Re: Help with inline setup

[Andrea Cerrito <is () gentestrana net>]

Thanks for the reply!

In this way, the Snort is on another machine: the problem is that I'd like to run Snort on the same machine.
And in this configuration, I've to use the NFQ DAQ (instead of afpacket) because the traffic is on just one interface 
(lo).

Anyway, can you point to me how to realize the IPS in your configuration?

Thanks

Il giorno 26/apr/2012, alle ore 14:30, Simon Blixt ha scritto:

> Hi,
>
> I'm copying Lysemose's answer to me when I asked a kinda relevant question like yours, hopes it's helpful:
> <quote from Lysemose>
> You need to  decide whether you want to run Snort as IDS or IPS. IDS is pure information gathering and with IPS you 
> can make the Snort engine block traffic/packets. You shouldn't provide the monitoring interface with an IP. 
> IDS
> You need to set your monitor interface to promiscuous mode and the port it is connected to on the switch needs to be 
> set to span/mirroring.
> If you're going this way I can really recommend NIDS distro called SecurityOnion,http://securityonion.blogspot.com.
> IPS
> You need 3 interfaces, one for management and two for the bridge which Snort will create for you. Your interfaces 
> needs to be set to promiscuous mode too. 
> To the command you need to add -Q (run in inline mode) and -i eth1:eth2 (adds the interface pair on which Snort 
> creates the bridge)
> </end of quote>
>
>
> Yours,
> Blixten
>
>
> > From: is () gentestrana net
> > Date: Wed, 25 Apr 2012 21:22:31 +0200
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] Help with inline setup
> >
> > Hi list,
> >
> > I'm trying to deploy Snort as an active IDS for a web application running under https.
> >
> > To accomplish this, in my test machine I've setup this scenario:
> >
> > Linux box with 2 ethernet interfaces:
> > eth0 public ip
> > eth1 private ip
> >
> > On eth0 i'm running Apache as a reverse-proxy to convert the incoming traffic to http instead https. The redirect 
> > is running from the public ip to the private ip.
> > On eth1 I'm running Apache with the real web application.
> > This part is working fine. The application is running without problems.
> >
> > On the same machine, I'm try to run Snort to catch the traffic.
> >
> > The alarms are working fine: I've tested some custom rules and they are ok.
> > The problem is when I'd like to drop packet: this is just not working.
> >
> > Sniffing traffic, I've seen the http traffic to inspect running just on lo :-|
> > Due to this, this is my firewall setup for snort:
> >
> > iptables -I INPUT -i lo -j NFQUEUE
> > iptables -A OUTPUT -o lo -j NFQUEUE
> >
> > And it's working, because without running Snort, I cannot use the web application.
> > Running snort, it permits to access the web application:
> >
> > snort -c snort.conf --daq nfq --daq-mode inline --daq-var device=lo -A full
> >
> > The rule I'm testing is this one:
> >
> > alert tcp any any -> any 80 (msg:" TEST OK! "; sid:1000000; rev:1;)
> >
> > And the alert is triggered without problem:
> >
> > [**] [1:1000000:1] TEST OK! [**]
> > [Priority: 0] 
> > 04/25-21:18:15.809531 INTERNAL_IP:59174 -> INTERNAL_IP:80
> > TCP TTL:64 TOS:0x0 ID:60074 IpLen:20 DgmLen:52 DF
> > ***A***F Seq: 0xEDA2396B Ack: 0xF38AE448 Win: 0x181 TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 1039782 1039519 
> >
> > If i modify the rule from alert to drop or block, nothing happens.
> >
> > Any clue?
> >
> > Thanks
> >
> > Andrea Cerrito
> >
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and 
> > threat landscape has changed and how IT managers can respond. Discussions 
> > will include endpoint security, mobile security and the latest in malware 
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!