This is a discussion on Re: [Snort-users] Re: Inline IP_Forwarding and other simple questions? within the Snort forums, part of the System Security and Security Related category.
Just for grins try to leave the default in there and see if it still dies. If it does, send me a core dump.

Regards,

Will

On Thu, 30 Dec 2004 09:50:02 -0500, mdpeters <michael.peters@lazarusalliance.com> wrote:
> I am trying to set up Snort-inline. When I enable "config layer2resets:" it dies. Do I need to include the MAC of the bridge group, in my case, 00:04:23:AD:ED:BA, to get it to reset connections with IPTABLES?
>
> config layer2resets: 00:04:23:AD:ED:BA
>
> eth0 00:04:23:AD:ED:BA
> eth1 00:04:23:AD:ED:BB
> br0 00:04:23:AD:ED:BA
>
> Also, concerning rules for Snort-inline. Do I take the rules included in the tarball and modify the *.rules to something like this:
>
> drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
>
> or
>
> sdrop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
>
> or
>
> reject icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
>
> or
>
> drop icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
>
> or something like these?
>
> Thanks,
>
> Michael
>
> ----- Original Message -----
> From: "Will Metcalf" <william.metcalf@gmail.com>
> To: "Michael D. Peters" <mdpeters@lazarusalliance.com>
> Cc: "mdpeters" <michael.peters@lazarusalliance.com>; <snort-users@lists.sourceforge.net>
> Sent: Tuesday, December 28, 2004 6:16 PM
> Subject: [Snort-users] Re: Inline IP_Forwarding and other simple questions?
>
> >> What I am asking is since this uses IPTABLES, should I just set up permanent "firewall type" IPTABLE rules and then use the modified snort rules to take care of the resets, drops, etc?
> >
> > Yes
> >
> > On Tue, 28 Dec 2004 18:02:12 -0500, Michael D. Peters <mdpeters@lazarusalliance.com> wrote:
> >> What I am asking is since this uses IPTABLES, should I just set up permanent "firewall type" IPTABLE rules and then use the modified snort rules to take care of the resets, drops, etc?
> >>
> >> Will Metcalf writes:
> >>
> >> >> If I have something like this: <GATEWAY-ROUTER> connected to <FIREWALL> connected to <SNORT_INLINE> connected to <NETWORK HUB OR SWITCH>. Would I set the "var HOME_NET any" to "var HOME_NET nnn.nnn.nnn.nnn/xx"?
> >> >
> >> > Yes
> >> >
> >> >> Do I need to make a startup script for IPTABLE rules or do I rely on drop.rules or both? I'm inclined to think that the firewall rules will be essentially duplicated with IPTABLES and the drop.rules interactively supplement the IPTABLES.
> >> >
> >> > I'm not really sure what you are asking for here...... Usually it is a good idea to have a couple of iptables rules to check state for tcp state etc. Just off the top of my head.....
> >> >
> >> > iptables -P FORWARD DROP
> >> > iptables -A FORWARD -p tcp --syn -m state --state NEW -j QUEUE
> >> > iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j QUEUE
> >> > iptables -A FORWARD -p udp -j QUEUE
> >> > iptables -A FORWARD -p icmp -j QUEUE
> >> >
> >> >> Would MySQL logging be done the same way for Snort-inline as it is with regular Snort?
> >> >>
> >> >> output database: alert, mysql, dbname=snort user=snortuser host=localhost password=snortuserpassword
> >> >
> >> > Yes
> >> >
> >> > Regards,
> >> >
> >> > Will
> >> >
> >> > On Tue, 28 Dec 2004 10:58:28 -0500, mdpeters <michael.peters@lazarusalliance.com> wrote:
> >> >> Concerning the snort-inline.conf file, are the "var" statements relevant? Should I specify the network and subnet that the snort-inline box runs on?
> >> >>
> >> >> If I have something like this: <GATEWAY-ROUTER> connected to <FIREWALL> connected to <SNORT_INLINE> connected to <NETWORK HUB OR SWITCH>. Would I set the "var HOME_NET any" to "var HOME_NET nnn.nnn.nnn.nnn/xx"?
> >> >>
> >> >> Do I need to make a startup script for IPTABLE rules or do I rely on drop.rules or both? I'm inclined to think that the firewall rules will be essentially duplicated with IPTABLES and the drop.rules interactively supplement the IPTABLES.
> >> >>
> >> >> Thank you for the continued education and assistance. :)
> >> >>
> >> >> ----- Original Message -----
> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
> >> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
> >> >> Sent: Monday, December 27, 2004 12:04 PM
> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple questions?
> >> >>
> >> >> > Because you are not pulling traffic off of the bridge. You are pulling traffic out of iptables, via the QUEUE target. As far as the rules go, you need to convert alert to drop/sdrop/reject.
> >> >> >
> >> >> > Regards,
> >> >> >
> >> >> > Will
> >> >> >
> >> >> > On Mon, 27 Dec 2004 11:36:10 -0500, mdpeters <michael.peters@lazarusalliance.com> wrote:
> >> >> >> One instance for both interfaces or just one like you wrote? How does it know what interface the bridge is on?
> >> >> >>
> >> >> >> ----- Original Message -----
> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
> >> >> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
> >> >> >> Sent: Monday, December 27, 2004 11:00 AM
> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple questions?
> >> >> >>
> >> >> >> > Look at the inline readme file under doc in your source.
> >> >> >> >
> >> >> >> > You were close....
> >> >> >> >
> >> >> >> > /opt/snort/bin/snort-inline -Q -l /var/log/snort/ -D -c /opt/snort/etc/snort_inline.conf
> >> >> >> >
> >> >> >> > Something like that...
> >> >> >> >
> >> >> >> > Regards,
> >> >> >> >
> >> >> >> > Will
> >> >> >> >
> >> >> >> > On Mon, 27 Dec 2004 09:46:33 -0500, mdpeters <michael.peters@lazarusalliance.com> wrote:
> >> >> >> >> Right now I have this running:
> >> >> >> >>
> >> >> >> >> /opt/snort/bin/snort-inline -Q -c /opt/snort/etc/inline1.conf -i eth1 -l /var/log/snort-inline1 -D
> >> >> >> >> /opt/snort/bin/snort-inline -Q -c /opt/snort/etc/inline2.conf -i eth2 -l /var/log/snort-inline2 -D
> >> >> >> >>
> >> >> >> >> I apparently do not understand how inline works.
> >> >> >> >>
> >> >> >> >> What would the snort-inline command be to work on a transparent bridge snort-inline with iptables?
> >> >> >> >>
> >> >> >> >> Where can I read up?
> >> >> >> >>
> >> >> >> >> I appreciate your help!
> >> >> >> >>
> >> >> >> >> ----- Original Message -----
> >> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
> >> >> >> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
> >> >> >> >> Sent: Monday, December 27, 2004 8:14 AM
> >> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple questions?
> >> >> >> >>
> >> >> >> >> > Neither; you would use the -Q switch to tell snort to read from ip_queue. Then you have to send traffic to snort with iptables with a rule like this.
> >> >> >> >> >
> >> >> >> >> > iptables -A FORWARD -j QUEUE
> >> >> >> >> >
> >> >> >> >> > On Mon, 27 Dec 2004 00:06:30 -0500, mdpeters <michael.peters@lazarusalliance.com> wrote:
> >> >> >> >> >> Would I need to use the bridge "br0" group interface or the individual interfaces "eth0" and "eth1" that make up the group for the Snort-inline start command?
> >> >> >> >> >>
> >> >> >> >> >> Thanks,
> >> >> >> >> >> Michael
> >> >> >> >> >>
> >> >> >> >> >> ----- Original Message -----
> >> >> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
> >> >> >> >> >> To: "Matt Kettler" <mkettler@evi-inc.com>
> >> >> >> >> >> Cc: "mdpeters" <michael.peters@lazarusalliance.com>; <snort-users@lists.sourceforge.net>
> >> >> >> >> >> Sent: Thursday, December 23, 2004 4:43 PM
> >> >> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple questions?
> >> >> >> >> >>
> >> >> >> >> >> > Well said, except that drop does not reset the connection. Using reject will drop and reset the connection.
> >> >> >> >> >> >
> >> >> >> >> >> > Regards,
> >> >> >> >> >> >
> >> >> >> >> >> > Will
> >> >> >> >> >> >
> >> >> >> >> >> > On Thu, 23 Dec 2004 15:21:37 -0500, Matt Kettler <mkettler@evi-inc.com> wrote:
> >> >> >> >> >> >> At 02:04 PM 12/23/2004, mdpeters wrote:
> >> >> >> >> >> >> > Do I need to enable ip_forwarding on for the transparent bridge to work?
> >> >> >> >> >> >>
> >> >> >> >> >> >> As I understand it, you explicitly MUST NOT enable ip_forwarding, otherwise your snort-inline is a "pass all".
> >> >> >> >> >> >>
> >> >> >> >> >> >> > Do I need to install ebtables for inline to disrupt traffic or is iptables, libnet, and libpcap all that I might need?
> >> >> >> >> >> >>
> >> >> >> >> >> >> AFAIK you don't need ebtables. You do need libipq for inline and libnet. This is how snort-inline attaches to iptables, by using libipq instead of using libpcap.
> >> >> >> >> >> >>
> >> >> >> >> >> >> > It is my impression that iptables just firewalls with static rules.
> >> >> >> >> >> >>
> >> >> >> >> >> >> On its own, yes, but IPTables is VERY extensible via libipq..
> >> >> >> >> >> >>
> >> >> >> >> >> >> That's where snort-inline comes in. Snort-inline interacts with iptables. It doesn't do things like create iptables rules to block packets; the whole system becomes an iptables rule, it just happens to be a rule that runs snort instead of some simple expression.
> >> >> >> >> >> >>
> >> >> >> >> >> >> > Do the snort rules running on the transparent inline snort box reset the traffic that passes through using inline?
> >> >> >> >> >> >>
> >> >> >> >> >> >> Depends on if you use DROP or SDROP :).. However, inline doesn't JUST reset the traffic.. it also prevents the packet from being forwarded at all. DROP will also reset, SDROP won't.
> >> >> >> >> >> >>
> >> >> >> >> >> >> Snort 2.3's inline capacity is a direct port of snort-inline. You might want to check their FAQ for other info:
> >> >> >> >> >> >>
> >> >> >> >> >> >> http://snort-inline.sourceforge.net/FAQ.html
> >> >> >> >> >> >>
> >> >> >> >> >> >> -------------------------------------------------------
> >> >> >> >> >> >> SF email is sponsored by - The IT Product Guide
> >> >> >> >> >> >> Read honest & candid reviews on hundreds of IT Products from real users.
> >> >> >> >> >> >> Discover which products truly live up to the hype. Start reading now.
> >> >> >> >> >> >> http://productguide.itmanagersjournal.com/
> >> >> >> >> >> >> _______________________________________________
> >> >> >> >> >> >> Snort-users mailing list
> >> >> >> >> >> >> Snort-users@lists.sourceforge.net
> >> >> >> >> >> >> Go to this URL to change user options or unsubscribe:
> >> >> >> >> >> >> https://lists.sourceforge.net/lists/...fo/snort-users
> >> >> >> >> >> >> Snort-users list archive:
> >> >> >> >> >> >> http://www.geocrawler.com/redir-sf.p...st=snort-users
> >>
> >> Best regards,
> >>
> >> Michael D. Peters
> >> Director of Security Services
> >> CISSP
> >> Lazarus Alliance Inc.
> >> M: 502-767-3448
> >> O: 502-231-8017 x8
> >> H: 502-231-6923
> >> F: 502-231-5347
> >>
> >> michael.peters@lazarusalliance.com
> >> www.lazarusalliance.com
> >>
> >> Verify here: http://wwwkeys.us.pgp.net
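The bridge, iptables and rule-conversion steps the thread walks through, collected into one script as an added example; this is not code from the thread or from the snort-inline project. The iptables FORWARD rules are the state-aware set Will posted, and the converter does what he advised (alert becomes drop, sdrop or reject). Everything else is an assumption for illustration: the interface and bridge names (eth0, eth1, br0), the brctl/ifconfig commands, the ip_queue module, and the bridge-netfilter sysctl that makes bridged IP packets traverse the iptables FORWARD chain at all. The setup function prints the commands rather than running them, so it can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example for the snort-inline bridge setup discussed in this thread.
# Not code from the thread or the snort-inline project. Assumptions: eth0/eth1
# bridged as br0, a 2.4/2.6 kernel with the ip_queue module and bridge-netfilter,
# and rule files in the usual "action proto src sport -> dst dport (...)" layout.

# Print (do not apply) the bridge and iptables setup. Pipe into sh as root to
# apply. FORWARD policy is DROP so nothing is forwarded while snort-inline is not
# attached to the queue; NEW TCP connections are only queued when they start
# with a SYN, everything else must be RELATED or ESTABLISHED.
emit_inline_setup() {
    br=${1:-br0}        # bridge name (assumption)
    in_if=${2:-eth0}    # bridge member facing the firewall (assumption)
    out_if=${3:-eth1}   # bridge member facing the LAN (assumption)
    cat <<EOF
# layer-2 bridge: no IP address on the members and no ip_forward needed
brctl addbr $br
brctl addif $br $in_if
brctl addif $br $out_if
ifconfig $in_if 0.0.0.0 up
ifconfig $out_if 0.0.0.0 up
ifconfig $br up
# bridged IP packets only hit the iptables FORWARD chain with bridge-netfilter
# enabled (assumption: this sysctl exists on the kernel in use)
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
# userspace queue that snort-inline -Q reads from (assumption: built as a module)
modprobe ip_queue
# state-aware QUEUE rules as posted in the thread
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -p tcp --syn -m state --state NEW -j QUEUE
iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j QUEUE
iptables -A FORWARD -p udp -j QUEUE
iptables -A FORWARD -p icmp -j QUEUE
EOF
}

# Rewrite the action keyword of Snort rules read on stdin: alert -> drop, sdrop
# or reject. Only a leading "alert" is touched, so "alert" inside a msg:"..."
# string, comment lines and blank lines pass through unchanged.
# Usage: convert_rule_action reject < icmp.rules > icmp.inline.rules
convert_rule_action() {
    action=$1
    case $action in
        drop|sdrop|reject) ;;
        *) echo "convert_rule_action: use drop, sdrop or reject" >&2; return 1 ;;
    esac
    sed -e "s/^[[:space:]]*alert[[:space:]]/$action /"
}

# Count rules on stdin that still use alert, so a converted rule set can be
# checked before it is loaded into snort-inline. Prints the count.
count_alert_rules() {
    grep -c '^[[:space:]]*alert[[:space:]]' || true
}
```

Inspect the setup first (`emit_inline_setup br0 eth0 eth1`) and apply it with `emit_inline_setup | sh` once you are happy with it; the DROP policy means the bridge passes nothing until snort-inline is started with -Q, which is the fail-closed behaviour you want from an inline sensor. For the rules, `count_alert_rules < converted.rules` should print 0 before the file goes into snort_inline.conf.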