Snort mailing list archives
Re: QUEUE questions?
From: "mdpeters" <michael.peters () lazarusalliance com>
Date: Sun, 9 Jan 2005 08:03:47 -0500
OK. I am running a Nessus scan against the target system which sits on a hub on the other side of the bridge. The
Nessus scanner sits on a hub at the opposite side of the bridge.
Here is the Snort-inline command I used:
/opt/snort-inline/bin/snort-inline -Qc /opt/snort-inline/etc/ips.conf -l /var/log/snort-inline-ips
I turned the QUEUE back on in the iptables which breaks the bridge. When I use ALLOW instead of QUEUE, the bridge
passes packets just fine.
Here is what the console had to tell us:
Reading from iptables
Running in IDS mode
Log directory = /var/log/snort-inline-ips
Initializing Inline mode
--== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /opt/snort-inline/etc/ips.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Iptables NEW,RELATED mark is: (1)
Iptables ESTABLISHED mark is: (2)
Forcing stream4 to use iptables state
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Stream4_reassemble config:
Server reassembly: ACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
flush_data_diff_size: 500
Ports: 21 23 25 53 80 110 111 143 513 1433
Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /opt/snort-inline/etc/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: YES
IIS Delimiter: YES alert: YES
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
database: compiled support for ( mysql )
database: configured to use mysql
database: user = someuser
database: password is set
database: database name = snort
database: host = localhost
database: sensor name = IPS
database: sensor id = 1
database: schema version = 106
database: using the "alert" facility
3 Snort rules read...
3 Option Chains linked into 3 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
building cached link layer reset packets
+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->drop->sdrop->reject->alert->pass->log
--== Initialization Complete ==--
*******************
snort_inline-2.2.0-RC1
*******************
a modification of ...
-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
When I stop snort-inline, I get the following:
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.186405)/blocks (19546/23) Overhead blocks: 1 Could Hold: (73326)
IPV4 count: 22 frees: 0 low_time: 1105274647, high_time: 1105274671, diff: 0h:00:24s
finds: 31 reversed: 0(%0.000000)
find_sucess: 9 find_fail: 22 percent_success: (%29.032258) new_flows: 22
Protocol: 1 (%32.258065) finds: 10 reversed: 0(%0.000000)
find_sucess: 9 find_fail: 1 percent_success: (%90.000000) new_flows: 1
Protocol: 6 (%64.516129) finds: 20 reversed: 0(%0.000000)
find_sucess: 0 find_fail: 20 percent_success: (%0.000000) new_flows: 20
Protocol: 17 (%3.225806) finds: 1 reversed: 0(%0.000000)
find_sucess: 0 find_fail: 1 percent_success: (%0.000000) new_flows: 1
database: Closing connection to database "c Protocol Command Decode"
Snort exiting
The syslog which I am logging to like this:
/usr/local/sbin/iptables -P FORWARD DROP
/usr/local/sbin/iptables -A FORWARD -j LOG --log-prefix "PRE QUEUE"
/usr/local/sbin/iptables -A FORWARD -p tcp --syn -m state --state NEW -j QUEUE
/usr/local/sbin/iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j QUEUE
/usr/local/sbin/iptables -A FORWARD -p udp -j QUEUE
/usr/local/sbin/iptables -A FORWARD -p icmp -j QUEUE
/usr/local/sbin/iptables -A FORWARD -j LOG --log-prefix "POST QUEUE"
Here is a sample of the syslog messages:
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=28 TOS=0x00 PREC=0x00 TTL=64
ID=54532 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=28 TOS=0x00 PREC=0x00 TTL=64
ID=54788 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=28 TOS=0x00 PREC=0x00 TTL=64
ID=55044 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=28 TOS=0x00 PREC=0x00 TTL=64
ID=55300 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=28 TOS=0x00 PREC=0x00 TTL=64
ID=55556 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=28 TOS=0x00 PREC=0x00 TTL=64
ID=55812 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=28 TOS=0x00 PREC=0x00 TTL=64
ID=56068 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=28 TOS=0x00 PREC=0x00 TTL=64
ID=56324 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=41 TOS=0x00 PREC=0x00 TTL=64
ID=3072 PROTO=TCP SPT=3133 DPT=4764 WINDOW=2048 RES=0x00 ACK URGP=0
POST QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=56.185.89.132 DST=56.185.89.130 LEN=41 TOS=0x00 PREC=0x00 TTL=64
ID=3072 PROTO=TCP SPT=3133 DPT=4764 WINDOW=2048 RES=0x00 ACK URGP=0
The only things that gets through the bridge now are the arp packets. Both machines on either side of the bridge see
the others MAC.
----- Original Message -----
From: Gould, Scott
To: mdpeters
Sent: Saturday, January 08, 2005 10:24 PM
Subject: RE: [Snort-users] QUEUE questions?
No prob.
Have your tried running snort_inline without the -d Flag, but using the verbose flag with console logging option.
Then run a nessus scan of the box on the other side of the ips. Do you see the alerts showing up in the running
snort_inline process?
Once you get this info, why don't you post the reply to the list, so we can see if the rest of the inline gang have
something to offerJ
------------------------------------------------------------------------------
From: mdpeters [mailto:michael.peters () lazarusalliance com]
Sent: Saturday, January 08, 2005 7:18 AM
To: Gould, Scott
Subject: Re: [Snort-users] QUEUE questions?
snort_inline-2.2.0a ./configure --with-mysql --with-openssl --enable-inline --enable-flexresp
Sorry about the name confusion. It was lost in transcription. This is the command used,
/opt/snort-inline/bin/snort-inline -Qc /opt/snort-inline/etc/ips.conf -l /var/log/snort-inline-ips -D
I run regular Snort on the same box as well.
----- Original Message -----
From: Gould, Scott
To: mdpeters
Sent: Friday, January 07, 2005 11:40 PM
Subject: RE: [Snort-users] QUEUE questions?
I notice your binary is names snort, rather than snort_inline.
Are you using a 2.3.0RCx build of snort? If so, did you compile snort using the -enable-inline flag when you ran
the configure script?
If your not using that build, what build or snort or snort_inline are you using?
----------------------------------------------------------------------------
From: mdpeters [mailto:michael.peters () lazarusalliance com]
Sent: Friday, January 07, 2005 10:48 PM
To: Gould, Scott
Subject: Re: [Snort-users] QUEUE questions?
Yes, like this: /opt/snort-inline/bin/snort -Qc /opt/snort-inline/etc/ips.conf -l /var/log/snort-inline-ips -D
----- Original Message -----
From: Gould, Scott
To: mdpeters
Sent: Friday, January 07, 2005 9:34 PM
Subject: RE: [Snort-users] QUEUE questions?
Are you running snort_inline with the -Q flag?
--------------------------------------------------------------------------
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of
mdpeters
Sent: Friday, January 07, 2005 5:00 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] QUEUE questions?
I have set up a transparent bridge using Fedora Core 2. The only thing that passes through is arp messages. I
have a Nessus scanner on a hub at one side of the bridge and the target system on a hub at the other side of the
bridge. I will get only two line entries in syslog.
These are the iptable rules.
/usr/local/sbin/iptables -P FORWARD DROP
/usr/local/sbin/iptables -A FORWARD -j LOG --log-prefix "PRE QUEUE"
/usr/local/sbin/iptables -A FORWARD -p tcp --syn -m state --state NEW -j QUEUE
/usr/local/sbin/iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j QUEUE
/usr/local/sbin/iptables -A FORWARD -p udp -j QUEUE
/usr/local/sbin/iptables -A FORWARD -p icmp -j QUEUE
/usr/local/sbin/iptables -A FORWARD -j LOG --log-prefix "POST QUEUE"
This is the output.
PRE QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=69.16.185.132 DST=69.16.185.130 LEN=41 TOS=0x00 PREC=0x00
TTL=64 ID=3072 PROTO=TCP SPT=3133 DPT=49550 WINDOW=2048 RES=0x00 ACK URGP=0
POST QUEUEIN=br0 OUT=br0 PHYSIN=eth2 PHYSOUT=eth1 SRC=69.16.185.132 DST=69.16.185.130 LEN=41 TOS=0x00 PREC=0x00
TTL=64 ID=3072 PROTO=TCP SPT=3133 DPT=49550 WINDOW=2048 RES=0x00 ACK URGP=0
I understand that the QUEUE target will never return a packet to the system unless the userspace program has
processed the packet, so it appears that snort-inline is turned off or broken. Since I know that Snort-inline is
running, does anyone have an idea about what would be causing the problem?
Thanks,
Michael
Current thread:
- QUEUE questions? mdpeters (Jan 07)
- <Possible follow-ups>
- Re: QUEUE questions? mdpeters (Jan 09)