Problem with bridge with Snort

[giovanni guadagnini via Snort-users <snort-users () lists snort org>]

Hi.
Trying to follow this guide
http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/ I created
a snorted bridge. The bridge work correctly but it doesn't filter the
content.
I explain better I'm trying to build a bridge that intercept and block the
request for stream video directed to a DVR (of video surveillance).
The partition of network is like this
LAN--CLIENT--> BRIDGE (whit snort) --> DVR --> CAM
I ask to the site administrator but he tell me than he don't know why it
doesn't work, and he told me to try and ask to you.
I Hope you can help me.
Below are the mails we sent each other:
--------------------------------------------------------------------------------------------
> > > > > From: Giovanni <giovanni.guadagnini () gmail com>
> > > > > Subject: IPS bridge

> > > > > Message Body:
> > > > > Hi is it possible to create a bridge with an IPS system like snort
> > > > > that only have to check the string content of a packets and drop it?
> > > > > but
> > > > > the bridge have to operate on the same network segment, not on two
> > > > > different segments

> > > > > example:

> > > > > 192.168.0.0/24(network) --> bridge --> 192.168.0.0/24 (network)

> > > > > the bridge can drop a packet with the string "Channel/1" and let pass
> > > > > the rest?

> > > > > Sorry for my english
----------------------------------------------------------------------------
> > > > Il giorno mer 13 set 2017 alle ore 16:15 Noah Dietrich <
> > > > noah_dietrich () 86penny org> ha scritto:

> > > > > Yes, that is possible. Set up snort in inline mode using afpacket, see
> > > > > my website for an example.
> > > > > Then you can create a rule to alert or drop based on the content
---------------------------------------------------------------------------
> > > On Fri, Sep 15, 2017 at 2:26 PM, giovanni guadagnini <
> > > giovanni.guadagnini () gmail com> wrote:

> > > > Hi, I follow the guide on your website. When I execute the command "
> > > > sudo /usr/local/bin/snort -A console -Q -c /etc/snort/snort.conf -i
> > > > eth1:eth2 -N" I see the message which tells me that Snort has
> > > > intercepted the packet but even if I put drop in the rule the packet
> > > > is not
> > > > dropped and it pass the bridge. Im sure that the bridge is properly
> > > > running. What can I do?
---------------------------------------------------------------------------
> > Il giorno mer 27 set 2017 alle ore 09:09 Noah Dietrich <
> > noah_dietrich () 86penny org> ha scritto:

> > > Hi Giovanni,
> > > I am not sure why it is not dropping, does the message pass to the
> > > remote system?
> > > Your command looks correct, what does your rule look like?
---------------------------------------------------------------------------
> On Wed, Sep 27, 2017 at 5:39 PM, giovanni guadagnini <
> giovanni.guadagnini () gmail com> wrote:

> > Yes unfortunately it pass to the remote system.
> > The rule was like this: "drop tcp any any -> 192.168.0.129 any (msg:
> > "Video stream incoming packet found"; content:"Channels/101";
> > sid:1000001;
> > rev:1; react:block;)".
> > And when I executed the command "sudo /usr/local/bin/snort -A console -Q
> > -c /etc/snort/snort.conf -i eth1:eth2 -N" I saw that snort was
> > intercepting the packet; but the packet passed the same to the remote
> > system.

> > Pratically I have to block packets directed to a dvr (video
> > surveillance) that contain the following string "Channels/101".

> > The network scheme is about this: PC-CLIENT --> bridge (snorted) -->
> > DVR; the dvr manage ip cameras, the dvr is connected only to the bridge
> > and the bridge is connected to the LAN.
> > The client requires the dvr to stream the video of ip cam with a packet
> > that contains "Channels/" followed the number of the camera, I have to
> > block the traffic of certain cam.
------------------------------------------------------------------------------
On Gio 28 Set 2017, 08:38 Noah Dietrich <noah_dietrich () 86penny org> wrote:

> two last things you might try, adding the following two flags when running
> snort:

> -k none
> -P 9000

> For example, your command would be:
> sudo /usr/local/bin/snort -A console -Q -c /etc/snort/snort.conf -i
> eth1:eth2 -N -k none -P 9000

> This will prevent fragmented packets and oversized frames from being
> ignored.  If that doesn't fix the issue, i'd reccomend you ask the
> Snort-users list, as i'm not sure what the issue is.

> Noah
---------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!