Snort mailing list archives

Re: Handling firewall rejected packets in SNort IPS


From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 19 May 2013 13:19:11 -0400

On 5/19/2013 08:32, VES Education wrote:
> Thanks for the reply.

> point 1
>
> "what you really want is to force/ensure that the jmptosnort rule is at the top
> of the chain so that it is entered first and then anything that passes snort
> will come back to traverse the rest of the rules..."

i do hope that james' correction to my original post was noted... i forgot to 
flip the -A examples :(

> Would it result in performance loss as packet is coming to layer 2 then layer 7
> then again layer 2 then layer 7 for actual application.

you have to go thru the queue to get to snort any way you go... if you don't 
then snort will never see it... this is what you were speaking of in your 
original post... you wanted to ensure that snort saw all packets so that it 
could at least report them...

> If packet is allowed by Snort I am not sure how it will come back to firewall again.

ahhh... my mind went into "strict" iptables mode where packets traverse from one 
table to another table and then they return back to the original table unless 
otherwise diverted (dropped or passed directly)...

i'm hoping that others will jump in and contribute in answering your question...

> It seems to be a tricky thing. Would you mind clarifying?

i might be steering you wrong and/or confusing you... if so, i apologize...

> Thanks,
> B.Vijayakumar Athithan


--- On Fri, 17/5/13, waldo kitty <wkitty42 () windstream net> wrote:


    From: waldo kitty <wkitty42 () windstream net>
    Subject: Re: [Snort-users] Handling firewall rejected packets in SNort IPS
    To: snort-users () lists sourceforge net
    Date: Friday, 17 May, 2013, 1:56 PM

    On 5/17/2013 02:54, VES Education wrote:
     > Hi,
     >
     > This is very basic qtn on Snort IPS. Over last few days, I couldn't find
     > answer on net. Our intention is to find packet flow in our application.

    it would seem to be pretty basic, but i'm not so sure about that ;)

     > We would like to use Snort IPS (Currently we use Snort IDS). If we go for
     > inline mode, whether all incoming packets would be placed in NF queue by
     > firewall. Suppose a packet is getting rejected in firewall layer how Snort
     > IPS will come to know it.
     >
     > As per my current understanding, if a packet is rejected in firewall, it will
     > not go to Snort IPS. Hence IDS feature is missing in Snort IPS mode.

    this depends on where, in your firewall routing rules, you inject the rule to
    send the traffic to snort...

    consider a firewall script that starts off as


    iptables -A INPUT -j jmptogood
    iptables -A INPUT -j jmptosnort

    OR

    iptables -I INPUT -j jmptosnort
    iptables -I INPUT -j jmptogood


    in both cases, the actual ordering is not going to be what you expect it to
    be... jmptosnort will be last in line and everything else will be acted on
    first...

    what you really want is to force/ensure that the jmptosnort rule is at the top
    of the chain so that it is entered first and then anything that passes snort
    will come back to traverse the rest of the rules...

    NOTE: yes, this is a very simplistic and incomplete example... there's a reason
    for that ;) O:)

     > That means we need to use both Snort IDS mode and inline mode. Is that
     > possible to run two instances of snort in different modes in same machine.

    you don't need to do this if you get your firewall rules in the proper order ;)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
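The two questions in this thread, rule ordering and "how does the packet get back to the firewall", worked as an added example that is not from this thread or from the Snort project: a POSIX shell script that emits an iptables-restore ruleset (file order is chain order, so the -A/-I confusion above cannot arise) and checks that the jump to the Snort chain is first. It assumes Snort 2.9 started as `snort -Q --daq nfq --daq-var queue=0`, puts the NFQUEUE rule in mangle PREROUTING because an ACCEPT verdict from userspace resumes at the next netfilter hook/table rather than at the next rule of the same chain (so the filter rules still decide after Snort accepts), and uses a constructed sample filter policy.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that queues every
# inbound/forwarded packet to Snort (NFQUEUE) before the filter table runs.
# Assumed Snort invocation: snort -Q --daq nfq --daq-var queue=0 -c snort.conf
QUEUE_NUM=0

# Rule order in the restore file is the chain order, so there is no -A/-I
# confusion. The queue rule sits in mangle PREROUTING; when Snort accepts a
# packet the kernel resumes at the next hook/table, so filter INPUT/FORWARD
# still decide. --queue-bypass makes the rule act like ACCEPT when no Snort
# is bound to the queue (fail open); remove it to fail closed instead.
gen_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:SNORT - [0:0]
-A PREROUTING -j SNORT
-A SNORT -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass
COMMIT
*filter
# constructed sample policy: replace with your own rules
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Print the first rule appended to chain $1 (ordering sanity check).
first_rule() {
    gen_rules | awk -v chain="$1" '$1 == "-A" && $2 == chain { print; exit }'
}

# Verify Snort is entered before anything else touches the packet and that
# exactly one queue rule exists. Non-zero return means do not load the ruleset.
check_order() {
    [ "$(first_rule PREROUTING)" = "-A PREROUTING -j SNORT" ] || return 1
    [ "$(gen_rules | grep -c -- '-j NFQUEUE')" -eq 1 ] || return 1
}

# Usage (as root): check_order && gen_rules | iptables-restore
```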
