Snort mailing list archives

Re: New to snort (inline mode not rejecting)


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 31 Jul 2015 01:32:31 +0000

I ran a quick test and you should see “destination unreachables”.

The command-line I ran was: “./bin/snort -c etc/ICMP-TEST.conf --daq dump --daq-var load-mode=read-file -Q -r ICMP-TEST.pcap -Acmg -U -H -k none -q”

Also, it shouldn’t matter if the traffic is IPv4 or IPv6.

21:19:58.933050 IP6 2607:f8b0:400d:c04::63 > 2001:420:270d:1330:90a4:f2e5:4b0c:c77a: ICMP6, destination unreachable, unreachable port[|icmp6]
21:19:58.961990 IP6 2001:420:270d:1330:90a4:f2e5:4b0c:c77a > 2607:f8b0:400d:c04::63: ICMP6, destination unreachable, unreachable port[|icmp6]
21:19:59.934488 IP6 2607:f8b0:400d:c04::63 > 2001:420:270d:1330:90a4:f2e5:4b0c:c77a: ICMP6, destination unreachable, unreachable port[|icmp6]
21:19:59.965522 IP6 2001:420:270d:1330:90a4:f2e5:4b0c:c77a > 2607:f8b0:400d:c04::63: ICMP6, destination unreachable, unreachable port[|icmp6]

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Al Lewis (allewi)
Sent: Thursday, July 30, 2015 8:58 PM
To: usa ims; snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to snort (inline mode not rejecting)

Is the traffic passing directly through the snort sensor? I see that you are mentioning “mirroring”, which isn’t going to work properly.

As a test, can you replay a pcap into the snort sensor directly with the “--daq dump --daq-var load-mode=read-file -Q” flags set? (This forces it inline and will output the packets that pass through the DAQ.)

Check to see if there are resets in the “inline.out” file that is generated.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
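To check the replay suggestion above (resets in inline.out) and the earlier note that you should see destination unreachables, here is an added example, not code from the thread or from Snort: a small pcap walker that tallies the artifacts a reject rule leaves behind (ICMPv4 type 3, ICMPv6 type 1, TCP RST) against everything else. It assumes a classic little-endian pcap with Ethernet link type and IPv6 frames without extension headers; the sample capture it builds is constructed here, with checksums left zero.

```python
import struct

def classify(frame):
    """Label one Ethernet frame: an artifact a Snort 'reject' rule emits, or 'other'."""
    ethertype = struct.unpack_from('!H', frame, 12)[0]
    if ethertype == 0x0800:                                  # IPv4: protocol at IP offset 9
        proto, l4 = frame[23], frame[14 + (frame[14] & 0x0F) * 4:]
    elif ethertype == 0x86DD:                                # IPv6: fixed 40-byte header only
        proto, l4 = frame[20], frame[54:]
    else:
        return 'other'
    if proto == 1 and l4 and l4[0] == 3:                     # ICMPv4 destination unreachable
        return 'icmp4-unreach'
    if proto == 58 and l4 and l4[0] == 1:                    # ICMPv6 destination unreachable
        return 'icmp6-unreach'
    if proto == 6 and len(l4) >= 14 and l4[13] & 0x04:       # TCP with the RST flag set
        return 'tcp-rst'
    return 'other'

def count_rejects(pcap):
    """Walk a classic little-endian pcap (linktype 1) and tally reject artifacts vs. other frames."""
    magic, _, _, _, _, _, linktype = struct.unpack_from('<IHHiIII', pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError('expected a little-endian Ethernet pcap')
    counts, off = {'icmp4-unreach': 0, 'icmp6-unreach': 0, 'tcp-rst': 0, 'other': 0}, 24
    while off + 16 <= len(pcap):                             # per-packet header: ts_sec, ts_usec, incl, orig
        incl_len = struct.unpack_from('<IIII', pcap, off)[2]
        off += 16
        counts[classify(pcap[off:off + incl_len])] += 1
        off += incl_len
    return counts

def _eth(ethertype, payload):   # constructed frames below; checksums stay zero, nothing above checks them
    return b'\x33\x33\x00\x00\x00\x01' + b'\x28\xd2\x44\x71\x3a\x63' + struct.pack('!H', ethertype) + payload
def _ipv6(nxt, payload):
    src, dst = b'\xfe\x80' + b'\x00' * 14, b'\xff\x02' + b'\x00' * 13 + b'\x01'
    return struct.pack('!IHBB', 0x60000000, len(payload), nxt, 64) + src + dst + payload
def _ipv4(proto, payload):
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 168, 0, 10]), bytes([192, 168, 0, 20])) + payload

def build_sample_pcap():
    """One ICMPv6 echo request that passed, plus the three kinds of reject artifact (constructed)."""
    frames = [_eth(0x86DD, _ipv6(58, b'\x80\x00' + b'\x00' * 6)),          # ICMPv6 echo request: passed
              _eth(0x86DD, _ipv6(58, b'\x01\x04' + b'\x00' * 6)),          # ICMPv6 port unreachable
              _eth(0x0800, _ipv4(1, b'\x03\x03' + b'\x00' * 6)),           # ICMPv4 port unreachable
              _eth(0x0800, _ipv4(6, struct.pack('!HHIIBBHHH', 1234, 80, 0, 0, 0x50, 0x04, 0, 0, 0)))]
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)      # pcap global header
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', 1438098558, i, len(frame), len(frame)) + frame
    return out
```

Run `count_rejects(open('inline.out', 'rb').read())` on a real replay; if every frame lands in `other`, the sensor is seeing copies of traffic rather than sitting in its path, which is exactly the mirroring problem described above.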

From: usa ims [mailto:usaims () yahoo com]
Sent: Thursday, July 30, 2015 6:13 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] New to snort (inline mode not rejecting)

I have a friend that works at SourceFire so I called him and asked why my 'inline' Snort server is not rejecting packets. He kindly explained to me that just because the snort logs indicated that the server started in 'inline' mode doesn't mean it really is. 'Inline' really means that the 'Snort' server has to be physically in the path of the destination of the packet. Ideally -- correct me if I am wrong -- once the packet traverses the firewall and is inside the LAN, its next hop should be an 'inline' snort server. Then the snort server will examine the packet to see if it's safe and, if it isn't, the packet should drop.


On Tuesday, July 28, 2015 12:08 PM, usa ims <usaims () yahoo com> wrote:

Inline mode not rejecting. I'm trying to reject 'ICMP' in my network and the pings are still successful (I know - it's an overkill). I'm still able to ping any nodes in the subnet that Snort is protecting.

Snort Version: 2.9.7.3
Netgear Layer 2 Switch with mirroring enabled.

Snort seems to be starting fine:
Jul 28 11:30:41 snort snort[810]: afpacket DAQ configured to inline.
...
Jul 28 11:30:41 snort snort[811]: Commencing packet processing (pid=811)
Jul 28 11:30:41 snort snort[811]: Decoding Ethernet

I started snort with this command:
snort -Q -D -c /etc/snort/snort.conf -i eth1:eth2 --daq afpacket --daq-mode inline --daq-var buffer_size_mb=1024 -l /var/log/snort

I have this rule enabled in local.rules:
reject icmp any any -> any any (msg:"You're doomed!"; sid:478; rev:3;)

My snort.conf has some of the following:

#config policy_mode:inline
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024

var HOME_NET 192.168.0.0/24
var EXTERNAL_NET any

Here is the output from u2:

(IPv6 Event)
sensor id: 0 event id: 1496 event second: 1438098558 event microsecond: 471655
sig id: 478 gen id: 1 revision: 3 classification: 0
priority: 0 ip source: fe80::851b:3b6b:9ef3:1ff8 ip destination: ff02::1:ff98:f8eb
src port: 0 dest port: 0 protocol: 58 impact_flag: 32 blocked: 1

Packet
sensor id: 0 event id: 1496 event second: 1438098558
packet second: 1438098558 packet microsecond: 471655
linktype: 1 packet_length: 86
[ 0] 33 33 FF 98 F8 EB 28 D2 44 71 3A 63 86 DD 60 00 33....(.Dq:c..`.
[ 16] 00 00 00 20 3A FF FE 80 00 00 00 00 00 00 85 1B ... :...........
[ 32] 3B 6B 9E F3 1F F8 FF 02 00 00 00 00 00 00 00 00 ;k..............
[ 48] 00 01 FF 98 F8 EB 87 00 47 39 00 00 00 00 FE 80 ........G9......
[ 64] 00 00 00 00 00 00 E1 C3 6F 7E CA 98 F8 EB 01 01 ........o~......
[ 80] 28 D2 44 71 3A 63 (.Dq:c


What am I missing? Thanks in advance.
