Snort mailing list archives

Re: Snort + ipchains


From: John Sage <jsage () finchhaven com>
Date: Sat, 01 Dec 2001 13:34:02 -0800

Guillaume:

Guillaume wrote:

In reply to John Sage <jsage () finchhaven com>:


Guillaume:

It's interesting to note that the HOW-TO doesn't even mention -o except
in a crossreference to ipfwadm commands.
man ipchains says "Copy matching packets to the user space device..."
I've never used it; hardly knew it existed.
What exactly are you hoping to accomplish?


I would like to capture rejected/denied packets in raw binary format for a kind of forensic analysis, in search of new attack tracks. For that, ipchains logs are not enough. All I can do is suspect these packets just because they were rejected by ipchains...


That sounds a lot like what I'm doing:

My method is to run snort in -b binary capture mode against my own rulesets that essentially act upon *every* packet by either alerting (on a specific port, for example..) or by alerting/logging entire port ranges so that everything is captured.


Here's an example of the rules that act upon ports:

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TCP to 445 Win2k SMB";)
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"TCP from 445 Win2k SMB";)
#


And upon port ranges:

# Blanket ALERT FROM ranges, leave holes for services we like ;-)
#
alert tcp $EXTERNAL_NET 0:20 -> $HOME_NET any (msg:"TCP from range 0-20";)
# 21 ftp
alert tcp $EXTERNAL_NET 22:24 -> $HOME_NET any (msg:"TCP from range 22-24";)
# 25 smtp
alert tcp $EXTERNAL_NET 26:42 -> $HOME_NET any (msg:"TCP from range 26-42";)
# 43 whois
alert tcp $EXTERNAL_NET 44:79 -> $HOME_NET any (msg:"TCP from range 44-79";)
# 80 http
alert tcp $EXTERNAL_NET 81:109 -> $HOME_NET any (msg:"TCP from range 81-109";)
# 110 pop3


(Now, having said this, let me say that my ipchains rules actually block most of those ports that seem to be open, by limiting connections to a specific set of source IPs...)


Here's an example of the rules (bi-directional) that log entire ranges:

# Blanket LOG FROM bidirectional ranges so everything is logged
#
log tcp $EXTERNAL_NET 0:1024 <> $HOME_NET any (msg:"TCP to/from range 0-1024";)
log tcp $EXTERNAL_NET 1025:60999 <> $HOME_NET any (msg:"TCP to/from range 1025-60999";)
log tcp $EXTERNAL_NET 61000:65095 <> $HOME_NET any (msg:"TCP to/from masq range";)
log tcp $EXTERNAL_NET 65096:65535 <> $HOME_NET any (msg:"TCP to/from beyond masq range";)
#
# run with: snort -b -i ppp0 -c /usr/local/snort-1.8.2/snort182.conf &


The net effect is that *every* packet is accounted for, somehow, both incoming and outgoing.

Later I analyze the binary logs with the rules that come provided with snort...


HTH..

- John


My thought is to capture all that and perform snort or any other network utility post-analysis. The hardest part being that, if ipchains and snort are up to date, no signature or rule will match captured traffic... But the goal is to write new ones.



Guillaume

***********************************
Sent with HORDE/IMP (www.horde.org)
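A quick check on John's blanket-rule approach above, added here as an example and not code from either poster: the "leave holes for services we like" alert ranges only capture everything if the holes are the ones you intended, and the bidirectional log ranges only account for every packet if they cover all 65536 ports with no gap. The script below parses Snort 1.x rule headers (the same source-port spec syntax John uses), reports uncovered source ports per action, and feeds it the rules quoted in the post (constructed copy; the alert set as quoted stops at port 109, so it is checked over 0-110).

```python
import re

# Constructed sample: the blanket rules quoted in John's post.
RULES = """
alert tcp $EXTERNAL_NET 0:20 -> $HOME_NET any (msg:"TCP from range 0-20";)
alert tcp $EXTERNAL_NET 22:24 -> $HOME_NET any (msg:"TCP from range 22-24";)
alert tcp $EXTERNAL_NET 26:42 -> $HOME_NET any (msg:"TCP from range 26-42";)
alert tcp $EXTERNAL_NET 44:79 -> $HOME_NET any (msg:"TCP from range 44-79";)
alert tcp $EXTERNAL_NET 81:109 -> $HOME_NET any (msg:"TCP from range 81-109";)
log tcp $EXTERNAL_NET 0:1024 <> $HOME_NET any (msg:"TCP to/from range 0-1024";)
log tcp $EXTERNAL_NET 1025:60999 <> $HOME_NET any (msg:"TCP to/from range 1025-60999";)
log tcp $EXTERNAL_NET 61000:65095 <> $HOME_NET any (msg:"TCP to/from masq range";)
log tcp $EXTERNAL_NET 65096:65535 <> $HOME_NET any (msg:"TCP to/from beyond masq range";)
"""

# action proto src_ip src_port direction dst_ip dst_port (options ignored)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)")

def parse_port(spec):
    """Snort port spec -> inclusive (lo, hi): 'any', 'N:M', ':M', 'N:' or 'N'."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    p = int(spec)
    return (p, p)

def covered_source_ports(rules, action, proto="tcp"):
    """Source-port ranges claimed by rules of the given action and protocol.
    John's blanket rules key on the external (source) port, hence group 4."""
    ranges = []
    for line in rules.splitlines():
        m = HEADER.match(line.strip())   # comments and blank lines do not match
        if m and m.group(1) == action and m.group(2) == proto:
            ranges.append(parse_port(m.group(4)))
    return sorted(ranges)

def holes(ranges, lo=0, hi=65535):
    """Ports in [lo, hi] that no range covers: intended service holes, or
    accidental gaps whose traffic would never be captured."""
    covered = set()
    for a, b in ranges:
        covered.update(range(a, b + 1))
    return [p for p in range(lo, hi + 1) if p not in covered]

if __name__ == "__main__":
    print("alert holes 0-110:", holes(covered_source_ports(RULES, "alert"), 0, 110))
    print("log holes 0-65535:", holes(covered_source_ports(RULES, "log")))
```

The alert holes come back as exactly 21, 25, 43, 80 and 110 (ftp, smtp, whois, http, pop3), and the log set has no gap, which is what "every packet is accounted for" depends on.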





