Snort mailing list archives

Re: Configuration issue, Part II


From: Bob Hillegas <bobhillegas () pdq net>
Date: Mon, 24 Sep 2001 12:33:34 -0500 (CDT)

John, I too use a dialup ppp connection on a firewall/IDS box. But I see
less than one percent of traffic and rarely see any packets that IPChains
logs, and I do log every DENY, REJECT.

You showed your command line. Do you mind sharing your 'cat snort.conf |
grep -v ^# | grep -v ^$'?

Thanks, BobH
-- 
-------------------------------------------------
Bob Hillegas
<bobhillegas () pdq net>
281.546.9311

John Sage wrote: ------------------------------------------------------

Message: 10
Date: Mon, 24 Sep 2001 07:20:55 -0700
From: John Sage <jsage () finchhaven com>
Organization: FinchHaven
To: Erek Adams <erek () theadamsfamily net>
CC: DJDave Sobel <dave () evolvetech com>,
        snort-users () lists sourceforge net
Subject: Re: [Snort-users] Configuration issue, Part II

Let's see...

*rummages around in logs*

Erek Adams wrote:

On Mon, 24 Sep 2001, John Sage wrote:

Although I think Erek has something going with the real issue, here,
questioning how *two* external interfaces are to work...

Well, you've really got two options running under Linux.  -i any and running
two instances of snort, one for each interface.

[...snip...]

...let me say that this is *not* what I see.


Hrm....

With snort 1.8.1-RELEASE build 74, and ipchains 1.3.9 (I know, I know..)
on RHL 6.2, ipchains quite busily DENY's or ACCEPT's as appropriate, and
snort happily logs everything, DENY'ed or not.

Maybe if Marty or someone is lurking, they can comment on what the FAQ says:

<snip>
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully
quiet...

A: Your firewall rules will also block traffic to the snort processes.
<snip>

and how that reconciles with what I'm seeing.

I'm running snort thus:

snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &

and my snortREL.conf points at my rules files that essentially log
everything.


Do you actually see packets with snort that should have been denied by the
firewall?  IOW, if you setup a firewall rule to deny all traffic from an
external site, say route-server.cerf.net, and then tried to send traffic from
the blocked site back into your net, does your snort box see it?  According to
everything we've seen so far, it shouldn't.  If you can, we'd love more info
on it!


Ah! here we go!

snort:
[**] [1:0:0] TCP to 111 sunrpc [**]
09/23-08:38:33.200899 211.234.99.8:1180 -> 12.82.129.113:111
TCP TTL:50 TOS:0x0 ID:57715 IpLen:20 DgmLen:60 DF
******S* Seq: 0x5F3001C2  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 20829501 0 NOP WS: 0

syslog via logcheck, from snort and ipchains:
Security Violations
=-=-=-=-=-=-=-=-=-=
Sep 23 08:38:33 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP}
211.234.99.8:1180 -> 12.82.129.113:111
Sep 23 08:38:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
211.234.99.8:1180 12.82.129.113:111 L=60 S=0x00 I=57715 F=0x4000 T=50
SYN (#58)

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep 23 08:38:33 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP}
211.234.99.8:1180 -> 12.82.129.113:111
Sep 23 08:38:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
211.234.99.8:1180 12.82.129.113:111 L=60 S=0x00 I=57715 F=0x4000 T=50
SYN (#58)

<time passes>

snort:
[**] [1:0:0] TCP to 80 http [**]
09/23-09:16:59.486532 12.82.128.150:3737 -> 12.82.129.113:80
TCP TTL:126 TOS:0x0 ID:23129 IpLen:20 DgmLen:48 DF
******S* Seq: 0xD7345D22  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] TCP to 80 http [**]
09/23-09:17:02.506834 12.82.128.150:3737 -> 12.82.129.113:80
TCP TTL:126 TOS:0x0 ID:23493 IpLen:20 DgmLen:48 DF
******S* Seq: 0xD7345D22  Ack: 0x0  Win: 0x2238  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

Security Violations
=-=-=-=-=-=-=-=-=-=
Sep 23 09:16:59 greatwall snort: [1:0:0] TCP to 80 http {TCP}
12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:17:02 greatwall snort: [1:0:0] TCP to 80 http {TCP}
12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:16:59 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23129 F=0x4000 T=126
SYN (#58)
Sep 23 09:17:02 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23493 F=0x4000 T=126
SYN (#58)

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Sep 23 09:16:59 greatwall snort: [1:0:0] TCP to 80 http {TCP}
12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:17:02 greatwall snort: [1:0:0] TCP to 80 http {TCP}
12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:16:59 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23129 F=0x4000 T=126
SYN (#58)
Sep 23 09:17:02 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23493 F=0x4000 T=126
SYN (#58)

<same sorta crap goes on for hours...>


Realize, again, that this is snort and ipchains running on the same box.

Dialup, ppp...

Command line:

snortREL -b -i ppp0 -c /usr/local/snort-1.8.1-RELEASE/snortREL.conf &


- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
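As an added example (not code from the thread or from the Snort project), a small Python correlator over the syslog lines John quoted: it pairs each snort alert with an ipchains DENY entry carrying the same timestamp and 4-tuple, which is the check that settles whether snort on the firewall box sees packets the firewall dropped. The final input line is constructed to show the other case, an alert with no DENY.

```python
import re
from collections import defaultdict

# Syslog lines quoted in John's post, re-joined onto single lines. The final
# snort alert is constructed: it has no ipchains DENY, i.e. a packet the
# firewall ACCEPTed but snort (sniffing the raw interface) logged anyway.
SYSLOG = """\
Sep 23 08:38:33 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP} 211.234.99.8:1180 -> 12.82.129.113:111
Sep 23 08:38:33 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 211.234.99.8:1180 12.82.129.113:111 L=60 S=0x00 I=57715 F=0x4000 T=50 SYN (#58)
Sep 23 09:16:59 greatwall snort: [1:0:0] TCP to 80 http {TCP} 12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:17:02 greatwall snort: [1:0:0] TCP to 80 http {TCP} 12.82.128.150:3737 -> 12.82.129.113:80
Sep 23 09:16:59 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23129 F=0x4000 T=126 SYN (#58)
Sep 23 09:17:02 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.150:3737 12.82.129.113:80 L=48 S=0x00 I=23493 F=0x4000 T=126 SYN (#58)
Sep 23 09:20:11 greatwall snort: [1:0:0] TCP to 80 http {TCP} 12.82.128.150:3901 -> 12.82.129.113:80
"""

SNORT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort: \[[\d:]+\] (?P<msg>.*?) "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (?P<chain>\w+) "
    r"(?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) ")

def correlate(text):
    """Split snort alerts into those paired with an ipchains DENY of the same
    second and 4-tuple (matched) and those the firewall did not deny (unmatched)."""
    denies = defaultdict(int)   # (ts, src, sport, dst, dport) -> DENY count
    alerts = []
    for line in text.splitlines():
        m = IPCHAINS_RE.match(line)
        if m and m["verdict"] == "DENY":
            denies[(m["ts"], m["src"], m["sport"], m["dst"], m["dport"])] += 1
            continue
        m = SNORT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    matched, unmatched = [], []
    for a in alerts:
        key = (a["ts"], a["src"], a["sport"], a["dst"], a["dport"])
        if denies[key] > 0:        # consume one DENY per alert so repeats pair 1:1
            denies[key] -= 1
            matched.append(a)
        else:
            unmatched.append(a)
    return matched, unmatched

if __name__ == "__main__":
    hit, miss = correlate(SYSLOG)
    print(f"{len(hit)} alerts were on DENY'ed packets, {len(miss)} were not")
```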



