Snort mailing list archives

Re: Is it a bug?
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 2 Dec 2013 08:14:45 -0500

This does not sound like a bug.  You basically have Snort running from what
I can tell.  I suggest you do a little more testing and post an update to
the users list.

Some things to consider:

-- What do you mean the interfaces "hang"?  Not passing any packets as
observed from the endpoints?

-- Check Snort's shutdown stats.  Is it seeing all the packets you are
sending?  What are the verdicts?

-- Try adding config policy_mode: tap to your conf to prevent Snort from
blocking anything.  Do your results differ?

-- Stick with afpacket until you get things working.  It is much simpler to
set up than NFQ.

Russ
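
Russ's second and third points (check the shutdown stats, then retest with config policy_mode: tap) are the diagnostic that separates "Snort is blocking" from "the DAQ is not seeing packets". The script below is an added example, not code from this thread or from the Snort project: it parses the "Packet I/O Totals" and "Verdicts" sections Snort 2.9.x prints at shutdown and classifies the run. The report text is constructed, and the assumption that every counter appears as a "Label: number" line under a "Section:" header is mine; labels and spacing can differ between builds.

```python
"""Summarize the statistics Snort 2.9.x prints at shutdown, to answer the two
questions raised above: did Snort analyze every packet the DAQ received, and
did any packet get a blocking verdict?

The report text below is constructed to imitate the "Packet I/O Totals" and
"Verdicts" sections; exact labels and column widths vary between builds, so
the parser keys on "Label: <number>" pairs under a "Section:" header rather
than on column positions (an assumption about the format, not a guarantee).
"""
import re
from typing import Dict, Optional

# Constructed sample, not captured from the poster's machine.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:            63
   Analyzed:            63 (100.000%)
    Dropped:             0 (  0.000%)
   Filtered:             0 (  0.000%)
Outstanding:             0 (  0.000%)
   Injected:             0
===============================================================================
Action Stats:
     Alerts:             0 (  0.000%)
     Logged:             0 (  0.000%)
     Passed:             0 (  0.000%)
Verdicts:
      Allow:            58 ( 92.063%)
      Block:             5 (  7.937%)
    Replace:             0 (  0.000%)
  Whitelist:             0 (  0.000%)
  Blacklist:             0 (  0.000%)
     Ignore:             0 (  0.000%)
===============================================================================
"""

SECTION_RE = re.compile(r"^(\S[^:]*):\s*$")            # "Verdicts:" on its own
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+):\s+(\d+)")   # "   Block:    5 (  7.9%)"


def parse_sections(text: str) -> Dict[str, Dict[str, int]]:
    """Map each 'Section:' header to the {counter: value} lines under it.
    Separator lines of '=' and blank lines are skipped."""
    sections: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        counter = COUNTER_RE.match(line)
        if counter and current is not None:
            sections[current][counter.group(1).strip()] = int(counter.group(2))
    return sections


def saw_everything(sections: Dict[str, Dict[str, int]]) -> bool:
    """True when every received packet was analyzed and the DAQ dropped none."""
    io = sections["Packet I/O Totals"]
    return io["Received"] == io["Analyzed"] and io.get("Dropped", 0) == 0


def blocked_count(sections: Dict[str, Dict[str, int]]) -> int:
    """Packets that got a blocking verdict (Block or Blacklist)."""
    verdicts = sections.get("Verdicts", {})
    return verdicts.get("Block", 0) + verdicts.get("Blacklist", 0)


def diagnose(text: str) -> str:
    """'dropping' if the DAQ lost packets, 'blocking' if any packet was blocked,
    otherwise 'passing'. With 'config policy_mode: tap' in snort.conf the
    expected answer is 'passing'; a 'blocking' result in inline mode means
    Snort itself, not the DAQ, is why traffic stops flowing."""
    sections = parse_sections(text)
    if not saw_everything(sections):
        return "dropping"
    if blocked_count(sections) > 0:
        return "blocking"
    return "passing"


if __name__ == "__main__":
    report = parse_sections(SAMPLE_STATS)
    print("I/O:", report["Packet I/O Totals"])
    print("Verdicts:", report["Verdicts"])
    print("Diagnosis:", diagnose(SAMPLE_STATS))
```

Run it against the text Snort prints after Ctrl-C (redirect stderr to a file). If the diagnosis is "blocking" while the rule set is empty, the verdicts come from something other than rules, which is exactly the case tap mode isolates; if it is "dropping", the problem is in the DAQ or interface setup and no rule change will help.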



On Mon, Nov 25, 2013 at 2:09 AM, Ellad G. Yatsko <eyatsko () ngs ru> wrote:

Hello!

Sorry if this is "to the wrong quarter", but I did not get any
substantial help in "Snort Users". My question is described in detail below.

Kind regards,
Ellad
Hello!

I compiled again... :-( to restore the step-by-step procedure... :-( As usual,
afpacket hangs the interfaces... :-(
Ubuntu 12.04.1 amd64 (under VMware ESXi 5.2) was installed from scratch.

apt-get -y install build-essential libpcap0.8-dev libmysqlclient15-dev \
  mysql-server libc6-dev g++ gcc pcregrep libpcre3-dev iptables-dev bison \
  flex tshark

cd /usr/src/libdnet-1.12/
./configure "CFLAGS=-fPIC -g -O2"
make
make install

cd /usr/src/daq-2.0.1/
./configure
make
make install

cd /usr/src/snort-2.9.5.6/
./configure --enable-gre --enable-reload --enable-linux-smp-stats \
  --enable-zlib --enable-active-response --enable-react --enable-flexresp3
make
make install

ln -s /usr/local/lib/libdnet.1.0.1 /usr/lib/libdnet.1
ln -s /usr/local/lib/snort_dynamicpreprocessor /usr/lib/snort_dynamicpreprocessor
ln -s /usr/local/lib/snort_dynamicengine /usr/lib/snort_dynamicengine

Then I got the init.d script and the /etc/snort folder with all its content
from a neighboring virtual machine where I had done apt-get install snort a
minute ago.

scp eyatsko () 80 x x x:/etc/init.d/snort /etc/init.d/snort
scp -r eyatsko () 80 x x x:/etc/snort /etc/
chown root:root /etc/init.d/snort
chown -R root:root /etc/snort

Then I updated /etc/snort/snort.conf:
. . .
# Setup the network addresses you are protecting
ipvar HOME_NET 192.168.0.0/24

# Set up the external network addresses. Leave as "any" in most situations
#ipvar EXTERNAL_NET any
ipvar EXTERNAL_NET !$HOME_NET
. . .

...and started snort:
snort -Q -v -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf

It got three bootp packets and hung the interfaces.

As far as I can observe, this behaviour of Snort does not depend on:
- Snort version;
- operating system / OS version;
- the way Snort is installed;
- rule set (I commented out all include $RULE_PATH/* lines except
local.rules, which was empty).

What could explain this situation?

Kind regards,
Ellad Yatsko

I have checked something. I re-installed the OS, changing it to Debian 7.2.0
x86 (Ubuntu 12.04.1 was amd64), and Snort. Snort, again, is version
2.9.2 (to be more accurate: 2.9.2.2).
All is much the same! It "hangs" the interfaces after several tens of
packets, and they stay hung until several minutes after Snort's execution is
broken off.

What could it be? I have already mentioned that I compiled Snort from
sources. Afpacket behaves similarly.

Can anybody help me?... :-)


We have Ubuntu Server 12.04.1 LTS with snort 2.9.2, both installed from
scratch. The Snort 2.9.2 distribution is native to this Ubuntu release.

~# snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
~#

Snort config and rule set are both the defaults that come with the
distribution (apt-get install ...).

IPTables has its default configuration:
~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
~# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
~#
I tried to put some traffic into QUEUE with a command like iptables -A
INPUT -p udp -j QUEUE, but it has no effect on my main problem.
I found just a few cases on the Internet where Snort has been started in
inline mode, and they do not abound in examples of how to set up IPTables
in conjunction with Snort... :-( Moreover, all of them differ
depending on the Snort version.


After starting Snort via command-line:
~# snort -Q -vv -i eth0:eth1 --daq afpacket -c /etc/snort/snort.conf


After Snort received some tens of packets (mainly my SSH session to the
server running Snort), both interfaces eth0 and eth1 became unavailable from
outside (i.e. from ipvar EXTERNAL_NET !$HOME_NET), but I could still
ping them from the server's console. Going further: when I tried to ping
something outside through the server's interfaces, this also had no result.
Nothing is accessible via the monitored interfaces.

When I break the program's execution, the interfaces from outside and external
destinations from inside continue to be inaccessible for some time
(several minutes).

Now I have two more or less clear dilemmas:
- how to start Snort in inline mode and avoid it hanging (main
problem);
- how to set up IPTables, if the DAQ needs it.

My future plan for Snort is to analyze and drop excessive SIP traffic ONLY
(methods: REGISTER and INVITE) from certain IPs. For example, if there are
many registrations per second (or per ten seconds, no matter), such a
traffic pattern must be "isolated" from the SIP registrar. The same story
applies to INVITEs. Ideally, it would be perfect if Snort could add rules to
IPTables to block "rogue traffic" permanently! :-) As a rule (by my own
observations) the "bad guys" always sit at the same IP addresses.

Please, help... :-)
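
The SIP plan in the post above (drop REGISTER and INVITE floods from a source that exceeds some rate) is what Snort's detection_filter rule option expresses: a rule with detection_filter: track by_src, count C, seconds S fires only once a source has exceeded C matches within S seconds, and with the drop action in inline mode (-Q) those packets are blocked. The script below is an added example, not code from the thread or from the Snort project; it re-implements that per-source counting over a constructed request list so the threshold behaviour can be seen before writing rules. The window semantics (start at the source's first match, reset after more than S seconds) are my assumption of how the counting behaves, not a statement of Snort's exact implementation.

```python
"""Per-source rate check for SIP REGISTER and INVITE requests, mirroring the
counting behind Snort's detection_filter rule option (track by_src, count C,
seconds S). Assumed semantics (not taken from the thread): a window opens at a
source's first match; the (C+1)th match and later ones inside the window
exceed the filter; once more than S seconds have passed the window resets."""
from typing import Dict, List, Tuple

# Constructed SIP request log as (unix_time, src_ip, method); not real traffic.
SAMPLE_REQUESTS: List[Tuple[float, str, str]] = [
    (100.0, "198.51.100.7", "REGISTER"),
    (100.5, "198.51.100.7", "REGISTER"),
    (101.0, "203.0.113.21", "REGISTER"),
    (101.0, "198.51.100.7", "REGISTER"),
    (101.5, "198.51.100.7", "REGISTER"),   # 4th in 1.5 s: exceeds count 3
    (102.0, "198.51.100.7", "INVITE"),     # INVITE is counted separately
    (115.0, "203.0.113.21", "REGISTER"),   # 14 s later: new window
    (120.0, "198.51.100.7", "REGISTER"),   # 20 s after first: window reset
    (120.2, "198.51.100.7", "REGISTER"),
    (120.4, "198.51.100.7", "REGISTER"),
    (120.6, "198.51.100.7", "REGISTER"),   # exceeds again
    (121.0, "198.51.100.7", "OPTIONS"),    # method not filtered
    (130.0, "203.0.113.21", "REGISTER"),
]


class SipRateFilter:
    """One counter per (source, method), like one detection_filter rule per method."""

    def __init__(self, count: int, seconds: float,
                 methods: Tuple[str, ...] = ("REGISTER", "INVITE")) -> None:
        self.count = count
        self.seconds = seconds
        self.methods = methods
        # (src, method) -> (window start time, matches seen in that window)
        self._windows: Dict[Tuple[str, str], Tuple[float, int]] = {}

    def check(self, ts: float, src: str, method: str) -> bool:
        """Return True when this request exceeds `count` matches within
        `seconds` for its source: the point where an inline drop rule acts."""
        if method not in self.methods:
            return False
        key = (src, method)
        start, seen = self._windows.get(key, (ts, 0))
        if ts - start > self.seconds:      # window expired: start a fresh one
            start, seen = ts, 0
        seen += 1
        self._windows[key] = (start, seen)
        return seen > self.count


def exceeding_sources(requests: List[Tuple[float, str, str]],
                      count: int, seconds: float) -> Dict[str, int]:
    """Count, per source, how many requests exceeded the filter."""
    flt = SipRateFilter(count, seconds)
    hits: Dict[str, int] = {}
    for ts, src, method in requests:
        if flt.check(ts, src, method):
            hits[src] = hits.get(src, 0) + 1
    return hits


if __name__ == "__main__":
    for src, n in exceeding_sources(SAMPLE_REQUESTS, count=3, seconds=10).items():
        print(f"{src}: {n} request(s) over the REGISTER/INVITE rate limit")
```

Two properties worth noting when choosing C and S for the real rules: only requests beyond the threshold are affected, so a legitimate endpoint re-registering a few times is untouched, and REGISTER and INVITE are tracked independently, so a burst of one method does not penalize the other. Permanently adding IPTables rules for the offending sources is not something the detection_filter option does by itself.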



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

