Snort mailing list archives
Problem with iptables
From: "Stacker Hush" <stackerhush () gmail com>
Date: Sat, 14 Nov 2009 16:34:01 -0200
Hello to all,

I'm trying to use Snort with OSSEC to block Ultrasurf access from internal users of my LAN. My server has this configuration:

eth0: 192.168.1.254 (external)
eth1: 10.1.1.254 (internal)

I'm running Snort version 2.8.5.1 and iptables version 1.4.4. My default policy is set to DROP. I'm using an external DNS. With iptables disabled (all ACCEPT), without rules activated, Snort detects Ultrasurf fine and the internal IP of the client is blocked by OSSEC. The rule I'm using is this (from emergingthreats.net):
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:policy-violation; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Ultrasurf; sid:2008533; rev:3;)
For NAT I'm using this rule:

iptables -A POSTROUTING -t nat -j SNAT --to-source 192.168.91.131 -s 10.1.1.1/24 -o eth0

When I enable the firewall, Snort stops detecting the Ultrasurf connection and the traffic passes with no problems. In Snort I have:

var HOME_NET 10.1.1.0/24
var EXTERNAL_NET any

Any idea how to solve this problem?

Many thanks to all,
Stacker
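An added illustration (not part of the original post or of Snort itself) of why the sensor's vantage point matters with the configuration above: the rule's $HOME_NET test is evaluated against whatever source address Snort actually sees, and the posted SNAT rule rewrites 10.1.1.0/24 sources to 192.168.91.131 as packets leave eth0. The sample datagram, the 8.8.8.8 resolver and the assumption that Snort captures on eth0 after NAT are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Snort variables exactly as given in the post.
HOME_NET = ipaddress.ip_network("10.1.1.0/24")
EXTERNAL_NET_ANY = True  # "var EXTERNAL_NET any"

# Modelled from the posted iptables rule: -s 10.1.1.1/24 (iptables treats it
# as 10.1.1.0/24) is rewritten to 192.168.91.131 on the way out of eth0.
SNAT_SOURCE = ipaddress.ip_address("192.168.91.131")

# The 22 zero bytes from the rule's content: match (ET sid 2008533).
ZERO_RUN = b"\x00" * 22

@dataclass(frozen=True)
class UdpPacket:
    src: str
    dst: str
    dport: int
    payload: bytes

def apply_snat(pkt: UdpPacket) -> UdpPacket:
    """Model the POSTROUTING SNAT: rewrite HOME_NET sources, leave others."""
    if ipaddress.ip_address(pkt.src) in HOME_NET:
        return UdpPacket(str(SNAT_SOURCE), pkt.dst, pkt.dport, pkt.payload)
    return pkt

def rule_2008533_matches(pkt: UdpPacket) -> bool:
    """Simplified header + content check for the posted rule:
    udp $HOME_NET any -> $EXTERNAL_NET 53 with a 22-byte zero run."""
    src_ok = ipaddress.ip_address(pkt.src) in HOME_NET
    dst_ok = EXTERNAL_NET_ANY
    return src_ok and dst_ok and pkt.dport == 53 and ZERO_RUN in pkt.payload

def detection_by_vantage(pkt: UdpPacket) -> tuple:
    """Return (matches as seen on eth1 pre-NAT, matches as seen on eth0 post-NAT)."""
    return rule_2008533_matches(pkt), rule_2008533_matches(apply_snat(pkt))

# Constructed sample: a DNS-looking UDP datagram with a long zero run,
# sent from an internal client to an (assumed) external resolver.
SAMPLE = UdpPacket("10.1.1.20", "8.8.8.8", 53,
                   b"\x12\x34\x01\x00" + ZERO_RUN + b"\x07example\x03com\x00")

if __name__ == "__main__":
    inside, outside = detection_by_vantage(SAMPLE)
    print(f"seen on eth1 (pre-NAT):  match={inside}")    # True
    print(f"seen on eth0 (post-NAT): match={outside}")   # False
```

The same datagram matches before SNAT and fails the $HOME_NET test after it, which is why the interface Snort sniffs (or a HOME_NET that covers the NATed address) decides whether the alert, and the OSSEC block built on it, ever fires.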