Re: Odp: Re: Snort inline with Squid

[James Lay <jlay () slave-tothe-box net>]

On Sat, 2015-04-25 at 14:58 +0200, Robert Lasota wrote:

> Dnia Piątek, 24 Kwietnia 2015 17:53 James Lay
> <jlay () slave-tothe-box net> napisał(a)
>
>
>         On 2015-04-24 07:06 AM, Robert Lasota wrote:
>         
>         > Dnia Piątek, 24 Kwietnia 2015 13:58 James Lay
>         
>         > <jlay () slave-tothe-box net> napisał(a)
>         
>         >
>         
>         >> On Fri, 2015-04-24 at 09:33 +0200, Robert Lasota wrote:
>         
>         >>
>         
>         >>> Hi,
>         
>         >>>
>         
>         >>> Well, I have problem with running this both apps together
>         on
>         
>         >>> router. Snort (as IPS) inline gets traffic from iptables
>         (QUEUE
>         
>         >>> option), and Squid transparent also (from PREROUTING), and
>         it
>         
>         >>> turned out there is problem to rinning both in that case.
>         I tried
>         
>         >>> these combinations of iptables:
>         
>         >>>
>         
>         >>> # for Snort
>         
>         >>>
>         
>         >>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
>         
>         >>>
>         
>         >>> # for Squid
>         
>         >>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j
>         REDIRECT
>         
>         >>> --to-port 3128
>         
>         >>>
>         
>         >>> $iptables -I FORWARD -p tcp --dport 80 -j QUEUE
>         
>         >>> $iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT
>         
>         >>> --to-port 3128
>         
>         >>>
>         
>         >>> $iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
>         
>         >>> $iptables -t nat -A PREROUTING -p tcp --dport 80 -j
>         REDIRECT
>         
>         >>> --to-port 3128
>         
>         >>>
>         
>         >>> .. and nothing. In all cases or Squid doesn't work or
>         Snort.
>         
>         >>>
>         
>         >>> Does somebody have any idea how to solve this difficult
>         case ? I
>         
>         >>> would be appreciated.
>         
>         >>>
>         
>         >>> Robert
>         
>         >> Two interfaces? One internal net, one external net?
>         
>         >>
>         
>         >> James
>         
>         >
>         
>         > Yes, there are 2 nics, one for internet and one for LAN.
>         
>         >
>         
>         > Robert
>         
>         So my setup is I have transparent proxy that's listening on
>         eth0
>         
>         (192.168.bleh) that forwards out ppp0 (external IP).  This
>         takes
>         
>         internal clients and transparently proxies them.  If that's
>         your setup,
>         
>
>
> here's how I would do it.
>
>
>         Start snort:
>         
>         sudo snort -Q -D --daq nfq --daq-var device=eth0 --daq-var
>         queue=1 -c
>         
>         snort.conf
>         
>         Snort iptables first:
>         
>         $iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 80 -j
>         NFQUEUE
>         
>         --queue-num 1
>         
>         $iptables -t mangle -I OUTPUT -i eth0 -p tcp --dport 80 -j
>         NFQUEUE
>         
>         --queue-num 1
>         
>         Now for Squid
>         
>         $iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
>         REDIRECT
>         
>         --to-port 3128
>         
>         This should get you what you need, however keep in mind that
>         snort will
>         
>         need to be started first, and because you're sending ONLY port
>         80 to the
>         
>         NFQUEUE, that's all snort will see as that's all that's going
>         to the
>         
>         queue.  Lastly, you'll need to modify your rules that you want
>         do drop
>         
>         traffic to reflect drop instead of alert...you'll get an alert
>         in your
>         
>         unified (if you're doing that) or fast file (if you're doing
>         that as
>         
>         well) either way with drop or alert, but drop will actively
>         drop the
>         
>         connection.  Check the link below for more info:
>         
>         http://www.iptables.info/en/structure-of-iptables.html#MANGLETABLE <
>         
>         scroll up to get a nifty diagram.
>         
>         Hope that helps.
>         
>         James
>         
>
>
>  
>
> Hi,
>
> I did as you said and don't work. Squid is blocking but Snort not
> working, I mean instead of display alert page it shows some Squid
> error page "url cannot be retrivered".
>
>  
>
> My commands was:
>
> snort -Q -D --daq nfq --daq-var device=eth1 --daq-var queue=1
> -c /opt/etc/snort/snort.conf
>
> iptables -t mangle -I FORWARD -i eth1 -p tcp --dport 80 -j NFQUEUE
> --queue-num 1
> iptables -t mangle -I OUTPUT -o eth1 -p tcp --dport 80 -j NFQUEUE
> --queue-num 1
>
>  
>
> eth1 - LAN interface
>
> What is interesting , in above case no packets got in rules in mangle
> table.. zero:
>
> Chain FORWARD (policy ACCEPT 893 packets, 403K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 NFQUEUE    tcp  --  eth1   *       0.0.0.0/0
> 0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
> Chain OUTPUT (policy ACCEPT 5009 packets, 3240K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 NFQUEUE    tcp  --  *      eth1    0.0.0.0/0
> 0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
>
>
>
>  
>
> I tried add to mangle rules without interface:
>
> iptables -t mangle -I FORWARD -p tcp --dport 80 -j NFQUEUE
> --queue-num 1
> iptables -t mangle -I OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num
> 1
> and now packets got only to OUTPUT chain:
>
>
> Chain FORWARD (policy ACCEPT 12 packets, 989 bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
> Chain OUTPUT (policy ACCEPT 1855 packets, 645K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>    23  5563 NFQUEUE    tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
> ..but still is an error "url cannot be retrivered"
>
>  
>
> Robert
>
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud 
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


Ok....I'll dust off the dev box and run it through some tests...stay
tuned.

James

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!