Snort mailing list archives

Re: Help with inline setup


From: Simon Blixt <blixten_496 () hotmail com>
Date: Thu, 26 Apr 2012 12:30:53 +0000


Hi,

I'm copying Lysemose's answer to me when I asked a kinda relevant question like yours, hope it's helpful:

<quote from Lysemose>
You need to decide whether you want to run Snort as IDS or IPS. IDS is pure information gathering and with IPS you can make the Snort engine block traffic/packets. You shouldn't provide the monitoring interface with an IP.

IDS

You need to set your monitor interface to promiscuous mode and the port it is connected to on the switch needs to be set to span/mirroring.

If you're going this way I can really recommend a NIDS distro called SecurityOnion, http://securityonion.blogspot.com.

IPS

You need 3 interfaces, one for management and two for the bridge which Snort will create for you. Your interfaces need to be set to promiscuous mode too.
To the command you need to add -Q (run in inline mode) and -i eth1:eth2 (adds the interface pair on which Snort creates the bridge).
</end of quote>

Yours,
Blixten

From: is () gentestrana net
Date: Wed, 25 Apr 2012 21:22:31 +0200
To: snort-users () lists sourceforge net
Subject: [Snort-users] Help with inline setup

Hi list,

I'm trying to deploy Snort as an active IDS for a web application running under https.

To accomplish this, in my test machine I've set up this scenario:

Linux box with 2 ethernet interfaces:
eth0 public ip
eth1 private ip

On eth0 I'm running Apache as a reverse proxy to convert the incoming traffic to http instead of https. The redirect is running from the public ip to the private ip.
On eth1 I'm running Apache with the real web application.
This part is working fine. The application is running without problems.

On the same machine, I'm trying to run Snort to catch the traffic.

The alarms are working fine: I've tested some custom rules and they are ok.
The problem is when I'd like to drop packets: this is just not working.

Sniffing traffic, I've seen the http traffic to inspect running just on lo :-|
Due to this, this is my firewall setup for snort:

iptables -I INPUT -i lo -j NFQUEUE
iptables -A OUTPUT -o lo -j NFQUEUE

And it's working, because without running Snort, I cannot use the web application.
Running Snort permits access to the web application:

 snort -c snort.conf --daq nfq --daq-mode inline --daq-var device=lo -A full

The rule I'm testing is this one:

alert tcp any any -> any 80 (msg:" TEST OK! "; sid:1000000; rev:1;)

And the alert is triggered without problem:

[**] [1:1000000:1]  TEST OK!  [**]
[Priority: 0] 
04/25-21:18:15.809531 INTERNAL_IP:59174 -> INTERNAL_IP:80
TCP TTL:64 TOS:0x0 ID:60074 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xEDA2396B  Ack: 0xF38AE448  Win: 0x181  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1039782 1039519 

If I modify the rule from alert to drop or block, nothing happens.

Any clue?

Thanks

Andrea Cerrito
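As an added example (not part of the thread), here is a small Python parser for the `-A full` alert format quoted above, so the log can be summarised per sid and destination port when checking whether a test rule is matching the expected lo traffic. The sample records are constructed for illustration; the 127.0.0.1 addresses and the second record are invented.

```python
import re
from collections import Counter

# Constructed sample in Snort "-A full" format, modelled on the record quoted in the
# thread. Addresses and the second record are invented for illustration.
SAMPLE_ALERTS = """\
[**] [1:1000000:1]  TEST OK!  [**]
[Priority: 0]
04/25-21:18:15.809531 127.0.0.1:59174 -> 127.0.0.1:80
TCP TTL:64 TOS:0x0 ID:60074 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xEDA2396B  Ack: 0xF38AE448  Win: 0x181  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1039782 1039519

[**] [1:1000000:1]  TEST OK!  [**]
[Priority: 0]
04/25-21:18:16.100210 127.0.0.1:59176 -> 127.0.0.1:80
TCP TTL:64 TOS:0x0 ID:60080 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xAAAA  TcpLen: 40
"""

# "[**] [gid:sid:rev]  msg  [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]$")
# "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
# TCP flag field followed by Seq/Ack (e.g. "***A***F Seq: 0x... Ack: 0x...")
FLAGS_RE = re.compile(r"^([*A-Z12]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)")


def parse_full_alerts(text):
    """Split -A full output into blank-line-separated records and extract the fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header: skip rather than guess at the layout
        ev = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
        for line in lines[1:]:
            p = PACKET_RE.match(line)
            f = FLAGS_RE.match(line)
            if p:
                ev.update(ts=p[1], src=p[2], sport=int(p[3]), dst=p[4], dport=int(p[5]))
            elif line.startswith("[Priority:"):
                ev["priority"] = int(line.split(":")[1].strip(" ]"))
            elif f:
                ev["flags"] = f[1].replace("*", "")  # keep only the set flag letters
        events.append(ev)
    return events


def count_by_sid_and_dport(events):
    """How often each rule fired per destination port, e.g. {(1000000, 80): 2}."""
    return Counter((e["sid"], e["dport"]) for e in events)
```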

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!