Snort mailing list archives
Re: What to do?
From: "Ellad G. Yatsko" <eyatsko () ngs ru>
Date: Fri, 22 Nov 2013 16:22:05 +0400
Hello!

I compiled again.. :-( To restore the step-by-step procedure... :-( As usual, afpacket hangs interfaces... :-(

Ubuntu 12.04.1 amd64 (under VMWare ESXi 5.2) is installed from scratch.

apt-get -y install build-essential libpcap0.8-dev libmysqlclient15-dev mysql-server libc6-dev g++ gcc pcregrep libpcre3-dev iptables-dev bison flex tshark

cd /usr/src/libdnet-1.12/
./configure "CFLAGS=-fPIC -g -O2"
make
make install

cd /usr/src/daq-2.0.1/
./configure
make
make install

cd /usr/src/snort-2.9.5.6/
./configure --enable-gre --enable-reload --enable-linux-smp-stats --enable-zlib --enable-active-response --enable-react --enable-flexresp3
make
make install

ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
ln -s /usr/local/lib/snort_dynamicpreprocessor /usr/lib/snort_dynamicpreprocessor
ln -s /usr/local/lib/snort_dynamicengine /usr/lib/snort_dynamicengine

Then I got the init.d script from a neighbour Virtual Machine where I had done apt-get install snort a minute ago, and the /etc/snort folder with all its content.

scp eyatsko@80.x.x.x:/etc/init.d/snort /etc/init.d/snort
scp -r eyatsko@80.x.x.x:/etc/snort /etc/
chown root:root /etc/init.d/snort
chown -R root:root /etc/snort

Then I updated /etc/snort/snort.conf:

. . .
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.0/24

# Set up the external network addresses. Leave as "any" in most situations
#ipvar EXTERNAL_NET any
ipvar EXTERNAL_NET !$HOME_NET
. . .

...and started snort:

snort -Q -v -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf

It got three bootp packets and hangs the interfaces.

As I can observe, such behaviour of Snort does not depend on:
- Snort version;
- Operating system/OS version;
- The way Snort is installed;
- Rule set (I commented out all include $RULE_PATH/* lines except local.rules, which was empty).

What could explain this situation?

Kind regards,
Ellad Yatsko
I have checked something. I re-installed the OS - changed it to Debian 7.2.0 x86 (Ubuntu 12.04.1 was amd64) and Snort. Snort, again, is of version 2.9.2 (to be more accurate: 2.9.2.2). All is much the same! It "hangs" interfaces after several tens of packets, and until several minutes have passed after Snort execution is broken off. What could it be? I have already mentioned that I compiled Snort from sources. Afpacket behaves similarly. Anybody help me!... :-)

We have Ubuntu Server 12.04.1 LTS with snort 2.9.2 - both installed from scratch. The Snort 2.9.2 distribution is native for this Ubuntu release.

~# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
~#

Snort config and rule set are both the defaults that come with the distribution (apt-get install ...).

IPTables has its default configuration:

~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
~# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
~#

I tried to put some traffic into QUEUE by a command like: iptables -A INPUT -p udp -j QUEUE, but it has no effect on my main problem. I found just a few cases on the Internet where Snort has been started in inline mode. And they do not abound in examples of how to set up IPTables in conjunction with Snort... :-( And, moreover, all of them differ depending on the Snort version.
After starting Snort via the command line:

~# snort -Q -vv -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf

Snort received some tens of packets (mainly my SSH session to the server with Snort), then both interfaces eth0 and eth1 become unavailable from outside (i.e. from ipvar EXTERNAL_NET !$HOME_NET), but I still can ping them from the server's console. Going further: when I tried to ping something out of the server's interfaces this also had no result. Nothing is accessible via the monitored interfaces. When I break the program execution, the interfaces from outside and external destinations from inside continue to be inaccessible for some time (several minutes).

Now I have two more or less clear dilemmas:
- how to start Snort in inline mode and avoid it hanging up (main problem);
- how to set up IPTables, if it is needed for the daq.

The future plan for Snort is to analyze and drop excessive SIP traffic ONLY (methods: REGISTER and INVITE) from certain IPs. For example, if there are many registrations per second (or per ten seconds - no matter). Such a traffic pattern must be "isolated" from the SIP registrar. And the same story goes for INVITEs. Ideally, it would be perfect if Snort could add rules to IPTables to block "rogue traffic" permanently! :-) As a rule (by my own observations) the "bad guys" always sit at the same IP addresses.

Please, help... :-)
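As an added example (not from this thread or from the Snort project), here are two local.rules entries for the SIP rate-limiting plan described in the message. They assume the registrar listens on UDP/5060, that $HOME_NET and $EXTERNAL_NET are set as in the quoted snort.conf, and that the thresholds (20 REGISTERs or 10 INVITEs per 10 s from one source) are placeholders to be tuned against real registrar traffic.

```conf
# Added example, not from the thread: SIP REGISTER/INVITE rate rules for
# Snort 2.9.x local.rules. Assumes UDP/5060 and placeholder thresholds.
# detection_filter suppresses the rule until "count" matches from the same
# source have been seen within "seconds", then fires on every further match
# in that window, so the first few registrations from a phone are untouched.

# Stage 1: observe only (IDS mode, or inline with -Q). Check the hit counts
# in the alert log before changing the action to drop.
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 ( \
    msg:"SIP REGISTER rate exceeded (observe only)"; \
    content:"REGISTER "; depth:9; \
    detection_filter: track by_src, count 20, seconds 10; \
    classtype:attempted-dos; sid:1000001; rev:1; )

# Stage 2: same idea for INVITE, but drop. The drop action only takes
# effect when Snort runs inline (-Q with an inline-capable DAQ such as
# afpacket); in passive mode it behaves like alert.
drop udp $EXTERNAL_NET any -> $HOME_NET 5060 ( \
    msg:"SIP INVITE rate exceeded, dropping"; \
    content:"INVITE "; depth:7; \
    detection_filter: track by_src, count 10, seconds 10; \
    classtype:attempted-dos; sid:1000002; rev:1; )

# If the sip preprocessor is enabled in snort.conf, "sip_method:register;"
# can replace the content/depth match so that only parsed SIP requests count.
```

With drop, only the packets beyond the threshold are discarded, and nothing is blocked permanently; a persistent iptables block of an offending source is a separate step these rules do not perform.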