This is a discussion on [Snort-users] Re: Inline IP_Forwarding and other simple questions? within the Snort forums, part of the System Security and Security Related category.
> What I am asking is since this uses IPTABLES, should I just set up permanent
> "firewall type" IPTABLE rules and then use the modified snort rules to take
> care of the resets, drops, etc?

Yes

On Tue, 28 Dec 2004 18:02:12 -0500, Michael D. Peters <mdpeters@lazarusalliance.com> wrote:
> What I am asking is since this uses IPTABLES, should I just set up permanent
> "firewall type" IPTABLE rules and then use the modified snort rules to take
> care of the resets, drops, etc?
>
>
> Will Metcalf writes:
>
> >> If I have something like this: <GATEWAY-ROUTER> connected to <FIREWALL>
> >> connected to <SNORT_INLINE> connected to <NETWORK HUB OR SWITCH>. Would I
> >> set the "var HOME_NET any" to "var HOME_NET nnn.nnn.nnn.nnn/xx"?
> >
> > Yes
> >
> >> Do I need to make a startup script for IPTABLE rules or do I rely on
> >> drop.rules or both? I'm inclined to think that the firewall rules will be
> >> essentially duplicated with IPTABLES and the drop.rules interactively
> >> supplement the IPTABLES.
> >
> > I'm not really sure what you are asking for here...... Usually it is
> > a good idea to have a couple of iptables rules to check state for tcp
> > state etc. Just off the top of my head.....
> >
> > iptables -P FORWARD DROP
> > iptables -A FORWARD -p tcp --syn -m state --state NEW -j QUEUE
> > iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j QUEUE
> > iptables -A FORWARD -p udp -j QUEUE
> > iptables -A FORWARD -p icmp -j QUEUE
> >
> >> Would MySQL logging be done the same way for Snort-inline as it is with
> >> regular Snort?
> >>
> >> output database: alert, mysql, dbname=snort user=snortuser host=localhost
> >> password=snortuserpassword
> >
> > Yes
> >
> > Regards,
> >
> > Will
> >
> >
> > On Tue, 28 Dec 2004 10:58:28 -0500, mdpeters
> > <michael.peters@lazarusalliance.com> wrote:
> >> Concerning the snort-inline.conf file, are the "var" statements relevant?
> >> Should I specify the network and subnet that the snort-inline box runs on?
> >>
> >> If I have something like this: <GATEWAY-ROUTER> connected to <FIREWALL>
> >> connected to <SNORT_INLINE> connected to <NETWORK HUB OR SWITCH>. Would I
> >> set the "var HOME_NET any" to "var HOME_NET nnn.nnn.nnn.nnn/xx"?
> >>
> >> Do I need to make a startup script for IPTABLE rules or do I rely on
> >> drop.rules or both? I'm inclined to think that the firewall rules will be
> >> essentially duplicated with IPTABLES and the drop.rules interactively
> >> supplement the IPTABLES.
> >>
> >> Thank you for the continued education and assistance. :)
> >>
> >> ----- Original Message -----
> >> From: "Will Metcalf" <william.metcalf@gmail.com>
> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
> >> Sent: Monday, December 27, 2004 12:04 PM
> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple questions?
> >>
> >>
> >> > because, you are not pulling traffic off of the bridge. You are
> >> > pulling traffic out of iptables, via the QUEUE target. As far as the
> >> > rules go, you need to convert alert to drop/sdrop/reject.
> >> >
> >> > Regards,
> >> >
> >> > Will
> >> >
> >> >
> >> > On Mon, 27 Dec 2004 11:36:10 -0500, mdpeters
> >> > <michael.peters@lazarusalliance.com> wrote:
> >> >> One instance for both interfaces or just one like you wrote? How does it
> >> >> know what interface the bridge is on?
> >> >>
> >> >>
> >> >> ----- Original Message -----
> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
> >> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
> >> >> Sent: Monday, December 27, 2004 11:00 AM
> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple questions?
> >> >>
> >> >> > look at inline readme file under doc in your source.
> >> >> >
> >> >> > you were close....
> >> >> >
> >> >> > /opt/snort/bin/snort-inline -Q -l /var/log/snort/ -D -c
> >> >> > /opt/snort/etc/snort_inline.conf
> >> >> >
> >> >> > something like that...
> >> >> >
> >> >> > Regards,
> >> >> >
> >> >> > Will
> >> >> >
> >> >> >
> >> >> > On Mon, 27 Dec 2004 09:46:33 -0500, mdpeters
> >> >> > <michael.peters@lazarusalliance.com> wrote:
> >> >> >> Right now I have this running:
> >> >> >>
> >> >> >> /opt/snort/bin/snort-inline -Q -c /opt/snort/etc/inline1.conf -i eth1 -l
> >> >> >> /var/log/snort-inline1 -D
> >> >> >> /opt/snort/bin/snort-inline -Q -c /opt/snort/etc/inline2.conf -i eth2 -l
> >> >> >> /var/log/snort-inline2 -D
> >> >> >>
> >> >> >> I apparently do not understand how inline works.
> >> >> >>
> >> >> >> What would the snort-inline command be to work on a transparent bridge
> >> >> >> snort-inline with iptables?
> >> >> >>
> >> >> >> Where can I read up?
> >> >> >>
> >> >> >> I appreciate your help!
> >> >> >>
> >> >> >> ----- Original Message -----
> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
> >> >> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
> >> >> >> Sent: Monday, December 27, 2004 8:14 AM
> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple questions?
> >> >> >>
> >> >> >> > neither you would use the -Q switch to tell snort to read from
> >> >> >> > ip_queue. Then you have to send traffic to snort with iptables with
> >> >> >> > a rule like this.
> >> >> >> >
> >> >> >> > iptables -A FORWARD -j QUEUE
> >> >> >> >
> >> >> >> >
> >> >> >> > On Mon, 27 Dec 2004 00:06:30 -0500, mdpeters
> >> >> >> > <michael.peters@lazarusalliance.com> wrote:
> >> >> >> >> Would I need to use the bridge "br0" group interface or the
> >> >> >> >> individual interfaces "eth0" and "eth1" that make up the group for the
> >> >> >> >> Snort-inline start command?
> >> >> >> >>
> >> >> >> >> Thanks,
> >> >> >> >> Michael
> >> >> >> >>
> >> >> >> >> ----- Original Message -----
> >> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
> >> >> >> >> To: "Matt Kettler" <mkettler@evi-inc.com>
> >> >> >> >> Cc: "mdpeters" <michael.peters@lazarusalliance.com>;
> >> >> >> >> <snort-users@lists.sourceforge.net>
> >> >> >> >> Sent: Thursday, December 23, 2004 4:43 PM
> >> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple questions?
> >> >> >> >>
> >> >> >> >> > Well said, except that drop does not reset the connection. Using
> >> >> >> >> > reject will drop and reset the connection.
> >> >> >> >> >
> >> >> >> >> > Regards,
> >> >> >> >> >
> >> >> >> >> > Will
> >> >> >> >> >
> >> >> >> >> > On Thu, 23 Dec 2004 15:21:37 -0500, Matt Kettler
> >> >> >> >> > <mkettler@evi-inc.com> wrote:
> >> >> >> >> >> At 02:04 PM 12/23/2004, mdpeters wrote:
> >> >> >> >> >> > Do I need to enable ip_forwarding on for the transparent bridge
> >> >> >> >> >> > to work?
> >> >> >> >> >>
> >> >> >> >> >> As I understand it, you explicitly MUST NOT enable ip_forwarding,
> >> >> >> >> >> otherwise your snort-inline is a "pass all".
> >> >> >> >> >>
> >> >> >> >> >> >
> >> >> >> >> >> > Do I need to install ebtables for inline to disrupt traffic or is
> >> >> >> >> >> > iptables, libnet, and libpcap all that I might need?
> >> >> >> >> >>
> >> >> >> >> >> AFAIK you don't need ebtables. You do need libipq for inline and
> >> >> >> >> >> libnet. This is how snort-inline attaches to iptables, by using
> >> >> >> >> >> libipq instead of using libpcap.
> >> >> >> >> >>
> >> >> >> >> >>
> >> >> >> >> >> > It is my impression that iptables just firewalls with static
> >> >> >> >> >> > rules.
> >> >> >> >> >>
> >> >> >> >> >> On its own, yes, but IPTables is VERY extensible via libipq..
> >> >> >> >> >>
> >> >> >> >> >> That's where snort-inline comes in. Snort-inline interacts with
> >> >> >> >> >> iptables. It doesn't do things like create iptables rules to block
> >> >> >> >> >> packets; the whole system becomes an iptables rule, it just happens
> >> >> >> >> >> to be a rule that runs snort instead of some simple expression.
> >> >> >> >> >>
> >> >> >> >> >>
> >> >> >> >> >> >
> >> >> >> >> >> > Do the snort rules running on the transparent inline snort box
> >> >> >> >> >> > reset the traffic that passes through using inline?
> >> >> >> >> >>
> >> >> >> >> >> Depends on if you use DROP or SDROP :).. However, inline doesn't
> >> >> >> >> >> JUST reset the traffic.. it also prevents the packet from being
> >> >> >> >> >> forwarded at all. DROP will also reset, SDROP won't.
> >> >> >> >> >>
> >> >> >> >> >> Snort 2.3's inline capacity is a direct port of snort-inline. You
> >> >> >> >> >> might want to check their FAQ for other info:
> >> >> >> >> >>
> >> >> >> >> >> http://snort-inline.sourceforge.net/FAQ.html
> >> >> >> >> >>
> >> >> >> >> >
> >> >> >> >>
> >> >> >> >
> >> >> >>
> >> >> >
> >> >>
> >> >
> >>
> >
>
> Best regards,
>
> Michael D. Peters
> Director of Security Services
> CISSP
> Lazarus Alliance Inc.
> M: 502-767-3448
> O: 502-231-8017 x8
> H: 502-231-6923
> F: 502-231-5347
>
> michael.peters@lazarusalliance.com
> www.lazarusalliance.com
>
> Verify here: http://wwwkeys.us.pgp.net
>

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
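The pieces the thread arrives at (bridge the two interfaces, hand the FORWARD chain to ip_queue behind a default DROP policy, start a single snort-inline with -Q, and rewrite rule actions from alert to drop/sdrop/reject) put together as one shell script. This is an added example, not code from the thread or from the snort-inline project; the eth1/eth2 interface names, the br0 bridge, the /opt/snort paths, the function names and the sample rules are assumptions. The setup function prints the commands rather than executing them so they can be reviewed before being piped to sh as root. Two caveats a practitioner will want: with iptables -P FORWARD DROP the sensor fails closed, so if snort-inline is not running, or the ip_queue module is not loaded, nothing is forwarded at all; and the QUEUE target with ip_queue is the 2004-era interface, which later kernels replaced with NFQUEUE and nfnetlink_queue, so on a current system the -j QUEUE lines need changing. Of the three inline actions, drop logs and discards, sdrop discards silently, and reject discards and sends a TCP RST (or ICMP unreachable for UDP).

```shell
#!/bin/sh
# Added example, not from the thread or the snort-inline project.
# Assumed: eth1/eth2 bridged as br0, snort-inline installed under /opt/snort,
# a 2.4/2.6-era kernel with ip_queue (the QUEUE target) and bridge-netfilter.

# Emit the bridge + iptables + snort-inline start-up as text so it can be
# reviewed before running as root, e.g.:  gen_inline_setup eth1 eth2 | sh
gen_inline_setup() {
    in_if=${1:-eth1}
    out_if=${2:-eth2}
    cat <<EOF
modprobe ip_queue
brctl addbr br0
brctl addif br0 $in_if
brctl addif br0 $out_if
ifconfig $in_if 0.0.0.0 up
ifconfig $out_if 0.0.0.0 up
ifconfig br0 up
# bridged frames only reach the FORWARD chain when bridge-netfilter is on
[ -w /proc/sys/net/bridge/bridge-nf-call-iptables ] && echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
iptables -F FORWARD
# fail closed: anything not handed to snort-inline is dropped, including a
# TCP packet that is NEW but carries no SYN
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --syn -m state --state NEW -j QUEUE
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j QUEUE
iptables -A FORWARD -p udp -j QUEUE
iptables -A FORWARD -p icmp -j QUEUE
# one instance reads the whole queue; no -i is needed for inline mode
/opt/snort/bin/snort-inline -Q -D -l /var/log/snort -c /opt/snort/etc/snort_inline.conf
EOF
}

# Rewrite "alert" rules read from stdin to the given inline action
# (drop, sdrop or reject). Only the action keyword at the start of an
# uncommented rule is touched; comments, blank lines and rules with other
# actions (pass, log, ...) pass through unchanged.
convert_rule_actions() {
    action=${1:-drop}
    case "$action" in
        drop|sdrop|reject) ;;
        *) echo "unknown inline action: $action" >&2; return 1 ;;
    esac
    sed -e "s/^[[:space:]]*alert[[:space:]]\{1,\}/$action /"
}

# Demo on constructed input: print the setup, then convert three sample rules.
gen_inline_setup eth1 eth2
printf '%s\n' \
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test"; sid:1000001; rev:1;)' \
    '# alert udp any any -> any 53 (msg:"commented out"; sid:1000002;)' \
    'pass icmp any any -> any any (sid:1000003;)' \
    | convert_rule_actions reject
```

Run the converter over a copy of the rule set (for example `convert_rule_actions drop < snort.rules > drop.rules`) rather than in place, so the alert-only copy remains available for a passive sensor.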