Re: Snort in Inline Mode on CentOS 6.3

["Okeowo, Ayo" <gadmin () cyberdrobe com>]

YM,

It's working now. I think I know why my drop wasn't working at first. I
commented out (using #) my alert rules above my new drop rules. So I was
getting the alerts but nothing was blocked as a result of that.

One thing I will like someone to clarify is this, when my snort is in
inline mode, I don't need any alert rules any more, instead I will use the
drop, activate etc rules which will still generate alerts either way,
according to Snort manual?


On Sun, Feb 10, 2013 at 12:40 PM, Y M <snort () outlook com> wrote:

>  Sorry I overlooked your verdicts:
>
> "Block:          640 (  0.008%)"
>
> Which means Snort has blocked 640 packets out all the packets Snort
> analyzed.
>
> I would start testing on more simple rules, like the icmp-protocol ping
> and then move on to more complex rules.
>
> YM
>  ------------------------------
> From: Okeowo, Ayo <gadmin () cyberdrobe com>
> Sent: 2/10/2013 8:30 PM
> To: Y M <snort () outlook com>
> Cc: Snort Users <snort-users () lists sourceforge net>
>
> Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3
>
>  No, I haven't added the switch to my command line. Let me try that and
> will let you know.
>
> On Sun, Feb 10, 2013 at 12:28 PM, Y M <snort () outlook com> wrote:
>
>  Have you tried adding --daq-mode inline in your command?
>
> YM
>  ------------------------------
> From: Okeowo, Ayo <gadmin () cyberdrobe com>
> Sent: 2/10/2013 8:12 PM
> To: Y M <snort () outlook com>; snort-users () lists sourceforge net
> Subject: Fwd: [Snort-users] Snort in Inline Mode on CentOS 6.3
>
>
>
> ---------- Forwarded message ----------
> From: *Okeowo, Ayo* <gadmin () cyberdrobe com>
> Date: Sun, Feb 10, 2013 at 12:11 PM
> Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3
> To: Y M <snort () outlook com>
>
>
> Below is what I have.
>
>
>  {Q1::Answer}
> my snort command is:-
> snort -c /etc/snort/snort.conf --daq afpacket -i eth0:eth2 -Q -A console
>
>  {Q2::Answer}
> I'm using DAQ mode: --daq afpacket
>
>  {Q3::Answer - drop rule reside in the local.rules}
> drop tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"Block Web Traffic
> from Outside"; classtype:web-application-attack; metadata:service http;
> flow:established,to_
> server; sid:1000008; rev:2;)
>
>  {Q4::Answer}
> Verdicts:
>       Allow:      8115288 ( 98.956%)
>       Block:          640 (  0.008%)
>     Replace:          252 (  0.003%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:           37 (  0.000%)
>      Ignore:            0 (  0.000%)
>
>
>  On Sun, Feb 10, 2013 at 11:54 AM, Y M <snort () outlook com> wrote:
>
>   a. How are you running Snort? In other words, what is the command you
> are using to run Snort?
>
> b. Which DAQ are you using?
>
> c. How is your drop rule setup?
>
> d. When you stop Snort, what do the verdict statistics show?
>
> Please when you send/reply do so for the whole group as there are awesome
> people here that are more experienced than I am, and other people benefit
> as well.
>
> Thanks.
> YM
>   ------------------------------
> From: Okeowo, Ayo <gadmin () cyberdrobe com>
> Sent: 2/10/2013 7:38 PM
>
> To: Y M <snort () outlook com>
> Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3
>
>      YM,
>
>  Sorry I'm just getting back to you after I posted my question. I've been
> able to add additional 1 more interface and the 2 interfaces are now
> in promiscuous mode. I've confirmed there are packets traversing the
> interfaces but my rule is not dropping any traffic request to let's say
> port 80 and 443.
>
>  What could I be possibly be missing? Still looking through though to see
> if I find anything that could be causing the issue.
>
>  Your response will be much appreciated.
>
> On Wed, Feb 6, 2013 at 10:56 AM, Y M <snort () outlook com> wrote:
>
>  It will be largely dependant on the output plugin you are using. In case
> of Snorby, although I don't use it, will eventually read from a database;
> MySQL. In this case, it is a practice to let Snort output to unified2, and
> let barnyard2 parse unfied2 logs into the database, from which Snorby will
> read data.
>
> Hope you get your setup done.
>
> YM
>  ------------------------------
> From: Okeowo, Ayo <gadmin () cyberdrobe com>
> Sent: 2/6/2013 6:43 PM
> To: Y M <snort () outlook com>
> Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3
>
>   YM,
>
> Thanks for the response. I would have never have thought of increasing my
> interfaces (virtual interfaces) to 3 to make it work. I will try that when
> I get home and let you know.
>
> So this will allow my drop and alert rules to pop-up on Snorby? Once it
> works I will then go ahead and configure preprocessor etc.
>
> And I also hope to combine my command line with --alert-before-pass switch.
>
> On Wed, Feb 6, 2013 at 10:28 AM, Y M <snort () outlook com> wrote:
>
>  You will need 3 interfaces. Two will be in transparent mode and the
> third will be used for management. When you run Snort in inline mode, you
> would use, for example: -i eth0:eth1, or the bridge if you will be using a
> bridge and eth3 for management.
>
> YM
>  ------------------------------
> From: Okeowo, Ayo <gadmin () cyberdrobe com>
> Sent: 2/6/2013 6:22 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Snort in Inline Mode on CentOS 6.3
>
>   Hello Folks,
>
> Has anyone successfully setup Snort 2.9.4 on CentOS 6.3 with functioning
> IPS(Inline Mode) using 2 interfaces (1 for sniffing traffic and 2nd for
> management)?
>
> I'm having a few issues, although I haven't sat down to address it yet due
> to my day job sucking my time. The first issue is, if I use 1 interface and
> put Snort to Inline Mode, my drop rules don't work. Second, if I use 2
> interfaces, both Alert and Drop rules cease to work and I get nothing on
> Snorby.
>
> Any insight to this issue will be appreciated. Like I said I haven't sat
> down to troubleshoot this issue but your response will help.
>
> Thanks.
> Ayo
------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!