Re: Some Snort beginner questions

["Joel Esler (jesler)" <jesler () cisco com>]

You can put all your deny statements in iptables before you put your queue statements. 

--
Joel Esler
iPhone

> On Oct 31, 2014, at 17:40, Jim Garrison <jhg () jhmg net> wrote:
>
> I have a Centos 6.5 web server configured with a very restrictive
> iptables setup (8 incoming tcp ports open, 0 udp).  I'm a fairly
> experienced Linux admin but haven't looked at Snort in at least 7 or 8
> years (wow, has it changed since then!), since I use iptables to
> present a tiny attack surface to the Internet.  However, installing
> PHP/Wordpress has prompted me to add Snort to my toolkit.
>
> I recently built and installed Snort from source and have been testing
> it with the command line:
>
> snort --enable-inline-test -c /etc/snort/snort.conf -b -A fast
>
> I have three questions:
>
> 1) I am getting very few alerts, which I expected due to the small
>   exposed surface, but find that the alerts that do get logged are on
>   ports that are not open in iptables.  I therefore guess that Snort
>   is seeing the packets either before or at the same time as
>   (independent of) iptables.  Is this correct?
>
> 2) Is there a way to set things up so Snort sees only packets that are
>   not blocked by iptables?  I don't want to replace iptables with
>   Snort. I'd rather use iptables as a perimeter defense and Snort
>   to scan traffic for application layer exploits.
>
> 3) A couple of alerts I am seeing occasionally are:
>
>      10/31-19:49:40.592851  [**] [1:31136:1]
>      MALWARE-CNC Win.Trojan.ZeroAccess inbound communication [**]
>      [Classification: A Network Trojan was Detected]
>      [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464
>
>      10/31-19:49:40.592851  [**] [1:23493:5]
>      MALWARE-CNC Win.Trojan.ZeroAccess outbound communication [**]
>      [Classification: A Network Trojan was Detected]
>      [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464
>
>   The arrow points from the foreign IP to my IP in both cases, but
>   one says "inbound" and one says "outbound", which seems to
>   conflict.  When I examine the binary log file in Wireshark both
>   packets are shown as incoming, supporting the arrow and indicating
>   the "outbound" designation may be incorrect, or I don't understand
>   how the word "outbound" is being used here.  Is this a bug?
>
> -- 
> Jim Garrison (jhg () acm org)
> PGP Keys at http://www.jhmg.net RSA 0x04B73B7F DH 0x70738D88
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!