RE: Inline and stream 4

["Pieter Vanmeerbeek" <pieter.vanmeerbeek () able be>]

Hi,

As indicated in my previous post we were only sending incoming traffic from
the Internet and DMZ devices through snort. 

Following your advise I tried to route all traffic through snort, this is
our setup


INT -- Server with snort -- LAN
        


I created a jump to QUEUE in iptables in the output, forward and input
table, in other words all combination .

However from the moment a jump in the output table is set, it isn't possible
to make connections, I tested this with an ssh session from the LAN  to the
server and a session from the server to the LAN.

I debugged the last one, running snort with the -v option shows me that
packets are sent to snort as they are logged, however dumping on the secure
lan device of the server shows no packets. Disabling the jump to the QUEUE
statement solves the problem. For some reason a ping to the lan and to the
server seem to work, so I don't think everything is blocked. 

I can't seem to find the problem as no alerts are shown. I tried removing
all rules and even all preproccessors from the snort.conf file but still the
same problem. I set the home_net variable to the secure lan IP address and
internet IP address. I used the default snort.conf file with http_inspect
disabled and the stream4 midstream_drop_alerts option on. All rules are set
to drop, but as the problem still exists without any rules in the snort.conf
I don't think a problem exists there.

Is there anything else I can disable/enable to see something more? I even
tried a small program that reads its input from the QUEUE user land end
which just passes its input on. Using this program everything seems to work.



Kind regards,
Pieter




-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Pieter
Vanmeerbeek
Sent: donderdag 13 april 2006 12:20
To: snort-users () lists sourceforge net
Subject: [Snort-users] Inline and stream 4

Hi

I've got a question on a stream 4 configuration. This is our setup: 

All traffic from internet and dmz is routed to snort using iptables QUEUE
statement. All traffic from our router itself and all traffic from the
secure LAN is NOT routed to snort. We are using the upgradeable rule set
with all rules set to drop to have an IPS system

This worked fine, however sometimes connections were dropped without
alerting. After some research I found out that it is the stream4
preprocessor who was doing this. Adding the midstream_drop_alerts parameter
solves the problem however may expose us to snot & stick attacks.

2 questions about this:
 
1. I thought a snot & stick attack was designed to bury a hacking attempt
between other useless attacks and therefore obscure the logging and possible
recognition. But in an IPS system the attack itself is logged and also
blocked. So I do not understand why this is may be a problem?

2. Apparently the problem of question 1 is not an issue if the inline_state
parameter is set. However as we do not send all traffic through snort this
will probably cause a lot of packages to be dropped? Even more general, is
there a possible state problem when only traffic from internet/dmz is routed
to snort? In other words would some rules match due to a state problem?


Kind regards,
Pieter



--
---------------------------------------------------
aXs GUARD Training Center 
more info at http://www.axsguard.com/indextraining.htm

aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087
RPR Mechelen



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
---------------------------------------------------
aXs GUARD Training Center 
more info at http://www.axsguard.com/indextraining.htm

aXs GUARD has completed security and anti-virus checks on this e-mail (http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087
RPR Mechelen



-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users