Snort mailing list archives

Re: IPS options


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 6 Mar 2014 12:36:06 +0000

Looks like your iptables rule specifies tcp, so the icmp rule won't fire because Snort isn't getting icmp traffic.

Check Snort's shutdown counts to see if it is getting the traffic you want.  You may want to change your iptables rules.

________________________________
From: Y M [snort () outlook com]
Sent: Thursday, March 06, 2014 7:31 AM
To: snort-users
Subject: Re: [Snort-users] IPS options



________________________________
From: jlay () slave-tothe-box net
To: snort-users () lists sourceforge net
Date: Thu, 6 Mar 2014 05:15:31 -0700
Subject: Re: [Snort-users] IPS options

On Thu, 2014-03-06 at 06:26 +0000, Y M wrote:
As far as I know, signatures with "alert" keyword should still work as usual when running Snort inline. Only those 
signatures marked with "drop" will be dropped; the rest, i.e. "alert" signatures, should only alert as normal, at 
least when using the afpacket DAQ. I wouldn't imagine the behavior is different for NFQ, but I never tested it.

We have two sensors running inline (afpacket), and although they do not contain "alert" signatures at the moment, they 
worked as expected during testing in regards to running "alert" and "drop" signatures at the same time.

YM.

To: snort-users () lists sourceforge net
Date: Wed, 5 Mar 2014 16:46:45 -0700
From: jlay () slave-tothe-box net
Subject: [Snort-users] IPS options

Hey all,

So....looking at changing a current Snort IDS to IPS...I've gotten some
good feedback, but wanted to post here as well. The setup is a linux
box with two nics already bridged. I need to just IPS a certain
protocol/port combination, and still alert as usual on everything else.
I looked at DAQ NFQ, but found that after getting that to work, other
alerts stopped. So what are my options for this? I read through the
daq doc and whatnot, but wanted opinions here as well. Thanks for any
insight.

James

Thanks YM and waldo...here's what I've tested:

iptables -I INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c snort/snort.conf

rules:
drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)
alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)

testing:
[05:09:22 jlay@JamesiMac:~$] telnet analysis 80
Trying 192.168.1.6...
^C
[05:09:31 jlay@JamesiMac:~$] ping analysis
PING analysis (192.168.1.6) 56(84) bytes of data.
64 bytes from analysis (192.168.1.6): icmp_seq=1 ttl=64 time=0.176 ms

results:
03/06-05:09:28.544877  [Drop] [**] [1:10000053:0] Test 80 [**] [Priority: 0] {TCP} 192.168.1.2:34392 -> 192.168.1.6:80

So...looks like this method no workie.  What daq mode are you using YM?

--daq afpacket --daq-mode inline


Thank you.

James
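An added diagnostic example (not from the thread, and not Snort or iptables code) that mechanises Russ's point: it takes iptables-save style rule lines, Snort rule lines and console alert lines like the ones James pasted, works out which protocols iptables actually steers into NFQUEUE, and reports each sid as fired, quiet, or never queued because its protocol is never handed to Snort. It also lists the iptables lines that would steer the missing protocols to the same queue. The sample inputs are constructed from the commands, rules and alert line in the thread; the function names and the `diagnose` statuses are my own.

```python
# Added example (not from the thread): cross-check an iptables NFQUEUE setup
# against a Snort ruleset and the alerts actually produced.
import re

# Constructed sample inputs, mirroring the thread.
IPTABLES_RULES = [
    "-A INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1",
]
SNORT_RULES = [
    'drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)',
    'alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)',
]
ALERT_LINES = [
    "03/06-05:09:28.544877  [Drop] [**] [1:10000053:0] Test 80 [**] "
    "[Priority: 0] {TCP} 192.168.1.2:34392 -> 192.168.1.6:80",
]

_RULE_HDR = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r".*?\(\s*(?P<opts>.*)\)\s*$"
)
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_MSG = re.compile(r'\bmsg\s*:\s*"([^"]*)"')
# Console alert: ... [gid:sid:rev] msg [**] ... {PROTO} src -> dst
_ALERT = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*\{(?P<proto>[A-Za-z]+)\}"
)


def _arg(tokens, flag):
    """Value following an iptables flag, or None if the flag is absent."""
    if flag not in tokens:
        return None
    i = tokens.index(flag)
    return tokens[i + 1] if i + 1 < len(tokens) else None


def queued_protocols(iptables_rules):
    """Protocols iptables hands to NFQUEUE; {'all'} when a rule has no -p."""
    protos = set()
    for rule in iptables_rules:
        tokens = rule.split()
        if _arg(tokens, "-j") != "NFQUEUE":
            continue
        proto = _arg(tokens, "-p")
        protos.add("all" if proto in (None, "all") else proto.lower())
    return protos


def parse_snort_rule(line):
    """Minimal parse of a Snort rule: action, protocol, sid and msg."""
    m = _RULE_HDR.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    sid = _SID.search(m.group("opts"))
    msg = _MSG.search(m.group("opts"))
    return {
        "action": m.group("action"),
        "proto": m.group("proto").lower(),
        "sid": int(sid.group(1)) if sid else None,
        "msg": msg.group(1) if msg else "",
    }


def fired_sids(alert_lines):
    """sid -> protocol for every line in Snort's console alert format."""
    seen = {}
    for line in alert_lines:
        m = _ALERT.search(line)
        if m:
            seen[int(m.group("sid"))] = m.group("proto").lower()
    return seen


def diagnose(iptables_rules, snort_rules, alert_lines):
    """Per sid: 'fired', 'never_queued: ...' or 'quiet: ...' (hypothetical labels)."""
    queued = queued_protocols(iptables_rules)
    seen = fired_sids(alert_lines)
    report = {}
    for rule in (parse_snort_rule(r) for r in snort_rules):
        proto, sid = rule["proto"], rule["sid"]
        # An 'ip' rule can match anything that is queued at all.
        reachable = "all" in queued or proto in queued or (proto == "ip" and bool(queued))
        if sid in seen:
            report[sid] = "fired"
        elif not reachable:
            report[sid] = f"never_queued: iptables sends no {proto} to NFQUEUE"
        else:
            report[sid] = "quiet: queued but no matching traffic seen"
    return report


def missing_iptables_rules(iptables_rules, snort_rules, chain="INPUT", queue_num=1):
    """iptables commands that would steer each unqueued protocol to the same queue."""
    queued = queued_protocols(iptables_rules)
    if "all" in queued:
        return []
    needed = {parse_snort_rule(r)["proto"] for r in snort_rules} - queued - {"ip"}
    return [f"iptables -I {chain} -p {p} -j NFQUEUE --queue-num {queue_num}"
            for p in sorted(needed)]


if __name__ == "__main__":
    for sid, status in diagnose(IPTABLES_RULES, SNORT_RULES, ALERT_LINES).items():
        print(sid, status)
    for line in missing_iptables_rules(IPTABLES_RULES, SNORT_RULES):
        print("add:", line)
```

On the thread's inputs this reports sid 10000053 as fired and sid 10000054 as never queued, and proposes `iptables -I INPUT -p icmp -j NFQUEUE --queue-num 1`. Two general caveats when acting on that: traffic that passes through a bridged box rather than terminating on it traverses FORWARD, not INPUT, so the rules belong in the chain the traffic actually hits; and NFQUEUE drops queued packets when no userspace listener is attached unless the rule carries `--queue-bypass`, which matters if Snort is restarted while the rules stay in place. The `fired_sids` counts are also a handy thing to set beside Snort's shutdown packet counts, as Russ suggests, to confirm the DAQ is seeing the protocols you expect.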