Snort mailing list archives

Re: Snort running inline but not functioning as IPS


From: Y M <snort () outlook com>
Date: Wed, 27 Jan 2016 15:58:48 +0000


 From: Robin Kipp <mlists () robin-kipp net>
 Sent: Wednesday, January 27, 2016 2:52 PM


 On 27.01.2016 at 10:46, Y M <snort () outlook com> wrote:

 Actually, that’s rather unlikely… It was pretty late at night where I am when I sent that email, so I forgot to 
mention that I was doing some tests when Snort was back up and running with the security and balanced policies. I 
pinged some of the blacklisted IP addresses that Snort is using, something which would always trigger alerts when 
no ips_policy was present. I then also used a remote vserver to run vulnerability scans over the internet, using 
OpenVAS, Nexpose and Nmap. Finally, I even started 2 virtual machines on my network, one running Windows XP and the 
other running an old Ubuntu release, both with vulnerable software. I opened up the vulnerable ports to the internet 
using my router, but only allowed connections from my remote vserver to those ports. Next I used Metasploit to 
exploit various SMB and Apache2 web application vulnerabilities, all that worked fine complete with launching a 
Meterpreter reverse shell and all that. So, while I never really tested all that with Snort in IDS mode, I’m sure that 
at least one of those actions should have resulted in an alert and a drop action, but really nothing happened...

Okay, got it.
  
Thanks for that suggestion! I set the ips_policy to security, then reprocessed rules and restarted Snort without 
seeing any alerts. However, after making the change to enablesid.conf that you suggested, I am now seeing loads and 
loads of "misc activity" alerts in Snort! Here are the stats I got from pulledpork after reprocessing rules:

Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----27951
Dropped Rules:----0
Disabled Rules:---0
Total Rules:------27951
IP Blacklist Stats...
Total IPs:-----19242
I’m using pulledpork 0.7.2 btw, previously (before starting from scratch) I was using 0.7.1.
Here’s a question though, if I previously set ips_policy to security, shouldn’t there be more 'dropped rules'? Or does 
the number of dropped rules in those stats really just count the rules that were explicitly dropped in dropsid.conf? 

The ips_policy (connectivity, balanced, security, max) determines the base ruleset, i.e.: number of rules in that 
policy, that will eventually be enabled, based on this blog post: 
http://blog.snort.org/2013/10/snort-vrt-default-ruleset-rebalancing.html. The ips_policy does not change signatures' 
action from "alert" to "drop". You have to specify which signatures need to have the "drop" action in your 
dropsid.conf. What you are referring to may be supported in the commercial offering, but I am not sure of that.

Nope, all the pings, vulnerability scans and even vulnerability exploitations went through without any Snort 
interference.

Does your custom ICMP rule have ips_policy metadata, i.e.: "metadata: security-policy ips" or "balanced-ips drop"? 
The previous line means that this particular rule is now treated as a member of the security/balanced ips_policy. If 
the signature has no such metadata, then it will not be picked up by PulledPork when you specify the ips_policy, unless 
you have your rule explicitly defined in the enablesid.conf.

I currently don’t have anything in my dropsid.conf except for the commented lines that are in there by default. As 
far as I understood, the dropsid.conf is only there if the user wants to drop rules explicitly, but doesn’t need to 
be modified to take the ips_policy into account… Is that correct? 

Please see my comment above. At this point, I would ask to provide sanitized pulledpork.conf and snort.conf and the 
command you use to run Snort with. Also, disable all of the rules and just focus on getting your ICMP rule to work as 
expected then expand.

Many thanks for your help!
Best regards,
Robin    
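To make the selection rules described in the reply above concrete (ips_policy picks rules by their policy metadata, only dropsid.conf turns an "alert" into a "drop", and a rule without policy metadata is only picked up via enablesid.conf), here is an added Python model of that logic. It is an illustration written for this page, not PulledPork's own code and not a claim about its exact internals; the sample rules, SIDs and the `build_ruleset` helper are constructed.

```python
import re

# Constructed sample rules (not from the thread). The metadata keyword follows
# the Snort convention "policy <name>-ips <action>", e.g. "policy security-ips drop".
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB example"; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP example"; sid:1000002; rev:1; metadata:policy security-ips drop;)
alert icmp any any -> $HOME_NET any (msg:"Custom ICMP, no policy metadata"; sid:1000003; rev:1;)
# alert tcp any any -> any 22 (msg:"Disabled upstream"; sid:1000004; rev:1; metadata:policy security-ips drop;)
"""

RULE_RE = re.compile(r"^(?P<off>#\s*)?(?P<action>alert|drop|pass|log)\s.*\bsid:(?P<sid>\d+);")
POLICY_RE = re.compile(r"policy\s+(\w+)-ips\s+\w+")


def parse_rules(text):
    """Yield one dict per rule line: sid, upstream action, policy set, upstream state."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        yield {"sid": int(m["sid"]), "action": m["action"],
               "policies": set(POLICY_RE.findall(line)),
               "upstream_disabled": m["off"] is not None}


def build_ruleset(text, ips_policy=None, enablesid=(), disablesid=(), dropsid=()):
    """Return {sid: action} for the rules that end up enabled.

    Modelled on the reply above: ips_policy selects rules by policy metadata,
    enablesid/disablesid override that selection, and only dropsid changes
    the action to "drop". A rule with no policy metadata needs enablesid.
    """
    result = {}
    for r in parse_rules(text):
        if ips_policy is None:
            on = not r["upstream_disabled"]      # no policy: keep upstream state
        else:
            on = ips_policy in r["policies"]     # policy set: metadata decides
        on = (on or r["sid"] in enablesid) and r["sid"] not in disablesid
        if on:
            result[r["sid"]] = "drop" if r["sid"] in dropsid else r["action"]
    return result


if __name__ == "__main__":
    # The custom ICMP rule (sid 1000003) is left out under ips_policy=security ...
    print(build_ruleset(SAMPLE_RULES, ips_policy="security"))
    # ... until enablesid lists it, and it still alerts unless dropsid lists it too.
    print(build_ruleset(SAMPLE_RULES, ips_policy="security", enablesid={1000003}, dropsid={1000003}))
```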
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
