Snort mailing list archives

Help with inline setup


From: Andrea Cerrito <is () gentestrana net>
Date: Wed, 25 Apr 2012 21:22:31 +0200

Hi list,

I'm trying to deploy Snort as an active IDS for a web application running under https.

To accomplish this, in my test machine I've set up this scenario:

Linux box with 2 ethernet interfaces:
eth0 public ip
eth1 private ip

On eth0 I'm running Apache as a reverse proxy to convert the incoming traffic to HTTP instead of HTTPS. The redirect is running from the public IP to the private IP.
On eth1 I'm running Apache with the real web application.
This part is working fine. The application is running without problems.

On the same machine, I'm trying to run Snort to catch the traffic.

The alarms are working fine: I've tested some custom rules and they are ok.
The problem is when I'd like to drop packets: this is just not working.

Sniffing the traffic, I've seen that the HTTP traffic to inspect is running just on lo :-|
Due to this, this is my firewall setup for Snort:

iptables -I INPUT -i lo -j NFQUEUE
iptables -A OUTPUT -o lo -j NFQUEUE

And it's working, because without running Snort, I cannot use the web application.
When Snort is running, it permits access to the web application:

snort -c snort.conf --daq nfq --daq-mode inline --daq-var device=lo -A full

The rule I'm testing is this one:

alert tcp any any -> any 80 (msg:" TEST OK! "; sid:1000000; rev:1;)

And the alert is triggered without problem:

[**] [1:1000000:1]  TEST OK!  [**]
[Priority: 0] 
04/25-21:18:15.809531 INTERNAL_IP:59174 -> INTERNAL_IP:80
TCP TTL:64 TOS:0x0 ID:60074 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xEDA2396B  Ack: 0xF38AE448  Win: 0x181  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1039782 1039519 

If I modify the rule from alert to drop or block, nothing happens.

Any clue?

Thanks

Andrea Cerrito
