Snort mailing list archives
Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall)
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 30 Mar 2017 15:55:43 -0600
Yes...just test test test before you go production...make sure you're firewall is dropping what it's supposed to be. On 2017-03-30 15:52, Stanford Prescott wrote:
Thanks for the links, James. I want snort to filter (block) "the bad stuff" at the firewall but let the rest proceed on through the rest of the firewall iptables rules. Will your use of the MANGLE table allow this? On Thu, Mar 30, 2017 at 4:35 PM, James Lay <jlay () slave-tothe-box net> wrote:It is but be careful...look at this thread: http://marc.info/?l=snort-users&m=141850470323610&w=2 You'll want to use the MANGLE table, otherwise your firewall rules won't function like you think. Also this more recent one: http://marc.info/?l=snort-users&m=147768752101473&w=2 James On 2017-03-30 15:20, Stanford Prescott wrote:Maybe snort and NFQ is worth seriously considering. Thanks, Ward. On Thu, Mar 30, 2017 at 11:35 AM, Ward Sladek <wsladekjr () hotmail com> wrote:Isn't NFQ an option here? Couldn't he just run snort w/ NFQ on each LAN iface and call it a day (assuming everything else is configured properly)? ________________________________ From: Stanford Prescott <stan.prescott () gmail com> Sent: Thursday, March 30, 2017 8:59 AM To: wkitty42 () windstream net Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Security onion sounds like a very nice option but is beyond the scope of what I am trying to do which is what can I reasonably do on our firewall distribution? I would like to be able to use snort inline on the firewall and use DAQ to enable the converting of sids from alerts to drops which seems more efficient to me than our present implementation of placing the IPs from alerts into an ipblock file. On Wed, Mar 29, 2017 at 9:12 PM, <wkitty42 () windstream net> wrote:On 03/29/2017 07:14 PM, Stanford Prescott wrote:Maybe I am going about this all wrong. If snort is going to monitoreachLANinterface is it really necessary for snort to also monitor the WAN interface?if you don't monitor the WAN interface, how can you catch inboundattacksbefore they get into the firewall mechanisms? is it not best to stop the cr4p /before/ it can enter the system? why waste resources transporting it all overyourLAN(s) before flushing it?If all traffic goes from the WAN interface to one or the other oftheLANinterfaces it seems that monitoring the WAN interface, too would be"double"monitoring the same traffic?with what you appear to be attempting to do, it will absolutely bedoublemonitoring... that's understandable and expected... however, if youaremonitoring the LAN side and catch something there, you can stop itfromgetting out (eg: phone home malware or the exfiltration of identity information)... same for monitoring inbound traffic on the WAN interface... using bridgingisonly to put snort in the position of gendarme and eliminate "our" activeresponsesystem... aside: why do you think that i've not carried "our" snort/activeresponseimplementation on "our" firewall product any further over all theseyears?it gets really deep really quickly and it is much easier to implementanothersolution for this monitoring rather than to put it all on theperimeterfirewall... especially when solutions like Security Onion already andareeasily implemented in another dedicated device like ""our"" perimeterfirewall...trying to use snort for the same purpose as "our" active responsesystemisgoing to be rough for one interface (the tuning and reactions are notableto be the same [eg: timed blocking]) but when you start trying to tie up tofourinterfaces into the monitoring, all hades rises up... from my previous example, you can see where a four interface setup(WAN,LAN1, LAN2, LAN3) easily becomes an eight interface setup (two per mainpipe sothat snort can be in the middle of them for its monitoring and dropping of unwanted traffic) and the whole thing is now four times as complicated... just build a security onion box with its own five interfaces (management plus oneforeach network connection to be monitored) and let it ride on the sidepassivelysniffing the traffic and stuffing it into whatever database withanalyticalsoftware is available... /then/ come up with some way for SO to talktotheperimeter firewall device so that it can adjust its traffic rules toblock(or allow after some period of time) traffic to/from bad players... OR whenever it happens and the VMs that have been spoken about finally come toreality,have one of them as a SO VM but there's still the needed communicationfrom SOto the perimeter firewall product to tell it to block or remove a block...On Wed, Mar 29, 2017 at 3:46 PM, Stanford Prescott <stan.prescott () gmail com>wrote:Yes, I figured you would see me, wkitty42. Thank you for trying tohelp. ;)I did see that reference about the interfaces in colon separatedpairswhen using DAQ for inline mode. I am having trouble conceptualizinghowthat bridging works on a Linux firewall where one interface is theWANandup to three additional interfaces are each a separate LAN in itsowndistinct non-overlapping private subnet. As with a typical NATrouterfirewall all WAN traffic is NATd to the appropriate LAN. My limited understanding is in order to have snort sniff and alertontraffic at each interface that multiple instances of snort runninginlineare required in order to have "bidirectional" monitoring. The present setup I am dealing with is that snort is installed onthefirewall box and only sniffs traffic arriving on the WAN interfacefromtheISP or incoming traffic. Snort is unable to sniff outgoing trafficfromtheinternal LANs and be able to tell where the traffic is coming frombecauseby the time traffic from the internal LANs arrives on the WANinterface,snort does not have access to where the originating outgoingtrafficisfrom. I know that is a poor explanation, sorry. Anyway, perhaps a diagram of the flow of traffic using multipleinstancesof snort running on a firewall distro would help describe how the interfaces need to be bridged. Does anyone know where a diagramlikethatmight be? On Wed, Mar 29, 2017 at 3:07 PM, James Lay <jlay () slave-tothe-box net>wrote:On 2017-03-29 13:27, wkitty42 () windstream net wrote:On 03/29/2017 02:15 PM, Stanford Prescott wrote:I need to know if the multiple interfaces can all be bridged totheWAN interface such that: WAN eth0 <---inline snort 1 -->LAN eth1 WAN eth0 <---inline snort 2 -->LAN eth2 etc. Can it be done?i don't think it can be done like that... likely it should bemorelikethis... WAN0(eth0) -> snort0 -> WAN0(eth1) -> current path for WAN0 toLANsLAN0(eth2) -> snort1 -> LAN0(eth3) -> current path for LAN0 toLANs&WAN0 LAN1(eth4) -> snort2 -> LAN1(eth5) -> current path for LAN1 toLANs&WAN0 LAN2(eth6) -> snort3 -> LAN2(eth7) -> current path for LAN2 toLANs&WAN0 each snort instance has to have its own two interfaces tobridge...remember, each bridge is a dedicated tunnel from one entry point to theexitpoint with snort processing the data traveling through the tunnel... something else to think about: each snort should also have itsownconfigs... some parts of the configs can be common and shared between allsnortinstances while others must be discrete and separate... one should alsoconsiderthe need for different rules to be in effect for the different snort instances... eg: LAN0 may allow TOR traffic but TOR is denied on LAN1 andLAN2...PS: i see you ;)On Tue, Mar 28, 2017 at 1:20 PM, Stanford Prescott <stan.prescott () gmail com> wrote:I am trying to learn some of the ins and outs of snort. Isthere atutorial somewhere that outlines how to setup snort in inlinemodeusing daq on a Linux netfilter firewall. It is a typical firewallsetupwith interfaces of, for example: eth0 -> WAN interface with public IP address eth1 -> 1st protected LAN interface with unique subnet eth2 -> 2nd protected LAN interface with unique subnet etc.... I would need multiple instances of snort with instance1 eth0 <---> eth1 (bidirectional) instance2 eth0 <---> eth2 " etc. Thank you!And per the daq README: AFPACKET Module =============== afpacket functions similar to the pcap DAQ but with betterperformance:./snort --daq afpacket -i <device> [--daq-var buffer_size_mb=<#MB>] [--daq-var debug] If you want to run afpacket in inline mode, you must craft thedevicestring as one or more interface pairs, where each member of a pair isseparatedbya single colon and each pair is separated by a double colon likethis:eth0:eth1 or this: eth0:eth1::eth2:eth3 This applies to PF_RING as well. James ------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users Info Page - SourceForge - Download, Develop ...< https://lists.sourceforge.net/lists/listinfo/snort-users> lists.sourceforge.net This list is for general discussion of Snort usage, problems, design, etc. Do not use this list, or the members of this list to market your or any other products to.Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-usersPlease visit http://blog.snort.org to stay current on all thelatestSnort Blog<http://blog.snort.org/> blog.snort.org Just released: Snort Subscriber Rule Set Update for 03/23/2017 We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new ...Snort news!------------------------------------------------------------------------------Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all thelatestSnort news!-- NOTE: No off-list assistance is given without prior approval. *Please keep mailing list traffic on the list* unless private contact is specifically requested and granted. ------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall), (continued)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) James Lay (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Jack Pepper (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) wkitty42 (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Ward Sladek (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) James Lay (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) James Lay (Mar 30)