Snort mailing list archives
Re: Newbie question: reject rule for IPv6
From: K b <urbestfriend () gmail com>
Date: Mon, 12 Dec 2011 12:24:25 +0530
Just to add some more info. I tried ipq too without any success. But if I run my web server on an IPv4 address and run snort in ip4 mode, I see that the request gets blocked. I am wondering whether I have missed some step for IPv6, or do I need to change the rule for IPv6?

On Sun, Dec 11, 2011 at 4:09 PM, K b <urbestfriend () gmail com> wrote:
> JJ,
>
> I am using the following command to start snort.
>
>   snort -c /etc/snort.conf -N -D
>
> Also I have set the following parameters in snort.conf.
>
>   config daq: nfq
>   config daq_mode: inline
>   config daq_var: proto=ip6
>   config daq_dir:<dir>
>
> Note that I have built both daq and snort with the --ipv6-enabled option.
>
> My ip6table:
>
>   -A INPUT -d <ip_address>/128 -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
>
> The setup works fine, as I am seeing alerts getting logged when I send an HTTP request with a URI containing "snort-test", but unfortunately the request is not getting rejected (no ICMP6 unreachable) as it should've been, and the request is going through. In fact I tried 'drop' too, without any success.
>
> Can someone point out the code where ICMP unreachable is sent? I tried to debug daq and the verdict to NFQUEUE is always set as NF_ACCEPT.
>
> Thanks for the response.
>
> Regards,
> Kumar
>
> On Sat, Dec 10, 2011 at 9:16 PM, JJ Cummings <cummingsj () gmail com> wrote:
>> What does your iptables look like and what is your snort startup command line? Also, use drop, not reject.
>>
>> Sent from the iRoad
>>
>> On Dec 9, 2011, at 5:48, K b <urbestfriend () gmail com> wrote:
>>> Hello,
>>>
>>> A newbie here, and I was trying to set up snort inline with NFQ for IPv6 services. Just for testing I have added the following reject rule.
>>>
>>>   reject tcp any any -> any 80 (classtype:attempted-user; msg:"Snort_test"; content:"snort-test"; sid:9000001; rev:1;)
>>>
>>> Now if I send traffic with the above content, I see that alerts are getting generated but this request is not being reset as expected. I am running snort 2.9.1.2, my snort.conf is unchanged. What am I doing wrong?
>>>
>>> Have a good day.
>>>
>>> Thanks and regards,
>>> Kumar

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Newbie question: reject rule for IPv6 K b (Dec 10)
- Re: Newbie question: reject rule for IPv6 JJ Cummings (Dec 10)
- Re: Newbie question: reject rule for IPv6 K b (Dec 11)
- Re: Newbie question: reject rule for IPv6 K b (Dec 11)
- Re: Newbie question: reject rule for IPv6 K b (Dec 12)
- Re: Newbie question: reject rule for IPv6 K b (Dec 11)
- Re: Newbie question: reject rule for IPv6 JJ Cummings (Dec 10)