Snort with NFQUEUE allows everything (even unopened ports)

[Amm Snort <ammdispose-snort () yahoo com>]

Hello all,


I have setup snort with DAQ NFQUEUE.

My problem is inspite of firewall rule to block all ports, system starts allowing ALL THE PORTS.

Without SNORT/NFQUEUE, blocking happens perfectly fine.


So either I am making a STUPID mistake (I hope so) otherwise there is a serious SECURITY issue.


System:
Fedora 16 (64 bit)
Snort version 2.9.2.2 (compiled from src rpm at http://www.snort.org/snort-downloads)

Daq version 0.6.2 (compiled from src rpm at http://www.snort.org/snort-downloads with NFQ enabled)


snort.conf summary:


#monitor connection to LAN and DSL IP (dynamic)

ipvar HOME_NET [192.168.1.0/24,1.2.0.0/16]


config daq: nfq
config daq_mode: inline
config daq_dir: /usr/lib64/daq


Command line:


snort  -A fast -b -d -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

(no interface specified, -Q not needed as config daq_mode set to inline)


Rule File: (just one rule for testing)


alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP 
Hydra Activity Detected"; flow:to_server,established; content:"hydra"; 
nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; 
reference:url,www.thc.org/releases.php; classtype:misc-attack; 
sid:100000167; rev:1;)

IPTABLES:

iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
iptables -I OUTPUT 1 -p tcp -o ppp1 -j NFQUEUE


(rule triggers alert on sending "EHLO hydra" - hence setup seems to be running fine)



Now THE SERIOUS PROBLEM:

As shown below, my iptables INPUT chain allows connection ONLY on port 22.

1) iptables -nvL INPUT (on snort system)


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  274  146K NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 ACCEPT     tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
17344  816K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with 
icmp-host-prohibited


2) telnet 1.2.3.4 25 (from some remote machine)


Trying to connect to port 25 of SNORT machine from some remote machine.


Trying 1.2.3.4...
Connected to XXXXX.
Escape character is '^]'.
220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:17:42 +0530
 >>>> How did it connect to port 25???
ehlo hydra....

3) tail -1 /var/log/snort/alert

03/30-23:17:46.056165  [**] [1:100000167:1] GPL SMTP SMTP Hydra Activity Detected [**] [Classification: Misc Attack] 
[Priority: 2] {TCP} 2.2.2.2:35256 -> 1.2.3.4:25

(which means snort detected the hydra activity as expected)


4) iptables -D INPUT 1 -p tcp -i ppp1 -j NFQUEUE

Delete the NFQUEUE rule. i.e. disable SNORT inspection


5) telnet 1.2.3.4 25 (try again)


Trying 1.2.3.4 ...
telnet: connect to address 1.2.3.4: No route to host


> > > Blocked (packet rejected) just as expected after removing snort NFQUEUE rule

6) Add rule again with one additional DROP rule for port 25
iptables -I INPUT 1 -p tcp -i ppp1 -j NFQUEUE
iptables -I INPUT 2 -p tcp -i ppp1 --dport 25 -j DROP


a) iptables -nvL INPUT


 pkts bytes target     prot opt in     out     source               destination         
   29  3660 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25


Now try to connect again:

telnet 1.2.3.4 25

Trying 1.2.3.4...
Connected to XXXXX.
Escape character is '^]'.
220 XXXX ESMTP Sendmail; Fri, 30 Mar 2012 23:32:17 +0530


> > > WHAT?!! Started accepting connection again!!!!


b) iptables -nvL INPUT


 pkts bytes target     prot opt in     out     source               destination         
   72  7982 NFQUEUE    tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 0
    0     0 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25

> > > Notice that DROP counter has not increased at all, which means Snort/NFQUEUE is ALLOWING the packet instead of 
> > > proceeding to next rule (which is DROP rule)


c) Port Scan

nmap -n 1.2.3.4

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on  (1.2.3.4):
(The 1590 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
25/tcp     open        smtp                    
80/tcp     open        http                    
111/tcp    open        sunrpc                  
135/tcp    filtered    loc-srv                 
137/tcp    filtered    netbios-ns              
139/tcp    filtered    netbios-ssn             
443/tcp    open        https                   
445/tcp    filtered    microsoft-ds            
3128/tcp   open        squid-http


> > > EVERYTHING is OPEN!!! 

d) Delete NFQUEUE rule and try to connect again:


iptables -D INPUT -p tcp -i ppp1  -j NFQUEUE

telnet 1.2.3.4 25

Trying 1.2.3.4...

Nothing happens due to DROP rule (as expected)


d) iptables -nvL INPUT (check packet COUNTER)

 pkts bytes target     prot opt in     out     source               destination         
    2   120 DROP       tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25


> > > DROP Counter increased once the NFQUEUE rule is deleted




So inshort NFQUEUE or Snort is ALLOWING the packet directly instead of letting it pass to next iptables rule.


Is there something I missed or there is really something wrong with SNORT/NFQUEUE?



Please correct me.

Thank you,


Amm

------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here 
http://p.sf.net/sfu/sfd2d-msazure

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!