Snort mailing list archives

Re: trouble with online mode


From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 14 Dec 2014 12:48:12 -0700



On Sat, 2014-12-13 at 16:02 -0500, Sec_Aficionado wrote: 


---- quoted message follows ----
Ah....yea that's the issue. With --daq-mode inline snort will create
its own bridge (that you have no control over). This type of
deployment works really well as having snort on its own machine
inline such as: (Internet) <-> (SnortIPS) <-> (LinuxRouter) <->
(Switch). I think you and I were in the same boat where we had a linux
router that we wanted to put IPS on. You can use the nfq daq
functionality like so:


snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /usr/local/etc/snort/snort.conf

/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
or
/sbin/iptables -I INPUT -j NFQUEUE --queue-num 1


But I'm going to be honest...I never got nfq to work well. There's a
thread on the list that talks heavily about this, but in a nutshell as
soon as a packet hits the snort queue, it is either dropped as an IPS
hit, or accepted and sent along, which means any iptables rules AFTER
the snort queue rule are not referenced, so be warned and make sure to
nmap the external IP after you make the changes. It really seems like
the IPS functionality is more suited for the IPS on its own dedicated
machine and not integrated into a router. My two cents :) James


---- end of quoted message ---- 


James,


I wonder if you ever got this setup to work. I found the following
suggestions in a suricata configuration guide. They use FORWARD
instead of INPUT. I have to do some reading before I test this but I'd
like to know if you have any advice.


I would really like to get snort to work as an IPS in a
firewall/router box, rather than in a separate machine.


Thanks!


The following is an excerpt
from: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux


There is also a way to use iptables with multiple networks (and
interface cards). Example:


sudo iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE
sudo iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE


The options -i (input) and -o (output) can be combined with all
previously mentioned options.

If you stop Suricata and use the internet, the traffic will not come
through. To make the internet work correctly, you have to erase all
iptables rules.


Sent from my mobile
Any weird stuff is autocorrect's fault


Hi again,

So...after spending about four hours on this, I think I have actually
got this to work as expected.  Keep in mind this is JUST on the FORWARD
table, and was tested on a bridged instance, but I'm betting this will
work just fine on a routed instance as well.  In a nutshell, the secret
is mangle in the FORWARD table.  My test setup was a server,
192.168.1.171, connected via crossover cable to another linux machine
with two NICs, and bridging the NICs.  The last bit is my attacking
machine, 192.168.1.70.  Setup below:

sudo snort -Q -A console --daq nfq --daq-var device=br0 --daq-var queue=1 -c /opt/etc/snort/snort.conf -k none

rule:
drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)

You can change the default FORWARD from ACCEPT to drop like so, -P
FORWARD DROP, but I wasn't able to get firewall logs doing that, so
instead I set to ACCEPT, then add the log and drop below:

#!/bin/bash
IPTABLES=/sbin/iptables
INTIF="eth1"
BRIF="br0"
EXTIF="eth0"

# flush every table and delete user-defined chains
$IPTABLES -F
$IPTABLES -F -t raw
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -F -t filter
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# hand every forwarded packet to snort (queue 1); mangle FORWARD runs before filter FORWARD,
# so whatever snort accepts is reinjected and still hits the log/accept/drop rules below
$IPTABLES -t mangle -A FORWARD -j NFQUEUE --queue-num 1
$IPTABLES -A FORWARD -d 192.168.1.171 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -i br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i br0 -m conntrack --ctstate NEW -d 192.168.1.171 -j LOG
$IPTABLES -A FORWARD -i br0 -m conntrack --ctstate NEW -d 192.168.1.171 -j DROP

And the results. First, listening ports:
09:34:44 powerbook:~$ sudo netstat -lpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN      2447/inetd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2556/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1718/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2909/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2825/master
tcp        0      0 0.0.0.0:56187           0.0.0.0:*               LISTEN      1755/rpc.statd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2556/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      2556/smbd
tcp6       0      0 :::111                  :::*                    LISTEN      1718/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      2168/apache2
tcp6       0      0 :::48402                :::*                    LISTEN      1755/rpc.statd
tcp6       0      0 :::22                   :::*                    LISTEN      2909/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      2825/master
tcp6       0      0 :::445                  :::*                    LISTEN      2556/smbd

Nmap results:
Nmap scan report for 192.168.1.171
Host is up (0.00051s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
80/tcp open  http

Snort results:
root@kali:~# wget http://192.168.1.171/index.html
--2014-12-14 02:36:11--  http://192.168.1.171/index.html
Connecting to 192.168.1.171:80... connected.
HTTP request sent, awaiting response... 

12/14-09:36:12.712270  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.70:59301 -> 192.168.1.171:80

root@kali:~# wget http://192.168.1.171/other.html
--2014-12-14 02:36:48--  http://192.168.1.171/other.html
Connecting to 192.168.1.171:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 177 [text/html]
Saving to: `other.html.5'

100%[============================================================>] 177         --.-K/s   in 0s

2014-12-14 02:36:48 (12.0 MB/s) - `other.html' saved [177/177]

Give that a go.

James
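An added example, not James's script and not anything posted in the thread, that turns the mangle FORWARD recipe above into a reusable script with the two things a router box needs on top of it: a fail-open/fail-closed choice on the NFQUEUE rule (--queue-bypass makes the kernel forward packets uninspected when nothing is bound to the queue; leaving it out gives the "stop Suricata and traffic stops" behaviour the wiki excerpt describes), and a status check that reads /proc/net/netfilter/nfnetlink_queue to confirm Snort is actually bound to the queue and to spot queue drops. The interface name, protected host address, queue number, and the /proc sample lines in the comments are assumptions; it requires an iptables that knows --queue-bypass (1.4.11+, kernel 2.6.39+). DRY_RUN defaults to 1, so it only prints the rules until run as root with DRY_RUN=0.

```bash
#!/bin/bash
# Added example (not James's script): inline Snort via NFQUEUE on a Linux
# bridge/router, plus a check that the queue is really being serviced.
# Snort side, as in the post:
#   snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c snort.conf
# Assumptions: interface br0, protected host 192.168.1.171, queue 1.
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}
BRIF=${BRIF:-br0}
PROTECTED=${PROTECTED:-192.168.1.171}
QUEUE=${QUEUE:-1}
# FAIL_OPEN=1 adds --queue-bypass: with nothing bound to the queue, packets are
# forwarded uninspected. FAIL_OPEN=0 omits it: with Snort stopped, forwarding
# stops too. Pick deliberately; an IPS that silently fails open is a policy decision.
FAIL_OPEN=${FAIL_OPEN:-1}
# DRY_RUN=1 (default) prints the iptables commands; run as root with DRY_RUN=0 to apply.
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# The NFQUEUE rule lives in mangle FORWARD, which the kernel evaluates before
# filter FORWARD: Snort sees every forwarded packet first, and whatever it
# accepts is reinjected and still reaches the log/accept/drop rules below.
# (With the rule in filter INPUT, as in the earlier post, nothing after it runs.)
apply_rules() {
    local bypass=""
    if [ "$FAIL_OPEN" = 1 ]; then bypass="--queue-bypass"; fi
    ipt -t mangle -F FORWARD
    ipt -F FORWARD
    ipt -P FORWARD ACCEPT
    # $bypass is intentionally unquoted: empty or exactly one flag
    ipt -t mangle -A FORWARD -j NFQUEUE --queue-num "$QUEUE" $bypass
    ipt -A FORWARD -d "$PROTECTED" -p tcp --dport 80 -j ACCEPT
    ipt -A FORWARD -i "$BRIF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$BRIF" -m conntrack --ctstate NEW -d "$PROTECTED" -j LOG --log-prefix "FWD-DROP "
    ipt -A FORWARD -i "$BRIF" -m conntrack --ctstate NEW -d "$PROTECTED" -j DROP
}

# /proc/net/netfilter/nfnetlink_queue has one line per bound queue (no header):
#   queue_num peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence 1
# e.g. (constructed sample)  "1 12345 0 2 65531 0 0 4242 1"
# Returns 0: bound, no kernel drops.  1: bound but queue_dropped > 0, i.e. Snort
# is not keeping up (with --queue-bypass those packets passed uninspected,
# without it they were dropped).  3: nothing bound to the queue (without
# --queue-bypass, forwarding is dead right now).  2: file unreadable (module
# not loaded).  Arguments: [proc file] [queue number], both optional.
nfq_status() {
    local proc=${1:-/proc/net/netfilter/nfnetlink_queue} q=${2:-$QUEUE}
    [ -r "$proc" ] || { echo "$proc not readable (nfnetlink_queue module loaded?)"; return 2; }
    awk -v q="$q" '
        $1 == q {
            found = 1
            printf "queue %s bound by portid %s: %s queued, %s kernel-dropped, %s user-dropped\n", $1, $2, $3, $6, $7
            exit ($6 > 0 ? 1 : 0)
        }
        END { if (!found) { printf "queue %s: nothing bound\n", q; exit 3 } }
    ' "$proc"
}

case "${1:-}" in
    apply)  apply_rules ;;
    status) nfq_status ;;
esac
```

Usage: `./nfq-inline.sh apply` prints the rule set; `sudo DRY_RUN=0 ./nfq-inline.sh apply` installs it; start Snort with the nfq DAQ, then `./nfq-inline.sh status` should report queue 1 bound by Snort's netlink portid. Run it again while Snort is stopped: with FAIL_OPEN=0 you get "nothing bound" and, as the wiki excerpt says, no forwarding until Snort is back or the mangle rule is removed. Either way, keep James's advice and nmap the box from outside after every change, since a rule that never reaches the filter chain fails silently.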


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
