Snort mailing list archives

Re: question policy default snort

From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 5 Apr 2010 07:09:31 -0400

After setup I tried to access via terminal service but the connection
does not work. I did the command "tail-f" in file alert and nothing and
there is some political pattern generated snort to block traffic that
does not match?


Generally speaking, if Snort's not generating any alerts, it's not going to
be the source of the problem - especially since a default, out-of-the box
installation of Snort is typically very quick to generate alerts. Though,
just to be sure - I see in your command above that you have no spaces
between "tail" and "-f" (it should be "tail -f"), which would cause "tail"
to fail. That's just a typo here on the list, right?

As far as Snort blocking traffic that *does not* match, no, it doesn't do
anything with a packet if it doesn't match - it just lets it pass through.

Have you successfully sent traffic through this setup without Snort? It's
possible some other part of your bridge setup is improperly configured.

On Mon, Apr 5, 2010 at 12:47 AM, Ricardo Barbosa <
ricardobarbosams () yahoo com br> wrote:

Hi,

I set up a firewall with snort inline bridge mode and am using the
following configuration and firewall rule for level
test.

---- snort.conf -----
var HOME_NET [192.168.1.0/24]
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
portvar HTTP_PORTS 80
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1521
var AIM_SERVERS
[
64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,2

05.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24
]
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
config disable_ipopt_alerts
config enable_decode_oversized_alerts
config enable_decode_oversized_drops
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
                             track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor http_inspect: global \
   iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
   profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor ftp_telnet: global \
  encrypted_traffic yes \
  inspection_type stateful
preprocessor ftp_telnet_protocol: telnet \
  normalize \
  ayt_attack_thresh 200
preprocessor ftp_telnet_protocol: ftp server default \
  def_max_param_len 100 \
  alt_max_param_len 200 { CWD } \
  cmd_validity MODE < char ASBCZ > \
  cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
  chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
  telnet_cmds yes \
  data_chan
preprocessor ftp_telnet_protocol: ftp client default \
  max_resp_len 256 \
  bounce yes \
  telnet_cmds yes
preprocessor smtp: \
 ports { 25 587 691 } \
 inspection_type stateful \
 normalize cmds \
 normalize_cmds { EXPN VRFY RCPT } \
 alt_max_command_line_len 260 { MAIL } \
 alt_max_command_line_len 300 { RCPT } \
 alt_max_command_line_len 500 { HELP HELO ETRN } \
 alt_max_command_line_len 255 { EXPN VRFY }
preprocessor sfportscan: proto  { all } \
                        memcap { 10000000 } \
                        sense_level { low }
preprocessor dcerpc2
preprocessor dcerpc2_server: default
preprocessor dns: \
   ports { 53 } \
   enable_rdata_overflow
preprocessor ssl: noinspect_encrypted, trustservers
output alert_syslog: log_local7 log_debug
output log_tcpdump: tcpdump.log
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/community-exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/community-dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/community-sql-injection.rules
include $RULE_PATH/community-web-client.rules
include $RULE_PATH/community-web-dos.rules
include $RULE_PATH/community-web-iis.rules
include $RULE_PATH/community-web-misc.rules
include $RULE_PATH/community-web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/community-ftp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/community-smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/community-sip.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/community-virus.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/users.rules
include threshold.conf

--- iptables rules ----
iptables -t filter -I FORWARD -j QUEUE

The firewall is in bridge mode. I mounted the bridge using the following
commands.

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig eth0 arp
ifconfig eth1 arp
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
Regards.





__________________________________________________
Faça ligações para outros computadores com o novo Yahoo! Messenger
http://br.beta.messenger.yahoo.com/



------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

question policy default snort Ricardo Barbosa (Apr 04)
- Re: question policy default snort Alex Kirk (Apr 05)