Snort mailing list archives
Re: IPS options
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 06 Mar 2014 05:57:23 -0700
On Thu, 2014-03-06 at 12:36 +0000, Russ Combs (rucombs) wrote:
Looks like your iptables rule specifies tcp, so the icmp rule won't
fire because Snort isn't getting icmp traffic.
Check Snort's shutdown counts to see if it is getting the traffic you
want. You may want to change your iptables rules.
______________________________________________________________________
From: Y M [snort () outlook com]
Sent: Thursday, March 06, 2014 7:31 AM
To: snort-users
Subject: Re: [Snort-users] IPS options
______________________________________________________________________
From: jlay () slave-tothe-box net
To: snort-users () lists sourceforge net
Date: Thu, 6 Mar 2014 05:15:31 -0700
Subject: Re: [Snort-users] IPS options
On Thu, 2014-03-06 at 06:26 +0000, Y M wrote:
As far as I know, signatures with "alert" keyword should still
work as usual when running Snort inline. Only those signatures
marked with "drop" will be dropped; the rest, i.e. "alert"
signatures, should only alert as normal, at least when using
the afpacket DAQ. I wouldn't imagine the behavior is different
for NFQ, but I never tested it.
We have two sensors running inline (afpacket), and although
they do not contain "alert" signatures at the moment, they
worked as expected during testing in regards to running
"alert" and "drop" signatures at the same time.
YM.
> To: snort-users () lists sourceforge net
> Date: Wed, 5 Mar 2014 16:46:45 -0700
> From: jlay () slave-tothe-box net
> Subject: [Snort-users] IPS options
>
> Hey all,
>
> So....looking at changing a current Snort IDS to IPS...I've gotten some good feedback, but wanted to post here as well. The setup is a linux box with two nics already bridged. I need to just IPS a certain protocol/port combination, and still alert as usual on everything else. I looked at DAQ NFQ, but found that after getting that to work, other alerts stopped. So what are my options for this? I read through the daq doc and whatnot, but wanted opinions here as well. Thanks for any insight.
>
> James
Thanks YM and waldo...here's what I've tested:
iptables -I INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c snort/snort.conf
rules:
drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)
alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)
testing:
[05:09:22 jlay@James:~$] telnet analysis 80
Trying 192.168.1.6...
^C
[05:09:31 jlay@James:~$] ping analysis
PING analysis (192.168.1.6) 56(84) bytes of data.
64 bytes from analysis (192.168.1.6): icmp_seq=1 ttl=64 time=0.176 ms
results:
03/06-05:09:28.544877 [Drop] [**] [1:10000053:0] Test 80 [**]
[Priority: 0] {TCP} 192.168.1.2:34392 -> 192.168.1.6:80
So...looks like this method no workie. What daq mode are you using
YM?
--daq afpacket --daq-mode inline
Thank you.
James
Ah....ok thanks Russ....last question then. If I already have a bridge setup between eth0 and eth1, will afpacket -i eth0:eth1 still do the dropping? I think I'll be doing this method if that's the case, since every packet is traversing the bridge anyway. And thanks YM, that helps.

James
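Russ's point above (an iptables rule that only queues tcp means no other protocol ever reaches Snort, so a Snort icmp rule cannot fire) can be turned into a quick pre-flight check. This is an added example, not code from the thread or from the Snort project; it uses constructed stand-ins for the rules file and for `iptables -S` output, and the function names are my own.

```sh
#!/bin/sh
# Constructed stand-ins for the thread's snort rules and for `iptables -S` output
# (a real check would read the rules file and run `iptables -S` itself).
SNORT_RULES='drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)
alert icmp any any -> any any (msg:"Ping test"; sid:10000054;)'

# As in the thread: only TCP/80 is queued, so the icmp rule never sees traffic.
IPTABLES_S='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 1'

# Corrected set: every protocol a snort rule refers to is diverted to queue 1.
IPTABLES_FIXED="$IPTABLES_S
-A INPUT -p icmp -j NFQUEUE --queue-num 1"

# Protocols named in snort rule headers (second field of each action line).
snort_protos() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^(alert|drop|sdrop|reject|log|pass)$/ { print $2 }' | sort -u
}

# Protocols diverted to NFQUEUE by iptables; a NFQUEUE rule with no -p covers
# everything and is reported as "all".
nfqueue_protos() {
  printf '%s\n' "$1" |
    awk '/-j NFQUEUE/ { p = "all"; for (i = 1; i <= NF; i++) if ($i == "-p") p = $(i + 1); print p }' |
    sort -u
}

# Print, one per line, the snort rule protocols that never reach the queue.
# Empty output means every rule can fire. A snort "ip" rule only counts as
# covered when an unrestricted NFQUEUE rule exists.
uncovered_protos() {
  queued=" $(printf '%s ' $(nfqueue_protos "$2"))"
  case "$queued" in *" all "*) return 0 ;; esac
  for proto in $(snort_protos "$1"); do
    case "$queued" in
      *" $proto "*) ;;
      *) printf '%s\n' "$proto" ;;
    esac
  done
}

# Stand-alone run: prints "icmp" for the thread's ruleset, nothing for the fix.
uncovered_protos "$SNORT_RULES" "$IPTABLES_S"
uncovered_protos "$SNORT_RULES" "$IPTABLES_FIXED"
```

The same gap does not exist with afpacket inline, since every frame crossing the bridged pair is handed to Snort regardless of protocol.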
