Snort mailing list archives

Re: trouble with inline mode


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 27 Aug 2014 09:05:51 -0600

On 2014-08-27 07:52, Richard Smollett wrote:
IP setup looks like this.

root@snort:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:b5:c4
          inet addr:172.28.61.104  Bcast:172.28.61.127  Mask:255.255.255.128
          inet6 addr: fe80::a00:27ff:fefd:b5c4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:472894 errors:5 dropped:15 overruns:0 frame:0
          TX packets:15266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:129789824 (123.7 MiB)  TX bytes:2332609 (2.2 MiB)
          Interrupt:10 Base address:0xd020

eth1      Link encap:Ethernet  HWaddr 08:00:27:97:66:ff
          inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe97:66ff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:438796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:962 (962.0 B)  TX bytes:123829936 (118.0 MiB)
          Interrupt:9 Base address:0xd240

The eth0 interface is the outside and eth1 is inside. I'm starting
snort with this command.

snort --daq afpacket -i eth0:eth1 --daq-mode inline -c /etc/snort/snort.conf

But I still cannot ping an inside host from the outside. I can ping
between the snort device and inside/outside hosts. If I ping an inside
host from the outside, tcpdump shows the icmp echo request arriving
but no reply. Inside host ip is 192.168.123.2.

Can anyone recommend some other troubleshooting steps or suggest where
I may have left anything out of the setup?

Ah... yeah, that's the issue.  With --daq-mode inline snort will create
its own bridge (that you have no control over).  This type of
deployment works really well with snort on its own machine inline,
such as:

(Internet) <-> (SnortIPS) <-> (LinuxRouter) <-> (Switch)

I think you and I were in the same boat where we had a linux router
that we wanted to put IPS on.  You can use the nfq daq functionality
like so:

snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /usr/local/etc/snort/snort.conf
/sbin/iptables -t nat -I PREROUTING  -j NFQUEUE --queue-num 1
or
/sbin/iptables -I INPUT -j NFQUEUE --queue-num 1

But I'm going to be honest... I never got nfq to work well.  There's a
thread on the list that talks heavily about this, but in a nutshell, as
soon as a packet hits the snort queue, it is either dropped as an IPS
hit or accepted and sent along, which means any iptables rules AFTER
the snort queue rule are not referenced, so be warned and make sure to
nmap the external IP after you make the changes.  It really seems like
the IPS functionality is more suited for the IPS on its own dedicated
machine and not integrated into a router.  My two cents :)

James
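The router-hosted nfq setup and the rule-ordering warning in James's reply, written out as an added example (this is not code from the thread or from the Snort project). It assumes eth0 is the outside interface, eth1 the inside, snort.conf at /etc/snort/snort.conf and queue number 1; all of those are assumptions and can be overridden through the environment. NFQUEUE is a terminating target: once a packet is queued, snort's verdict ends traversal of that chain, so the queue rule is placed as the last rule in FORWARD and every rule that must hold regardless of snort sits before it. The --queue-bypass flag is a deliberate fail-open choice and is commented as such.

```shell
#!/bin/sh
# Added example, not code from the thread. Snort as an NFQUEUE IPS on the
# Linux router itself. Assumptions (not from the thread): eth0 outside,
# eth1 inside, snort.conf at /etc/snort/snort.conf, queue 1.

OUT_IF=${OUT_IF:-eth0}
IN_IF=${IN_IF:-eth1}
QUEUE=${QUEUE:-1}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# Emit the ruleset in iptables-restore format so it can be reviewed (and
# tested) as text before anything is loaded into the kernel.
# NFQUEUE terminates the chain: rules written after it are never consulted
# for a queued packet, so it is the LAST rule in FORWARD.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Router's own services are decided here and never reach the queue.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IN_IF -p tcp --dport 22 -j ACCEPT
# Transit traffic: hard drops first, then everything else goes to snort.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# --queue-bypass makes this rule act as ACCEPT when nothing is listening on
# the queue (fail-open). Remove the flag for fail-closed: queued packets are
# then dropped whenever snort is down.
-A FORWARD -j NFQUEUE --queue-num $QUEUE --queue-bypass
COMMIT
EOF
}

# Return 0 when the final FORWARD rule is the NFQUEUE rule, i.e. no rule
# would be silently skipped behind snort's verdict.
queue_rule_is_last() {
  last=$(build_ruleset | grep '^-A FORWARD' | tail -n 1)
  case "$last" in
    *"-j NFQUEUE --queue-num $QUEUE"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Load the ruleset, enable forwarding and start snort on the queue.
# Only runs when invoked as: sh this_script.sh apply
apply() {
  queue_rule_is_last || { echo "NFQUEUE rule is not last in FORWARD" >&2; return 1; }
  sysctl -w net.ipv4.ip_forward=1
  build_ruleset | iptables-restore
  # -Q selects inline mode; the nfq DAQ reads from queue $QUEUE.
  snort -Q -D --daq nfq --daq-var device="$OUT_IF" --daq-var queue="$QUEUE" -c "$SNORT_CONF"
}

# Post-change checks: per-queue statistics (queue_dropped / user_dropped
# climbing means snort is not listening or not keeping up), rule hit
# counters, and the external scan James recommends.
show_status() {
  cat /proc/net/netfilter/nfnetlink_queue
  iptables -vnL FORWARD
  echo "Now scan from an outside host: nmap -sS -p- <external IP of $OUT_IF>"
}

case "${1:-}" in
  apply)  apply && sleep 2 && show_status ;;
  status) show_status ;;
  *)      build_ruleset ;;
esac
```

Run with no arguments to print the ruleset for review; `apply` loads it and starts snort, `status` prints the queue and counter state afterwards. Chain policy DROP is safe together with the queue rule because a packet snort accepts is reinjected past the chain rather than falling through to the policy.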

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net