Snort mailing list archives

Re: Snort inline problem


From: mostafa ammar <mostafaammar79 () gmail com>
Date: Thu, 20 Oct 2016 22:13:02 +0200

Dear James,

Thanks for your reply. I tried

 sudo snort -A console -Q -c /etc/snort/snort.conf -i eth3:eth2 --daq afpacket -N -v

Still only ping is working and all other traffic is not passing.
Kindly find attached snort.conf.

On Thu, Oct 20, 2016 at 4:14 PM, <snort-users-request () lists sourceforge net> wrote:


Today's Topics:

   1. snort inline problem (mostafa ammar)
   2. Re: snort inline problem (mostafa ammar)
   3. Re: snort inline problem (James Lay)


----------------------------------------------------------------------

Message: 1
Date: Thu, 20 Oct 2016 11:40:11 +0200
From: mostafa ammar <mostafaammar79 () gmail com>
Subject: [Snort-users] snort inline problem
To: jlay () slave-tothe-box net, snort-users () lists sourceforge net
Message-ID: <CA+hocYpG21TDShhBOaZ8fHa9TVkBm_Qm2HsJwgCrfg7WiUvRXw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Dear Jays,

Thanks for your reply to my problem. I installed Snort as a VM on XenServer;
it is connected between 2 other VMs. On every machine, ping is working
successfully but any other protocol is not running. I adjusted the
snort.conf file and added

Running the check command:
snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv


To run Snort inline I use the following command:
 sudo snort -A console -Q -c /etc/snort/snort.conf -i eth3:eth2 -N

Ping is working fine but any other protocols are not running. I disabled
normalization for several protocols:
#preprocessor normalize_ip4
#preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
#preprocessor normalize_icmp4
#preprocessor normalize_ip6
#preprocessor normalize_icmp6

Thanks for your help.

NB: I used to work on Google Groups, where I can reply to mail threads; now I
don't get any notification of replies to my email and I don't know how to
reply to mail threads.

------------------------------

Message: 2
Date: Thu, 20 Oct 2016 13:37:41 +0200
From: mostafa ammar <mostafaammar79 () gmail com>
Subject: Re: [Snort-users] snort inline problem
To: jlay () slave-tothe-box net, snort-users () lists sourceforge net
Message-ID: <CA+hocYofkpBqLbcLdYqVi8V0=MZ5GzpW-PLeOYWZrBBoGguo3A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Dear Jays,

I used the -v option on the Snort command line and found that the TCP session
passes through Snort but does not complete for some reason. Below are the logs
showing traffic passing for an SSH session from 192.168.1.55 to 192.168.1.88
but not completing.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:40.634939 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9841 IpLen:20 DgmLen:52 DF
******S* Seq: 0xB3DCA921  Ack: 0x0  Win: 0x2000  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP WS: 2 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:40.635840 192.168.1.88:22 -> 192.168.1.55:49206
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0xFCD1D6B0  Ack: 0xB3DCA922  Win: 0x7210  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 7
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:40.636534 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9842 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:40.637413 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9843 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:40.945485 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9844 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:41.553977 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9845 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:41.832758 192.168.1.88:22 -> 192.168.1.55:49206
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF
***A**S* Seq: 0xFCD1D6B0  Ack: 0xB3DCA922  Win: 0x7210  TcpLen: 32
TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 7
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:42.755163 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9846 IpLen:20 DgmLen:68
***AP*** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:42.755728 192.168.1.88:22 -> 192.168.1.55:49206
TCP TTL:64 TOS:0x0 ID:21733 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xFCD1D6B1  Ack: 0xB3DCA93E  Win: 0xE5  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:42.793606 192.168.1.88:22 -> 192.168.1.55:49206
TCP TTL:64 TOS:0x0 ID:21734 IpLen:20 DgmLen:83 DF
***AP*** Seq: 0xFCD1D6B1  Ack: 0xB3DCA93E  Win: 0xE5  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:42.799241 192.168.1.88:22 -> 192.168.1.55:49206
TCP TTL:64 TOS:0x0 ID:21735 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xFCD1D6DC  Ack: 0xB3DCA93E  Win: 0xE5  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:43.956336 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9847 IpLen:20 DgmLen:68
***AP*** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:43.956764 192.168.1.88:22 -> 192.168.1.55:49206
TCP TTL:64 TOS:0x0 ID:21736 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xFCD1DC90  Ack: 0xB3DCA93E  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP Sack: 46044@43298
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:45.157504 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9848 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:45.800757 192.168.1.88:22 -> 192.168.1.55:49206
TCP TTL:64 TOS:0x0 ID:21737 IpLen:20 DgmLen:83 DF
***AP*** Seq: 0xFCD1D6B1  Ack: 0xB3DCA93E  Win: 0xE5  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

10/20-13:33:47.559946 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9849 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=


------------------------------

Message: 3
Date: Thu, 20 Oct 2016 08:14:12 -0600
From: James Lay <jlay () slave-tothe-box net>
Subject: Re: [Snort-users] snort inline problem
To: snort-users () lists sourceforge net
Message-ID: <d01aaebbb10d0ee750f48e73690b677d@localhost>
Content-Type: text/plain; charset=US-ASCII; format=flowed

Don't forget your afpacket line:

sudo snort -A console -Q -c /etc/snort/snort.conf --daq afpacket -i eth3:eth2 -N

James



------------------------------

End of Snort-users Digest, Vol 125, Issue 10
********************************************

Attachment: snort.conf
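A way to read the -v packet dump quoted in message 2 of the digest above programmatically, added here as an example that is not from the thread or from the Snort project: it parses Snort's verbose TCP packet lines and reports, per direction, how many segments were retransmitted and how many bytes the peer never acknowledged. The embedded sample is a constructed four-packet excerpt in the format of the quoted output; on it, the client's 28-byte segment is seen twice while the server's 43 data bytes are never acknowledged, which points at the server-to-client direction rather than the handshake.

```python
import re
from collections import defaultdict

HDR = re.compile(r"^(\S+) (\S+) -> (\S+)$")  # timestamp src:port -> dst:port
IPL = re.compile(r"IpLen:(\d+) DgmLen:(\d+)")
TCPL = re.compile(r"^([*A-Z]{8}) Seq: 0x(\w+)\s+Ack: 0x(\w+)\s+Win: \S+\s+TcpLen: (\d+)")
SAMPLE = """\
10/20-13:33:40.634939 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9841 IpLen:20 DgmLen:52 DF
******S* Seq: 0xB3DCA921  Ack: 0x0  Win: 0x2000  TcpLen: 32
10/20-13:33:40.637413 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9843 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
10/20-13:33:42.793606 192.168.1.88:22 -> 192.168.1.55:49206
TCP TTL:64 TOS:0x0 ID:21734 IpLen:20 DgmLen:83 DF
***AP*** Seq: 0xFCD1D6B1  Ack: 0xB3DCA93E  Win: 0xE5  TcpLen: 20
10/20-13:33:43.956336 192.168.1.55:49206 -> 192.168.1.88:22
TCP TTL:128 TOS:0x0 ID:9847 IpLen:20 DgmLen:68
***AP*** Seq: 0xB3DCA922  Ack: 0xFCD1D6B1  Win: 0x4029  TcpLen: 20
"""  # constructed excerpt, in the format of the -v dump quoted in the thread

def parse(text):
    """One dict per TCP packet: src, dst, flags, seq, ack and payload length."""
    pkts, cur = [], None
    for line in text.splitlines():
        if m := HDR.match(line):
            cur = {"src": m[2], "dst": m[3]}
        elif cur and (m := IPL.search(line)):
            cur["iplen"], cur["dgm"] = int(m[1]), int(m[2])
        elif cur and (m := TCPL.match(line)):
            cur.update(flags=m[1], seq=int(m[2], 16), ack=int(m[3], 16))
            cur["len"] = cur["dgm"] - cur["iplen"] - int(m[4])  # payload bytes
            pkts.append(cur)
            cur = None
    return pkts

def analyse(pkts):
    """Per direction: retransmitted segments and bytes the peer never ACKed."""
    st = defaultdict(lambda: {"end": 0, "acks": 0, "retrans": 0, "seen": set()})
    for p in pkts:
        d, syn = st[(p["src"], p["dst"])], "S" in p["flags"]
        key = (p["seq"], p["len"], p["flags"])
        d["retrans"] += int(key in d["seen"] and (p["len"] > 0 or syn))
        d["seen"].add(key)
        d["end"] = max(d["end"], p["seq"] + p["len"] + syn)  # SYN occupies one seq
        if "A" in p["flags"]:
            d["acks"] = max(d["acks"], p["ack"])  # highest ACK this side has sent
    return {k: {"retrans": v["retrans"],
                "unacked": v["end"] - st.get(k[::-1], {"acks": 0})["acks"]}
            for k, v in st.items()}
```

Needs Python 3.8 or later for the assignment expressions; feed it the full console dump (everything between the =+=+ separators is ignored) to see which direction stalls.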
