Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: What to do?

From: "Ellad G. Yatsko" <eyatsko () ngs ru>
Date: Fri, 22 Nov 2013 16:22:05 +0400
Hello!

I compiled again.. :-( To restore step-by-step procedure... :-( As usual 
afpacket hangs interfaces... :-(
Ubuntu 12.04.1 amd64 (under VMWare ESXi 5.2) is from scratch.

apt-get -y install build-essential libpcap0.8-dev libmysqlclient15-dev 
mysql-server libc6-dev g++ gcc pcregrep libpcre3-dev iptables-dev bison 
flex tshark

cd/usr/src/libdnet-1.12/
./configure "CFLAGS=-fPIC -g -O2"
make
make install

cd /usr/src/daq-2.0.1/
./configure
make
make install

cd /usr/src/snort-2.9.5.6/
./configure --enable-gre --enable-reload --enable-linux-smp-stats 
--enable-zlib --enable-active-response --enable-react --enable-flexresp3
make
make install

ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
ln -s /usr/local/lib/snort_dynamicpreprocessor 
/usr/lib/snort_dynamicpreprocessor
ln -s /usr/local/lib/snort_dynamicengine /usr/lib/snort_dynamicengine

Then I got init.d script from neighbor Virtual Machine where I had done 
apt-get install snort a minute ago and /etc/snort folder with all its 
content.

scp eyatsko@80.x.x.x:/etc/init.d/snort /etc/init.d/snort
scp -r eyatsko@80.x.x.x:/etc/snort /etc/
chown root:root /etc/init.d/snort
chown -R root:root /etc/snort

Then I updated /etc/snort/snort.conf:
. . .
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.0/24

# Set up the external network addresses. Leave as "any" in most situations
#ipvar EXTERNAL_NET any
ipvar EXTERNAL_NET !$HOME_NET
. . .

...and started snort:
snort -Q -v -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf

It got three bootp packets and hangs interfaces.

As I can observe such behaviour of Snort does not depend on
- Snort Version;
- Operation system/OS version;
- The way through Snort is installed;
- Rule set (I commented all include $RULE_PATH/* lines except 
local.rules, which was empty).

What could explain this situation?

Kind regard,
Ellad Yatsko


I have checked something. I re-installed OS - changed it on Debian 7.2.0
x86 (Ubuntu 12.04.1 was amd64) and Snort. Snort, again, is of version
2.9.2 (if to be more accurate: 2.9.2.2).
All is much the same! It "hangs" interfaces after several tens of
packets and until several minutes passed after Snort execution break down.

What could it be? I have already mentioned that I compiled Snort from
sources. Afpacket behaves similarly.

Anybody help me!... :-)



We have Ubuntu Server 12.04.1 LTS with snort 2.9.2 - both installed from
scratch. Snort 2.9.2 distribution is native for this Ubuntu Release.

~# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
~#

Snort config and rule set both are default they come with distribution
(apt-get install ...)

IPTables has its default configuration:
~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
~# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
~#
I tried to put some traffic into QUEUE by command like: iptables -A
INPUT -p udp -j QUQUE, but it has no effect relative to my main problem.
I found just few cases in Internet when Snort have been started in
inline mode. And they do not abound in examples how to set up IPTables
in conjunction to Snort... :-( And, moreover, all of them differ
depending on Snort version.


After starting Snort via command-line:
~# snort -Q -vv -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf


Snort received some tens of packets (mainly my SSH session to server
with Snort), both interfaces eth0 and eth1 become unavailable from
outside (i. e. from ipvar EXTERNAL_NET !$HOME_NET  ), but I still can
ping them from server's console. Go further. When I tried to ping
something out the server's interfaces this also has no result. Nothing
is accessible via monitored interfaces.

When I break the program execution interfaces from outside and external
destinations from inside continue to be inaccessible for some time
(several minutes).

Now I have two more or less clear dilemmas:
- how to start Snort in inline mode and to avoid it hang up (main problem);
- how to set up IPTables if it needed to daq.

Future plan relative to Snort  supposes to analyze and drop excessive
SIP-traffic ONLY (methods: REGISTER and INVITE) from certain IPs. For
example if there are many registrations per second (per ten of seconds -
no matter). Such traffic patter must be "isolated" from SIP-registrar.
And the same history is for INVITES. Ideally, it would be perfect if
Snort can add rules to IPTables to block "rougue traffic" permanently!
:-) As a rule (by my own observations) "bad guys" sit always at the same
IP addresses.

Please, help... :-)




------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: