Snort mailing list archives

Re: New to snort (inline mode not rejecting)


From: usa ims <usaims () yahoo com>
Date: Thu, 30 Jul 2015 22:12:46 +0000 (UTC)

I have a friend that works at SourceFire so I called him and asked why my 'inline' Snort server is not rejecting 
packets. He kindly explained to me that just because the snort logs indicated that the server started in 'inline' mode 
doesn't mean it really is. 'Inline' really means that the 'Snort' server has to be physically in the path of the 
destination of the packet. Ideally -- correct me if I am wrong -- once the packet traverses the firewall and is inside 
the LAN, its next hop should be an 'inline' snort server. Then the snort server will examine the packet to see if it's 
safe and if it isn't, the packet should be dropped.
 


On Tuesday, July 28, 2015 12:08 PM, usa ims <usaims () yahoo com> wrote:

Inline mode not rejecting. I'm trying to reject 'ICMP' in my network and the pings are still successful (I know, it's 
overkill). I'm still able to ping any nodes in the subnet that Snort is protecting.

Snort Version: 2.9.7.3
Netgear Layer 2 Switch with mirroring enabled.

Snort seems to be starting fine:
Jul 28 11:30:41 snort snort[810]: afpacket DAQ configured to inline. 
...
Jul 28 11:30:41 snort snort[811]: Commencing packet processing (pid=811) 
Jul 28 11:30:41 snort snort[811]: Decoding Ethernet 

I started snort with this command:
snort -Q -D -c /etc/snort/snort.conf -i eth1:eth2 --daq afpacket --daq-mode inline --daq-var buffer_size_mb=1024 -l /var/log/snort

I have this rule enabled local.rules:
reject icmp any any -> any any (msg:"You're doomed!"; sid:478; rev:3;)

My snort.conf has some of the following:

#config policy_mode:inline
config daq: afpacket 
config daq_mode: inline 
config daq_var: buffer_size_mb=1024

var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any

Here is the output from u2:

(IPv6 Event)
 sensor id: 0 event id: 1496 event second: 1438098558 event microsecond: 471655
 sig id: 478 gen id: 1 revision: 3 classification: 0
 priority: 0 ip source: fe80::851b:3b6b:9ef3:1ff8 ip destination: ff02::1:ff98:f8eb
 src port: 0 dest port: 0 protocol: 58 impact_flag: 32 blocked: 1

Packet
 sensor id: 0 event id: 1496 event second: 1438098558
 packet second: 1438098558 packet microsecond: 471655
 linktype: 1 packet_length: 86
[ 0] 33 33 FF 98 F8 EB 28 D2 44 71 3A 63 86 DD 60 00 33....(.Dq:c..`.
[ 16] 00 00 00 20 3A FF FE 80 00 00 00 00 00 00 85 1B ... :...........
[ 32] 3B 6B 9E F3 1F F8 FF 02 00 00 00 00 00 00 00 00 ;k..............
[ 48] 00 01 FF 98 F8 EB 87 00 47 39 00 00 00 00 FE 80 ........G9......
[ 64] 00 00 00 00 00 00 E1 C3 6F 7E CA 98 F8 EB 01 01 ........o~......
[ 80] 28 D2 44 71 3A 63 (.Dq:c


What am I missing? Thanks in advance.
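The u2 records quoted above, decoded as an added example (this is not code from the thread or from Snort, and the poster did not run it): it rebuilds the raw frame from the text hex dump, verifies the ICMPv6 checksum so that a mis-copied byte shows up, and reports what the `blocked: 1` verdict actually applied to. It goes one step beyond the thread by also decoding an IPv4 ICMP echo request, since that is what the poster's pings are; that frame, and the function and constant names (`parse_u2_event`, `parse_u2_hexdump`, `decode_frame`, `describe`, `PING_V4_FRAME`), are constructed for the example and appear nowhere on the page.

```python
import ipaddress
import re
import struct

# Added example, not code from the thread. The two records below are copied from
# the u2 output quoted in the thread; everything else here is illustrative.
U2_EVENT = """\
 sensor id: 0 event id: 1496 event second: 1438098558 event microsecond: 471655
 sig id: 478 gen id: 1 revision: 3 classification: 0
 priority: 0 ip source: fe80::851b:3b6b:9ef3:1ff8 ip destination: ff02::1:ff98:f8eb
 src port: 0 dest port: 0 protocol: 58 impact_flag: 32 blocked: 1
"""
U2_PACKET = """\
 linktype: 1 packet_length: 86
[ 0] 33 33 FF 98 F8 EB 28 D2 44 71 3A 63 86 DD 60 00 33....(.Dq:c..`.
[ 16] 00 00 00 20 3A FF FE 80 00 00 00 00 00 00 85 1B ... :...........
[ 32] 3B 6B 9E F3 1F F8 FF 02 00 00 00 00 00 00 00 00 ;k..............
[ 48] 00 01 FF 98 F8 EB 87 00 47 39 00 00 00 00 FE 80 ........G9......
[ 64] 00 00 00 00 00 00 E1 C3 6F 7E CA 98 F8 EB 01 01 ........o~......
[ 80] 28 D2 44 71 3A 63 (.Dq:c
"""
# Constructed IPv4 echo request (what the poster's pings look like); not from the thread.
PING_V4_FRAME = bytes.fromhex(
    "02000000000a" "02000000000b" "0800"              # Ethernet, locally administered MACs
    "4500001c000100004001ed8c" "c0a80001" "c0a80002"  # IPv4 192.168.0.1 -> 192.168.0.2
    "0800f7fd00010001"                                # ICMP echo request, id 1, seq 1
)
ICMPV6_TYPES = {128: "echo request", 129: "echo reply",
                135: "neighbor solicitation", 136: "neighbor advertisement"}
ICMPV4_TYPES = {0: "echo reply", 8: "echo request"}


def parse_u2_event(text):
    """Pull the 'key: value' fields out of a u2 text Event record."""
    out = {}
    for key, val in re.findall(r"([a-z_ ]+?):\s*(\S+)", text):
        out[key.strip()] = int(val) if val.isdigit() else val
    return out


def parse_u2_hexdump(text):
    """Rebuild the raw frame from a u2 text Packet record. The ASCII column can itself
    look like hex ("G9"), so the byte count per line comes from packet_length and the
    line offset rather than from whatever tokens follow the hex bytes."""
    length = int(re.search(r"packet_length:\s*(\d+)", text).group(1))
    frame = bytearray()
    for m in re.finditer(r"^\[\s*(\d+)\]\s*(.*)$", text, re.M):
        offset = int(m.group(1))
        if offset != len(frame):
            raise ValueError("hex dump not contiguous at offset %d" % offset)
        tokens = m.group(2).split()[: min(16, length - offset)]
        frame += bytes.fromhex("".join(tokens))       # raises on a non-hex token
    if len(frame) != length:
        raise ValueError("got %d bytes, expected %d" % (len(frame), length))
    return bytes(frame)


def icmpv6_checksum(src, dst, payload):
    """RFC 4443 checksum: IPv6 pseudo-header plus the message with its checksum zeroed."""
    data = (src + dst + struct.pack("!I", len(payload)) + b"\x00\x00\x00\x3a"
            + payload[:2] + b"\x00\x00" + payload[4:])
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_frame(frame):
    """Decode Ethernet (linktype 1) + IPv4/IPv6 + ICMP headers into a dict."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda b: ":".join("%02x" % x for x in b)
    info = {"dst_mac": mac(dst_mac), "src_mac": mac(src_mac), "ethertype": ethertype}
    if ethertype == 0x86DD:
        vtf, plen, nh, _hlim, src, dst = struct.unpack("!IHBB16s16s", frame[14:54])
        info.update(version=vtf >> 28, proto=nh, src=str(ipaddress.IPv6Address(src)),
                    dst=str(ipaddress.IPv6Address(dst)))
        payload = frame[54:54 + plen]
        if nh == 58:                                   # ICMPv6
            t, c, csum = struct.unpack("!BBH", payload[:4])
            info.update(icmp_type=t, icmp_code=c, checksum=csum,
                        icmp_name=ICMPV6_TYPES.get(t, "type %d" % t),
                        checksum_ok=icmpv6_checksum(src, dst, payload) == csum)
            if t in (135, 136):                        # NDP: target address follows the header
                info["target"] = str(ipaddress.IPv6Address(payload[8:24]))
    elif ethertype == 0x0800:
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        info.update(version=4, proto=proto, src=str(ipaddress.IPv4Address(frame[26:30])),
                    dst=str(ipaddress.IPv4Address(frame[30:34])))
        if proto == 1:                                 # ICMPv4
            t, c = frame[14 + ihl], frame[15 + ihl]
            info.update(icmp_type=t, icmp_code=c, icmp_name=ICMPV4_TYPES.get(t, "type %d" % t))
    return info


def describe(event, frame):
    """One line: what Snort says it did, and what the packet actually was."""
    info = decode_frame(frame)
    verdict = "blocked" if event.get("blocked") == 1 else "not blocked"
    return "sid %s %s: IPv%d %s %s -> %s" % (
        event.get("sig id"), verdict, info["version"],
        info.get("icmp_name", "proto %d" % info["proto"]), info["src"], info["dst"])


if __name__ == "__main__":
    print(describe(parse_u2_event(U2_EVENT), parse_u2_hexdump(U2_PACKET)))
    print(describe({"sig id": 478, "blocked": 1}, PING_V4_FRAME))
```

Decoding shows that the one logged event is an IPv6 neighbor solicitation to a solicited-node multicast address, and `blocked: 1` is Snort's verdict on the frame it processed. When the sensor reads a switch mirror port, that frame is a copy; the switch has already forwarded the original, so the verdict cannot affect it and the ping still succeeds, no matter what the startup log says about inline mode. Two further points worth knowing when testing with ICMP: Snort's `reject` only sends a response for TCP (a reset) and UDP (an ICMP unreachable), so for ICMP it behaves like `drop` and success looks like a silent timeout; and with `-i eth1:eth2` the pair must actually be bridging the traffic, which you can confirm by capturing on both interfaces and seeing the same host's packets enter one and leave the other.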




  
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
