Snort mailing list archives

Re: snort-inline and iptables INPUT chain


From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 2 Mar 2005 15:58:31 -0600

Nothing is showing up in your alert logs? Is it just ssh or does this
happen with all connections?  Try the following....

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j QUEUE
iptables -A FORWARD -j QUEUE
iptables -A OUTPUT -j QUEUE

In your snort.conf, set the checksum mode to none:

config checksum_mode: none

Regards,

Will




On Wed, 02 Mar 2005 20:16:38 +0100, Laurent Haond <lhaond () bearstech com> wrote:


Will Metcalf wrote:

If you start snort with

snort -Q -v -c /etc/snort/snort.conf

do you see any traffic?

Regards,

Will



Sure, I see some traffic:

Here are tethereal captures (done on 192.168.0.2, which is the ssh client
with NO firewall):

=> case 1:
ssh establishment WITHOUT snort-inline / queue:
Capturing on eth0
0.000000  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
0.000422  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
0.000456  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=567647 TSER=583170
0.091878  192.168.0.2 -> 192.168.0.1  SSH Server Protocol: SSH-2.0-OpenSSH
0.091892  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=25 Win=5840 Len=0 TSV=567656 TSER=583180
0.091949  192.168.0.1 -> 192.168.0.2  SSH Client Protocol: SSH-2.0-OpenSSH
0.092158  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=25 Ack=42 Win=5792 Len=0 TSV=583180 TSER=567656
0.092166  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Key Exchange Init
0.092429  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=25 Ack=650 Win=6688 Len=0 TSV=583180 TSER=567656
0.096161  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Key Exchange Init
0.096229  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Diffie-Hellman GEX Request
0.112155  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Diffie-Hellman Key Exchange Reply
0.113776  192.168.0.1 -> 192.168.0.2  SSHv2 Client: Diffie-Hellman GEX Init
0.150941  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=785 Ack=818 Win=7904 Len=0 TSV=583186 TSER=567658
0.253657  192.168.0.2 -> 192.168.0.1  SSHv2 Server: Diffie-Hellman GEX Reply
0.255864  192.168.0.1 -> 192.168.0.2  SSHv2 Client: New Keys
0.256059  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=1249 Ack=834 Win=7904 Len=0 TSV=583196 TSER=567672
0.256068  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=48
0.256240  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [ACK] Seq=1249 Ack=882 Win=7904 Len=0 TSV=583196 TSER=567672
0.256615  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=48
0.256922  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=64
0.258581  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=80
0.258646  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=528
0.260759  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=80
0.260799  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet len=96
0.261335  192.168.0.2 -> 192.168.0.1  SSHv2 Encrypted response packet len=80
0.300461  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1570 Ack=1537 Win=7904 Len=0 TSV=567677 TSER=583197
So OK, it works normally...

=> case 2:
ssh establishment WITH snort-inline / queue:
Capturing on eth0
0.000000  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
0.000557  192.168.0.2 -> 192.168.0.1  TCP 22 > 32862 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
0.000577  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=599536 TSER=615058
Then nothing more is received...

But on 192.168.0.1 (the snort box, running snort -Q -v -c /etc/snort/snort.conf)
I see traffic from 192.168.0.2:22 -> 192.168.0.1:32862 after that...
But this traffic is never received by 192.168.0.1!!

Regards
Laurent
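The stall in case 2 (three-way handshake completes, then silence, while snort -Q still sees the server's segments) is easy to spot by eye in a ten-line trace but not in a long one. The following is an added example, not code from this thread or from the Snort project: it parses tethereal summary lines in the format pasted above, re-joins lines that the mail client wrapped, and classifies each TCP conversation as healthy, one-way, stalled after the handshake, or never established. The two sample traces are constructed, modelled on Laurent's captures, and the verdict labels are this example's own.

```python
"""Triage a tethereal/tshark summary trace for TCP flows that complete the
three-way handshake and then carry no application data, the symptom shown in
case 2 above.  Added example, not code from the thread; the sample traces are
constructed, modelled on the two captures Laurent posted."""
import re
from collections import defaultdict

# Constructed sample: a flow that works (handshake, SSH banners, key exchange).
TRACE_OK = """Capturing on eth0
0.000000  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [SYN] Seq=0 Ack=0
Win=5840 Len=0 MSS=1460 TSV=567646 TSER=0 WS=0
0.000422  192.168.0.2 -> 192.168.0.1  TCP 22 > 32859 [SYN, ACK] Seq=0
Ack=1 Win=5792 Len=0 MSS=1460 TSV=583170 TSER=567646 WS=0
0.000456  192.168.0.1 -> 192.168.0.2  TCP 32859 > 22 [ACK] Seq=1 Ack=1
Win=5840 Len=0 TSV=567647 TSER=583170
0.091878  192.168.0.2 -> 192.168.0.1  SSH Server Protocol: SSH-2.0-OpenSSH
0.091949  192.168.0.1 -> 192.168.0.2  SSH Client Protocol: SSH-2.0-OpenSSH
0.256068  192.168.0.1 -> 192.168.0.2  SSHv2 Encrypted request packet
len=48
"""

# Constructed sample: the failing flow, handshake completes and then nothing.
TRACE_STALL = """Capturing on eth0
0.000000  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [SYN] Seq=0 Ack=0
Win=5840 Len=0 MSS=1460 TSV=599536 TSER=0 WS=0
0.000557  192.168.0.2 -> 192.168.0.1  TCP 22 > 32862 [SYN, ACK] Seq=0
Ack=1 Win=5792 Len=0 MSS=1460 TSV=615058 TSER=599536 WS=0
0.000577  192.168.0.1 -> 192.168.0.2  TCP 32862 > 22 [ACK] Seq=1 Ack=1
Win=5840 Len=0 TSV=599536 TSER=615058
"""

PACKET_RE = re.compile(
    r'^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s*(?P<info>.*)$')
FLAGS_RE = re.compile(r'\[(?P<flags>[^\]]+)\]')
LEN_RE = re.compile(r'\bLen=(?P<n>\d+)')


def unwrap(text):
    """Re-join packet lines the mail client wrapped: a continuation line is
    one that does not start with a timestamp."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PACKET_RE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += ' ' + line
    return out


def analyse(text):
    """Return {(host_a, host_b): flow_state} for every conversation seen."""
    flows = defaultdict(lambda: {'syn': False, 'synack': False, 'ack': False,
                                 'data': defaultdict(int), 'last': 0.0})
    for line in unwrap(text):
        m = PACKET_RE.match(line)
        if not m:                       # e.g. "Capturing on eth0"
            continue
        src, dst, proto, info = m['src'], m['dst'], m['proto'], m['info']
        f = flows[tuple(sorted((src, dst)))]
        f['last'] = float(m['t'])
        fm = FLAGS_RE.search(info)
        flags = {x.strip() for x in fm['flags'].split(',')} if fm else set()
        # tethereal prints Len= only on bare TCP segments; a line dissected as
        # SSH/SSHv2 (or any other upper protocol) carries payload by definition
        lm = LEN_RE.search(info)
        payload = int(lm['n']) if lm else (0 if proto == 'TCP' else 1)
        if flags == {'SYN'}:
            f['syn'] = True
        elif flags == {'SYN', 'ACK'}:
            f['synack'] = True
        elif 'ACK' in flags and f['synack']:
            f['ack'] = True
        if payload:
            f['data'][src] += 1
    return flows


def verdict(f):
    """Classify one flow. 'stalled' is the snort-inline symptom: the kernel
    finished the handshake, but every later segment vanished in the queue."""
    if not (f['syn'] and f['synack'] and f['ack']):
        return 'handshake-incomplete'
    if not f['data']:
        return 'stalled'
    if len(f['data']) == 1:
        return 'one-way-data'
    return 'ok'


def report(text):
    return {hosts: verdict(state) for hosts, state in analyse(text).items()}


if __name__ == '__main__':
    for name, trace in (('case 1', TRACE_OK), ('case 2', TRACE_STALL)):
        for hosts, v in report(trace).items():
            print(f'{name}: {hosts[0]} <-> {hosts[1]}: {v}')
```

A 'stalled' verdict on the client's own capture, combined with snort -Q -v showing the same segments, narrows the fault to the QUEUE path between ip_queue and the stack (a verdict never issued, or every packet dropped, for instance because of checksum verification), which is exactly where Will's two suggestions point.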




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

