Snort mailing list archives

Problem with iptables


From: "Stacker Hush" <stackerhush () gmail com>
Date: Sat, 14 Nov 2009 16:34:01 -0200

Hello to all,

I'm trying to use snort with ossec to block ultrasurf access from internal
users of my lan.

My server has this configuration:
eth0: 192.168.1.254 (external)
eth1: 10.1.1.254 (internal)

I'm running snort version 2.8.5.1 and iptables version 1.4.4. My default
policy is set to drop. I'm using an external DNS.

With iptables disabled (all accept) and no rules activated, snort detects
ultrasurf fine and the internal IP of the client is blocked by ossec.
The rule I'm using is this (from emergingthreats.net):

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External Ultrasurf Anonymizer DNS Query";
content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";
classtype:policy-violation; threshold:type limit, track by_src, count 1, seconds 60;
reference:url,doc.emergingthreats.net/2008533;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Ultrasurf;
sid:2008533; rev:3;)


I'm using this NAT rule: iptables -A POSTROUTING -t nat -j SNAT --to-source
192.168.91.131 -s 10.1.1.1/24 -o eth0

When I enable the firewall, snort stops detecting the ultrasurf connection
and the traffic passes with no problems.

With snort I have:
var HOME_NET 10.1.1.0/24
var EXTERNAL_NET any

Any idea how to solve this problem?

Many thanks to all,

Stacker
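The following is an added example, not part of the original post and not from the Snort or Emerging Threats projects. It takes the HOME_NET/EXTERNAL_NET values, the SNAT `--to-source` address and the header plus `content` option of rule 2008533 exactly as they appear above, and simulates the one thing the NAT rule is certain to do: rewrite the source address in POSTROUTING. The same DNS query is then checked against the rule once as it looks on the inside interface (source 10.1.1.x) and once as it looks after SNAT on eth0 (source 192.168.91.131). The client address 10.1.1.10, the resolver address 8.8.8.8 and the packet payload are constructed placeholders; the post does not say which interface Snort listens on, so the example only shows what the rule sees on each side, not which side the poster's sensor is attached to.

```python
"""Added example: does a $HOME_NET-scoped Snort rule still match after SNAT?"""
import ipaddress
import re

# Snort variables as given in the post.
VARS = {"HOME_NET": "10.1.1.0/24", "EXTERNAL_NET": "any"}

# Rule header and the options this toy matcher understands (content, sid).
RULE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET 53 ('
    'msg:"ET POLICY Possible External Ultrasurf Anonymizer DNS Query"; '
    'content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; '
    'sid:2008533; rev:3;)'
)


def resolve_net(token, variables):
    """Map a Snort address token ($VAR, 'any' or CIDR) to a network; None means any."""
    if token.startswith("$"):
        token = variables[token[1:]]
    if token == "any":
        return None
    return ipaddress.ip_network(token, strict=False)


def resolve_port(token):
    return None if token == "any" else int(token)


def parse_rule(rule, variables):
    """Parse the header and the hex content/sid options of a unidirectional rule."""
    header, options = rule.split("(", 1)
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("only '->' rules are handled here")
    contents = [bytes.fromhex(h)
                for h in re.findall(r'content:"\|([0-9A-Fa-f ]+)\|"', options)]
    sid = re.search(r"sid:(\d+)", options)
    return {
        "action": action, "proto": proto,
        "src": resolve_net(src, variables), "sport": resolve_port(sport),
        "dst": resolve_net(dst, variables), "dport": resolve_port(dport),
        "contents": contents, "sid": int(sid.group(1)) if sid else None,
    }


def addr_ok(net, addr):
    return net is None or ipaddress.ip_address(addr) in net


def port_ok(want, got):
    return want is None or want == got


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (addr_ok(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])):
        return False
    if not (addr_ok(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"])):
        return False
    return all(c in pkt["payload"] for c in rule["contents"])


# Constructed payload: a DNS header followed by 22 zero bytes so the content
# option matches. This is not captured Ultrasurf traffic.
PAYLOAD = bytes.fromhex("abcd0100000100000000") + b"\x00" * 22


def snat(pkt, new_src):
    """Effect of 'iptables -t nat -A POSTROUTING -j SNAT': rewrite the source."""
    return {**pkt, "src": new_src}


def classify_views(rule_text=RULE, variables=VARS):
    """Whether the rule fires on the pre-NAT (eth1) and post-NAT (eth0) view."""
    rule = parse_rule(rule_text, variables)
    inside = {"proto": "udp", "src": "10.1.1.10", "sport": 40123,  # constructed client
              "dst": "8.8.8.8", "dport": 53, "payload": PAYLOAD}   # placeholder resolver
    outside = snat(inside, "192.168.91.131")  # --to-source address from the post
    return {"eth1_pre_nat": rule_matches(rule, inside),
            "eth0_post_nat": rule_matches(rule, outside)}


if __name__ == "__main__":
    for view, fired in classify_views().items():
        print(f"{view}: {'alert' if fired else 'no alert'}")
```

The pre-NAT view matches because 10.1.1.10 is inside 10.1.1.0/24; the post-NAT view does not, because after SNAT the source is 192.168.91.131 and `$HOME_NET` no longer covers it. The general check this gives a defender is: for each sensor interface, confirm that the addresses the sensor actually sees there fall inside the rule's `$HOME_NET`, since NAT changes that answer per interface.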


