Re: Odp: Re: Odp: Re: Snort inline with Squid

[James Lay <jlay () slave-tothe-box net>]

On 2015-04-27 07:50 AM, Robert Lasota wrote:
> Dnia Niedziela, 26 Kwietnia 2015 21:37 James Lay
> <jlay () slave-tothe-box net> napisał(a)
>
> > So ok...this was fun and weird at the same time. Here's the setup,
> > which, though not routing, should get you there. So here's the
> > setup:
> >
> > Workstation (192.168.1.2) <switch> Router/Bridge (192.168.1.9, two
> > NIC's bridged to br0) <(crossover cable> (we'll pretend it's the
> > Internet) (192.168.1.73).
> >
> > 192.168.1.9 is running snort and squid, squid listening on
> > http_port 3128 and https_port 3129. 192.168.1.73 is running apache
> > listening on ports 80 and 443. Snort line:
> > sudo snort -Q -A cmg -c snort/snort.conf --daq nfq --daq-mode
> > inline --daq-var device=br0 --daq-var queue=1 -k none
> >
> > snort rule (in local.rules, the only ruleset enabled):
> > drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get";
> > content:"index"; http_uri; sid:1000003; rev:1;)
> >
> > The below magic combination work:
> > sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
> > sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1
> > sudo iptables -t nat -A PREROUTING -i br0 -s 192.168.1.2 -p tcp
> > --dport 80 -j REDIRECT --to-port 3128
> >
> > [09:20:22 iMac:~$] wget http://192.168.1.73/index [1]
> > --2015-04-26 09:20:41-- http://192.168.1.73/index [1]
> > Connecting to 192.168.1.73:80... connected.
> > HTTP request sent, awaiting response... ^C
> >
> > Apr 26 09:20:44 analysis squid: 192.168.1.2 - -
> > [26/Apr/2015:09:20:44 -0600] "GET http://192.168.1.73/index
> > HTTP/1.1" 0 0 TCP_MISS_ABORTED:ORIGINAL_DST - - -
> >
> > 04/26-09:20:42.843965 [Drop] [**] [1:1000003:1] HTTP Traffic Index
> > Get [**] [Priority: 0] {TCP} 192.168.1.9:43256 -> 192.168.1.73:80
> > Stream reassembled packet
> > 04/26-09:20:42.843965 192.168.1.9:43256 -> 192.168.1.73:80
> > TCP TTL:64 TOS:0x0 ID:14977 IpLen:20 DgmLen:277 DF
> > ***A**** Seq: 0xF8747E23 Ack: 0x127ADA9C Win: 0x7580 TcpLen: 32
> > 47 45 54 20 2F 69 6E 64 65 78 20 48 54 54 50 2F GET /index HTTP/
> > 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 1.1..User-Agent:
> >
> > Yet choosing something other than index gets the expected results:
> >
> > [09:20:43 iMac:~$] wget http://192.168.1.73/bleh [2]
> > --2015-04-26 09:22:05-- http://192.168.1.73/bleh [2]
> > Connecting to 192.168.1.73:80... connected.
> > HTTP request sent, awaiting response... 404 Not Found
> > 2015-04-26 09:22:05 ERROR 404: Not Found.
> >
> > Apr 26 09:22:06 analysis squid: 192.168.1.2 - -
> > [26/Apr/2015:09:22:06 -0600] "GET http://192.168.1.73/bleh [2]
> > HTTP/1.1" 404 543 TCP_MISS:ORIGINAL_DST - - -
> >
> > I tested other combinations, but none of them worked. Whey the
> > above combo of mangle PREROUTING AND OUTPUT works I haven't a clue.
> > The above will pipe ALL traffic through snort...if that's not what
> > you want just specify the port as you'd like. What I like about the
> > above is the fact that it runs snort hybrid, so rules with drop will
> > drop, rules with alert will only alert. This will also keep most
> > firewall rules intact as the mangle table works before your standard
> > "filter" tables. Hope that helps.
> >
> > James
>
> First, big thanks for your engagement and work.
>
> Second, unfortunately for now we can't use bridge interface in out
> router so I don't have even ability to test it. I tried your
> suggestions apply just on eth0 insted of br0 but not work ;) . We can
> set that if we'll decide to use br0 I'll write here what results we
> had.
>
> Once again thank you for help
>
> Regards , Robert

Hi Robert,

Yea...br0 won't work for you as you're not bridging.  That being said, 
as these:

sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1

are interface independent, they should work across the board.  I would 
try this first:
sudo snort -Q -A cmg -c snort/snort.conf --daq nfq --daq-mode inline 
--daq-var device=eth0:eth1 --daq-var queue=1 -k none <- run that in a 
console and see the results
sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1

Then run your tests with snort to see if that's working.  Once you 
verify that, then give your squid redirect a go:
sudo iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp 
--dport 80 -j REDIRECT --to-port 3128

The above all assumes that eth0 is your internal NIC serving your 
internal network of 192.168.1.0/24, so you'll want to change these if 
that's not the case.  I've still got my dev box up as I have some squid 
work still to do...next step for me will be to test this via routed.  
Let me know your results if you have a chance and care to...I'll work 
this from my end as well.

James


------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!