Snort mailing list archives

Re: Snort running inline but not functioning as IPS


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 21 Jan 2016 14:59:20 -0700

 

On 2016-01-21 09:59, Robin Kipp wrote: 

Hi all, 
I've just installed Snort 2.9.8.0 on a Debian 8 server. 
The server has 4 network interfaces, which are all combined as a bridge interface named br0. The server bridges 
traffic between the internal network and the internet and I'd like to use Snort for intrusion protection. 
As far as I understand, the DAQ NFQ module can be used to run Snort in inline mode and block bad traffic, even on a 
bridged interface. 
So, in order to set this up I first added netfilter queues and redirected traffic to them using those commands: 
iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1 
iptables -I FORWARD -j NFQUEUE --queue-num 1 
iptables -I INPUT -j NFQUEUE --queue-num 1 
iptables -I OUTPUT -j NFQUEUE --queue-num 1 
I did exactly the same for IPv6, only using ip6tables instead of iptables for each command. 
Afterwards, I launched Snort with the following commands: 

snort -u snort -g snort -q -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf 

Snort then starts up without any problems and also generates alerts for rule violations. However, I feel like it's 
not dropping or rejecting traffic that triggers any of the rules, it rather seems to work only as an IDS. 
For instance, I tried pinging some blacklisted IPs, the rules were triggered and generated alerts but the ping and 
ping response would go through nevertheless. 
So, could anybody kindly tell me what I'm missing here? 
Thank you very much for any hints! 
Best regards, 
Robin 

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Do you have any rules that say "drop" instead of "alert"?  

James 
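To check James's point quickly, here is an added shell example (not from the thread) that summarises the actions in a Snort rules file: with `-Q` inline, only rules whose action is `drop`, `sdrop` or `reject` block traffic, while `alert` rules log and pass it. The sample rules below are constructed for the example.

```shell
#!/bin/sh
# Added example: report which rules would actually block in inline (-Q) mode.
# Constructed sample rules written to a temp file (not from the original post).
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
alert icmp any any -> any any (msg:"ICMP test alert"; sid:1000001; rev:1;)
drop icmp any any -> any any (msg:"ICMP test drop"; sid:1000002; rev:1;)
# drop tcp any any -> any 23 (msg:"commented out, ignored"; sid:1000003; rev:1;)
reject tcp any any -> any 23 (msg:"telnet reject"; sid:1000004; rev:1;)
sdrop udp any any -> any 53 (msg:"dns sdrop"; sid:1000005; rev:1;)
alert tcp any any -> any 80 (msg:"http alert"; sid:1000006; rev:1;)
EOF

# count_action FILE ACTION -> number of active rules whose action is ACTION
count_action() {
    grep -Ec "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# blocking_rules FILE -> number of rules that drop or reject when run inline
blocking_rules() {
    grep -Ec '^[[:space:]]*(drop|sdrop|reject)[[:space:]]' "$1" || true
}

# alert_only_sids FILE -> space-separated SIDs of rules that only alert,
# i.e. the ones that generate alerts but let the traffic through under -Q
alert_only_sids() {
    grep -E '^[[:space:]]*alert[[:space:]]' "$1" \
        | sed -n 's/.*sid:\([0-9]*\);.*/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# promote_to_drop FILE -> same rules with every leading "alert" changed to "drop"
# (printed to stdout; review before replacing a live rules file)
promote_to_drop() {
    sed 's/^[[:space:]]*alert[[:space:]]/drop /' "$1"
}

echo "alert rules:    $(count_action "$SAMPLE_FILE" alert)"
echo "blocking rules: $(blocking_rules "$SAMPLE_FILE")"
echo "alert-only SIDs (pass traffic inline): $(alert_only_sids "$SAMPLE_FILE")"
```

Run it against your own rules files (e.g. the ones included from snort.conf) to see whether any rule can block at all.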