Snort mailing list archives

Re: Snort + ipchains


From: John Sage <jsage () finchhaven com>
Date: Sat, 01 Dec 2001 13:15:45 -0800

Martijn:

Martijn Heemels wrote:


<snip>


I'm actually running snort *on* the same box as ipchains. So, it's at
the border of my network.
However, still only non-firewalled ports are visible. I have kind of
given up on getting snort to see all traffic on this box, assuming
there must be something unusual about it (hardware of software).
Since I run snort only as a hobby project on my home LAN to learn
about computer-security related stuff, I stopped trying to solve the
problem. I'm pretty content actually getting alerts on the traffic
that crosses the firewall, since the stuff that gets blocked doesn't
hurt me anyway :-). Erik Adams would say that I need more coffee and
it would all become clear ;-D


That's weird about only seeing non-firewalled packets. That's about exactly what I'm doing.

My firewall essentially blocks everything except the masq range, and a couple other services...

I've got RedHat 6.2 (2.2.14-5.0 kernel, ipchains 1.3.9), but I'm doing ppp through my modem at home, too... though I can't see what difference ppp would make.

snort command line: snort -b -i ppp0 -c /usr/local/snort-1.8.2/snort182.conf

so I'm running in binary log mode and specifying the interface on the command line..

Relevant stuff...

/* god this is becoming *real* weird -- didn't you and I have exactly this *same* conversation last spring!? */

...from snort.conf:

var HOME_NET $ppp0_ADDRESS

var EXTERNAL_NET any

# output alert_full
output alert_full: /var/log/snort/alert182.full
# as from RELEASE


And then essentially I'm running only my own rules that either:

1) alert on specific ports first,
2) alert on port ranges second,
3) or log everything:

#
# attempt in snort182.conf for snort 1.8.2 11/25/01 - works ;-)
# attempt in snort18REL.conf for snort 1.8.1-RELEASE
# wasn't shown originally: works as from 1.7
<snip>
#=========================================
include /usr/local/snort-1.8.2/tcp182-local.rules
include /usr/local/snort-1.8.2/udp182-local.rules
include /usr/local/snort-1.8.2/icmp182-local.rules
# as from RELEASE

this is so that snort sees *every* packet realtime, and does something to every one...

As an example of some rules:

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"TCP to 137 netBIOS ns";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"TCP to 138 netBIOS ds";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"TCP to 139 netBIOS ss";)
alert tcp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"TCP from 137 netBIOS ns";)
alert tcp $EXTERNAL_NET 138 -> $HOME_NET any (msg:"TCP from 138 netBIOS ds";)
alert tcp $EXTERNAL_NET 139 -> $HOME_NET any (msg:"TCP from 139 netBIOS ss";)
#

And I would see these alerts even though the ports are blocked by ipchains.


Later on I analyze the binary logs with the other rulesets that actually come with snort, using a shell alias that says:

alias snort182check='snort182 -dv -i ppp0 -l . -P 2000 -c /usr/local/snort-1.8.2/snort182check.conf -r '

and *that* conf file points at the original snort rules...



Anyway..


- John


Anyway, if you have any tips left, let me know. I'm running a
completely updated redhat 6.2 on i386 with ipchains-1.3.9-5 and a
3com509 NIC

Greets, Martijn

P.S. Wish I was a *rich* student so i could build a cheap dedicated
snort box. But then again, there are a lot of other cool networking
things one can do with money...

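The NetBIOS rules John quotes above, worked through as an added example that is not code from this thread or from Snort itself: a small Python matcher for the Snort 1.x rule-header grammar those rules use (action, protocol, source address/port, direction, destination address/port, plus the msg option). The variable values, the X11 port-range rule, the ICMP rule and the sample packets are all constructed; $HOME_NET gets a documentation address in place of the thread's $ppp0_ADDRESS.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical variable values; the thread sets HOME_NET to $ppp0_ADDRESS.
VARS = {"HOME_NET": "203.0.113.5/32", "EXTERNAL_NET": "any"}

# Constructed rule file: the six NetBIOS rules from the message plus a
# port-range rule and an ICMP rule to exercise the other header forms.
RULES_TEXT = """
# constructed rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"TCP to 137 netBIOS ns";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"TCP to 138 netBIOS ds";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"TCP to 139 netBIOS ss";)
alert tcp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"TCP from 137 netBIOS ns";)
alert tcp $EXTERNAL_NET 138 -> $HOME_NET any (msg:"TCP from 138 netBIOS ds";)
alert tcp $EXTERNAL_NET 139 -> $HOME_NET any (msg:"TCP from 139 netBIOS ss";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000:6063 (msg:"TCP to X11 range";)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP to home";)
"""

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int   # 0 for ICMP
    dst: str
    dport: int


def expand(token, variables):
    """Replace a $VAR reference (optionally negated with !) by its value.
    An undefined variable is a configuration error, so refuse to guess."""
    negate = "!" if token.startswith("!") else ""
    token = token.lstrip("!")
    if token.startswith("$"):
        name = token[1:]
        if name not in variables:
            raise ValueError(f"undefined variable ${name}")
        return negate + variables[name]
    return negate + token


def addr_matcher(token):
    """'any', a host, or a CIDR block; a leading ! inverts the test."""
    negate = token.startswith("!")
    token = token.lstrip("!")
    if token == "any":
        return lambda ip: not negate
    net = ipaddress.ip_network(token, strict=False)
    return lambda ip: (ipaddress.ip_address(ip) in net) != negate


def port_matcher(token):
    """'any', a single port, or a lo:hi range (either end may be open)."""
    negate = token.startswith("!")
    token = token.lstrip("!")
    if token == "any":
        return lambda p: not negate
    if ":" in token:
        lo, hi = token.split(":", 1)
        lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 65535)
    else:
        lo = hi = int(token)
    return lambda p: (lo <= p <= hi) != negate


def parse_rules(text, variables):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        msg = MSG_RE.search(m["opts"])
        rules.append({
            "action": m["action"], "proto": m["proto"],
            "src": addr_matcher(expand(m["src"], variables)),
            "sport": port_matcher(expand(m["sport"], variables)),
            "dst": addr_matcher(expand(m["dst"], variables)),
            "dport": port_matcher(expand(m["dport"], variables)),
            "bidir": m["dir"] == "<>",
            "msg": msg.group(1) if msg else "",
        })
    return rules


def matches(rule, pkt):
    """Header match only; payload options are out of scope here."""
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    forward = (rule["src"](pkt.src) and rule["sport"](pkt.sport)
               and rule["dst"](pkt.dst) and rule["dport"](pkt.dport))
    if forward or not rule["bidir"]:
        return forward
    return (rule["src"](pkt.dst) and rule["sport"](pkt.dport)
            and rule["dst"](pkt.src) and rule["dport"](pkt.sport))


def alerts_for(pkt, rules):
    """msg strings of every alert rule whose header matches pkt."""
    return [r["msg"] for r in rules if r["action"] == "alert" and matches(r, pkt)]


RULES = parse_rules(RULES_TEXT, VARS)

if __name__ == "__main__":
    for p in (Packet("tcp", "198.51.100.7", 4444, "203.0.113.5", 139),
              Packet("tcp", "203.0.113.5", 1025, "198.51.100.7", 139)):
        print(p, alerts_for(p, RULES))
```

The matcher reports every rule whose header fits, which is enough to see why an inbound SYN to port 139 trips the "to 139" rule while the same port in an outbound connection trips nothing (the destination is not $HOME_NET). Note that Snort reads frames from the interface through libpcap, which hands them over before the kernel's ipchains input chain runs, so packets the firewall later drops are still visible to the rules, which is what John reports seeing.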
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users