Re: Problem running Snort Inline

[Y M <snort () outlook com>]

Comments inline.
From: anshuman () cybage com
To: snort-users () lists sourceforge net
Date: Thu, 5 Feb 2015 06:40:16 +0000
Subject: [Snort-users] Problem running Snort Inline









Hi,
 
We have issues running Snort inline. This is the exact problem which is mentioned here -

http://www.linuxforums.org/forum/debian-linux/200751-snort-inline.html (see log below).
 
We have setup the Snort inline (version 2.9.7.0) which is compiled using switch --enable-sourcefire.

## While might not be related, did you also upgrade the DAQ to 2.0.4? This version was released with the release of 
Snort 2.9.7.0 as I remember.
 
It says “Enabling inline operation” and then switches to IDS mode.

## Are you referring to the message that output in Snort's startup messages? If I recall properly, this came up one 
before and as I remember that this message "can be" ignored given that you are actually running Snort inline.
 
Our command line for running Snort:
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort_conf_rules.conf -i eth0:eth1 -Q --pid-path=/var/run which 
creates the bridge automatically. Both the interfaces doesn’t have IP addresses
 assigned.
## While I have not tested this thoroughly, but does your traffic flows from eth0 --> eth1 or from eth1 --> eth0? If 
you change -i eth0:eth1 to -i eth1:eth0, what happens? 
 
We have already enabled following options for snort inline:
config policy_mode:inline
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024
 
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
 
Under verdicts it shows 0% packets blocked. We have enabled couple of drop rules for BRUTE FORCE attack one of which is 
getting detected. Here is the snort output.
02/02-12:12:23.042082  [Drop] [**] [1:2019876:2] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] 
[Classification: Detection of a Network Scan] [Priority: 3] {TCP} 000.000.000.00:38772 ->
 00.00.00.:22 (IP addresses information removed)
## In the above case, was the connection successful? If you try the same using an ICMP rule and pinging some 
destination, does the ICMP packet go through?.
 
But under verdicts it shows nothing blocked. Why??
## Not sure why, but lets verify the above first and then lets see.
 
Verdicts:
      Allow:      4335107 ( 59.187%)
      
Block:            0 (  0.000%)
 
Output says:
Enabling inline operation
Running in IDS mode
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
 
===============================================
Information about our setup-
 
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)

   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3
 
============================================================================
 
/usr/local/snort/bin/snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
 
===========================================================================
 
Please let me know in case any other information is required.
 
 
Regards,
Anshuman
 
 

"Legal
 Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which 
may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the 
addressee(s) only. If you
 are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly 
prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and 
destroy the original message and
 all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is 
not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out 
your own malicious content
 checks before opening the e-mail or attachment." www.cybage.com



------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!