVR to stream the video of an IP cam with a packet that contains "Channels/" followed by the number of the camera; I have to block the traffic of certain cams.
------------------------------------------------------------------------------
On Thu, 28 Sep 2017, 08:38, Noah Dietrich <noah_dietrich () 86penny org> wrote:
Two last things you might try: adding the following two flags when running Snort:
-k none -P 9000
For example, your command would be: sudo /usr/local/bin/snort -A console -Q -c /etc/snort/snort.conf -i eth1:eth2 -N -k none -P 9000
This will prevent fragmented packets and oversized frames from being ignored. If that doesn't fix the issue, I'd recommend you ask the Snort-users list, as I'm not sure what the issue is.
Noah
---------------------------------------------------------------------------
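An added editor example, not part of this thread and not Snort's own code: a small Python evaluator that parses the drop rule Giovanni posted (header plus the msg, content, nocase and sid options) and applies it to hand-built packets, so the match logic can be checked on a desk before blaming the bridge. The DVR address 192.168.0.129 and the string "Channels/101" come from the rule in the thread; the client addresses, ports and HTTP request paths in the packets are constructed for illustration. It deliberately ignores stream reassembly, flow state and every other rule option.

```python
"""Toy evaluator for the Snort drop rule discussed in the thread (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass

# The rule as posted; react:block is parsed but has no effect here.
RULE = ('drop tcp any any -> 192.168.0.129 any (msg:"Video stream incoming '
        'packet found"; content:"Channels/101"; sid:1000001; rev:1; react:block;)')
DVR = "192.168.0.129"          # from the rule in the thread
CLIENT = "192.168.0.10"        # constructed client address

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

_HEX = re.compile(r"\|([0-9A-Fa-f\s]+)\|")
_OPT = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')

def decode_content(text):
    """Turn a Snort content string into bytes, expanding |hex| blocks."""
    out, pos = bytearray(), 0
    for m in _HEX.finditer(text):
        out += text[pos:m.start()].encode() + bytes.fromhex(m.group(1))
        pos = m.end()
    return bytes(out + text[pos:].encode())

def parse_rule(rule):
    """Split a unidirectional rule into header fields and an options dict."""
    header, _, body = rule.strip().partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only -> rules are handled in this example")
    opts = {"contents": []}        # list of [bytes, nocase]
    for name, value in _OPT.findall(body.rstrip(")")):
        value = value.strip().strip('"')
        if name == "content":
            opts["contents"].append([decode_content(value), False])
        elif name == "nocase":     # modifier applies to the preceding content
            opts["contents"][-1][1] = True
        else:
            opts[name] = value
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def address_matches(spec, ip):
    """'any', a host, a CIDR, a [list], optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate

def port_matches(spec, port):
    """'any', a single port, or a lo:hi range (either end may be open)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def content_found(payload, content, nocase):
    """content is an exact byte-substring match; nocase folds ASCII case."""
    return content.lower() in payload.lower() if nocase else content in payload

def verdict(rule, pkt):
    """Return the rule action when header and all content options match, else 'pass'."""
    if rule["proto"] != "ip" and pkt.proto != rule["proto"]:
        return "pass"
    if not (address_matches(rule["src"], pkt.src) and address_matches(rule["dst"], pkt.dst)
            and port_matches(rule["sport"], pkt.sport) and port_matches(rule["dport"], pkt.dport)):
        return "pass"
    if all(content_found(pkt.payload, c, nc) for c, nc in rule["opts"]["contents"]):
        return rule["action"]
    return "pass"

def demo():
    """Evaluate the posted rule against constructed packets; returns {case: verdict}."""
    rule = parse_rule(RULE)
    req = b"GET /Channels/101 HTTP/1.1\r\nHost: " + DVR.encode() + b"\r\n\r\n"
    seg1, seg2 = b"GET /Chan", b"nels/101 HTTP/1.1\r\n\r\n"   # request split over two segments
    cases = {
        "to_dvr":       Packet("tcp", CLIENT, 51000, DVR, 80, req),
        "other_host":   Packet("tcp", CLIENT, 51001, "192.168.0.50", 80, req),
        "lowercase":    Packet("tcp", CLIENT, 51002, DVR, 80, req.replace(b"Channels", b"channels")),
        "channel_1010": Packet("tcp", CLIENT, 51003, DVR, 80, req.replace(b"/101", b"/1010")),
        "segment_1":    Packet("tcp", CLIENT, 51004, DVR, 80, seg1),
        "segment_2":    Packet("tcp", CLIENT, 51004, DVR, 80, seg2),
        "reassembled":  Packet("tcp", CLIENT, 51004, DVR, 80, seg1 + seg2),
    }
    return {name: verdict(rule, p) for name, p in cases.items()}

if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:13s} {v}")
```

Running demo() shows three things worth checking before looking at the bridge itself: the rule only fires for TCP traffic whose destination is 192.168.0.129, so if the DVR answers on another address nothing is ever dropped; content is a case-sensitive exact byte-substring match, so "Channels/1010" is caught as well unless the content includes whatever delimiter follows the channel number in the DVR's request format; and a matcher that looks at one segment at a time misses a string split across segments, which is what Snort's stream reassembly (and Noah's suggestion to stop ignoring fragments and oversized frames) is there to cover. A drop verdict only takes effect when Snort is actually the forwarder, i.e. afpacket inline between eth1 and eth2; a separate kernel bridge between the same two interfaces would carry the packets around Snort, and the rule would then alert without blocking.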