Re: Unexpected results with reputation preprocessor - solved

[Dave Corsello <snort-users () wintertreemedia com>]

Sorry, I misspelled Hui's name below.  The correct spelling is, of 
course, Hui Cao.

I second James' request for "official" documentation of how to configure 
Snort IPS.  Some of us open source users are using Snort inline, basing 
our configuration on documentation that we've pieced together from 
various sources.  We might be getting it mostly right, but as I've 
demonstrated, we might be getting some details wrong, possibly leaving 
ourselves more vulnerable than we think we are. So, if possible, it 
would be great to see things laid out clearly in one document, so that 
there's no guesswork involved.

On 5/13/2014 8:28 AM, James Lay wrote:
> On Tue, 2014-05-13 at 07:50 -0400, Dave Corsello wrote:
> > About 2 months ago, I reported strange results with the reputation
> > preprocessor.  Often, when an inbound packet was blocked, an alert was
> > also generated for an outbound packet with the addresses from the first
> > packet reversed.  It seemed impossible for there to be an outbound
> > response if the inbound traffic was blocked.  Testing confirmed that
> > SMTP traffic from a known blocked address truly was dropped, adding to
> > my confusion.  Joel suggested that the inbound connection, although
> > reported as dropped, was not actually dropped, and that the connection
> > failed because the outbound response was dropped.  This turned out to be
> > the case.  PCAPs showed that during the TCP handshake on an inbound SMTP
> > connection, the inbound SYN packet was getting through Snort.  After a
> > lot of debugging and help from Hui Cau, I found that the problem was due
> > to missing parameters in my snort startup command.  I was trying to
> > start snort in inline mode with the following command:
> >
> > snort --daq nfq -c /etc/snort/snort.conf -Q -D
> >
> > This seemed to be working fine for quite awhile.  I was using the
> > default queue number 0, and bad traffic across the network bridge was
> > being dropped. Then I enabled reputation blocking, and started seeing
> > problems.  I ended up checking out James Lay's document, "Changing from
> > IDS to IPS with NFQueue" atwww.snort.org/docs  <http://www.snort.org/docs>, which showed the command
> > line:
> >
> > snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c
> > /etc/snort/snort.conf
> >
> > So, I changed the queue number in my iptables config to 1 (not sure if
> > this was necessary), changed my snort command line to the above, adding
> > daq vars to specify the device and queue number, and SYN packets from
> > reputation-blocked addresses stopped making it through snort.  Problem
> > solved.
> >
> > Thanks to Joel and Hui for corresponding with me about this, and to
> > James for his document.
> >
> > ------------------------------------------------------------------------------
> > "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> > Instantly run your Selenium tests across 300+ browser/OS combos.
> > Get unparalleled scalability from the best Selenium testing platform available
> > Simple to use. Nothing to install. Get started now for free."
> > http://p.sf.net/sfu/SauceLabs
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net  <mailto:Snort-users () lists sourceforge net>
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visithttp://blog.snort.org  to stay current on all the latest Snort news!
>
> Glad the doc helped.  Hey Joel it would be great to see a....I dunno 
> real world use case blog post or faq..complete with iptables and snort 
> command lines for using snort as an IPS.  Off the top of my head I can 
> think of:
>
> A dedicated IPS device with three nics (one for management, two for 
> inbound and outbound) where daq is used with afpacket eth0:eth1
> A linuxbox acting as a router and firewall with two nics, one nic is 
> internal IP, one nic is external IP
> A linuxbox transparent bridge acting as a firewall with two nics, eth0 
> and eth1 are bridged to br0
> And lastly, a linuxbox where snort will act as HIPS with one nic
>
> Thanks Joel!
>
> James
>
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!