Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Re: Inline IP_Forwarding and other simple questions?

from [mdpeters] Network Security [Permanent Link]
Subject: Re: [Snort-users] Re: Inline IP_Forwarding and other simple questions?
Date: Thu, 30 Dec 2004 09:50:02 -0500
I am trying to set up Snort-inline. When I enable "config layer2resets:" it dies. Do I need to include the MAC of the bridge group, in my case, 00:04:23:AD:ED:BA to get it to reset connections with IPTABLES?

config layer2resets: 00:04:23:AD:ED:BA

eth0 00:04:23:AD:ED:BA
eth1 00:04:23:AD:ED:BB
br0  00:04:23:AD:ED:BA

Also, concerning rules for Snort-inline. Do I take to rules included in the tarball and modify the *.rules to something like this:

drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)

or

sdrop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)

or

reject icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)

or

drop icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)

or something like these?

Thanks,

Michael


----- Original Message ----- From: "Will Metcalf" <william.metcalf@gmail.com>
To: "Michael D. Peters" <mdpeters@lazarusalliance.com>
Cc: "mdpeters" <michael.peters@lazarusalliance.com>; <snort-users@lists.sourceforge.net>
Sent: Tuesday, December 28, 2004 6:16 PM
Subject: [Snort-users] Re: Inline IP_Forwarding and other simple questions?


What I am asking is since this uses IPTABLES, should I just set up permanent
"firewall type" IPTABLE rules and then use the modified snort rules to take
care of the resets, drops, etc? 

Yes


On Tue, 28 Dec 2004 18:02:12 -0500, Michael D. Peters
<mdpeters@lazarusalliance.com> wrote:
What I am asking is since this uses IPTABLES, should I just set up permanent
"firewall type" IPTABLE rules and then use the modified snort rules to take
care of the resets, drops, etc?


Will Metcalf writes:

>> If I have something like this: <GATEWAY-ROUTER> connected to >> <FIREWALL>
>> connected to <SNORT_INLINE> connected to <NETWORK HUB OR SWITCH>. >> Would I
>> set the "var HOME_NET any" to "var HOME_NET nnn.nnn.nnn.nnn/xx?
>
> Yes
>
>> Do I need to make a startup script for IPTABLE rules or do I rely on
>> drop.rules or both? I'm inclined to think that the firewall rules will >> be
>> essentially duplicated with IPTABLES and the drop.rules interactively
>> supplement the IPTABLES.
>
> I'm not really sure what you are asking for here...... Usually it is
> a good idea to have a couple of iptables rules to check state for tcp
> state etc. Just off the top of my head.....
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -p tcp --syn -m state --state NEW -j QUEUE
> iptables -A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j > QUEUE
> iptables -A FORWARD -p udp -j QUEUE
> iptables -A FORWARD -p icmp -j QUEUE
>
>>Would MySQL logging be done the same way for Snort-inline as it is with
>>regular Snort?
>>
>>output database: alert, mysql, dbname=snort user=snortuser >>host=localhost
>>password=snortuserpassword
>
> Yes
>
> Regards,
>
> Will
>
>
>
>
> On Tue, 28 Dec 2004 10:58:28 -0500, mdpeters
> <michael.peters@lazarusalliance.com> wrote:
>> Concerning the snort-inline.conf file, are the "var" statements >> relevant?
>> Should I specify the network and subnet that the snort-inline box runs >> on?
>>
>> If I have something like this: <GATEWAY-ROUTER> connected to >> <FIREWALL>
>> connected to <SNORT_INLINE> connected to <NETWORK HUB OR SWITCH>. >> Would I
>> set the "var HOME_NET any" to "var HOME_NET nnn.nnn.nnn.nnn/xx?
>>
>> Do I need to make a startup script for IPTABLE rules or do I rely on
>> drop.rules or both? I'm inclined to think that the firewall rules will >> be
>> essentially duplicated with IPTABLES and the drop.rules interactively
>> supplement the IPTABLES.
>>
>> Thank you for the continued education and assistance. :)
>>
>> ----- Original Message -----
>> From: "Will Metcalf" <william.metcalf@gmail.com>
>> To: "mdpeters" <michael.peters@lazarusalliance.com>
>> Sent: Monday, December 27, 2004 12:04 PM
>> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple >> questions?
>>
>> > because, you are not pulling traffic off of the bridge. You are
>> > pulling traffic out of iptables, via the QUEUE target. As far as >> > the
>> > rules go, you need to convert alert to drop/sdrop/reject.
>> >
>> > Regards,
>> >
>> > Will
>> >
>> >
>> > On Mon, 27 Dec 2004 11:36:10 -0500, mdpeters
>> > <michael.peters@lazarusalliance.com> wrote:
>> >> One instance for both interfaces or just one like you wrote? How >> >> does it
>> >> know what interface the bridge is on?
>> >>
>> >>
>> >> ----- Original Message -----
>> >> From: "Will Metcalf" <william.metcalf@gmail.com>
>> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
>> >> Sent: Monday, December 27, 2004 11:00 AM
>> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple
>> >> questions?
>> >>
>> >> > look at inline readme file under doc in your source.
>> >> >
>> >> > you were close....
>> >> >
>> >> > /opt/snort/bin/snort-inline -Q -l /var/log/snort/ -D -c
>> >> > /opt/snort/etc/snort_inline.conf
>> >> >
>> >> > something like that...
>> >> >
>> >> > Regards,
>> >> >
>> >> > Will
>> >> >
>> >> >
>> >> > On Mon, 27 Dec 2004 09:46:33 -0500, mdpeters
>> >> > <michael.peters@lazarusalliance.com> wrote:
>> >> >> Right now I have this running:
>> >> >>
>> >> >> /opt/snort/bin/snort-inline -Q -c /opt/snort/etc/inline1.conf -i
>> >> >> eth1 -l
>> >> >> /var/log/snort-inline1 -D
>> >> >> /opt/snort/bin/snort-inline -Q -c /opt/snort/etc/inline2.conf -i
>> >> >> eth2 -l
>> >> >> /var/log/snort-inline2 -D
>> >> >>
>> >> >> I apparently do not understand how inline works.
>> >> >>
>> >> >> What would the snort-inline command be to work on a transparent >> >> >> bridge
>> >> >> snort-inline with iptables?
>> >> >>
>> >> >> Where can I read up?
>> >> >>
>> >> >> I appreciate your help!
>> >> >>
>> >> >> ----- Original Message -----
>> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
>> >> >> To: "mdpeters" <michael.peters@lazarusalliance.com>
>> >> >> Sent: Monday, December 27, 2004 8:14 AM
>> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other simple
>> >> >> questions?
>> >> >>
>> >> >> > neither you would use the -Q switch to tell snort to read from
>> >> >> > ip_queue. Then you have to send traffic to snort with >> >> >> > iptables with
>> >> >> > a
>> >> >> > rule like this.
>> >> >> >
>> >> >> > iptables -A FORWARD -j QUEUE
>> >> >> >
>> >> >> >
>> >> >> > On Mon, 27 Dec 2004 00:06:30 -0500, mdpeters
>> >> >> > <michael.peters@lazarusalliance.com> wrote:
>> >> >> >> Would I need to use the bridge "br0" group interface or the
>> >> >> >> individual
>> >> >> >> interfaces "eth0' and "eth1" that make up the group for the
>> >> >> >> Snort-inline
>> >> >> >> start command?
>> >> >> >>
>> >> >> >> Thanks,
>> >> >> >> Michael
>> >> >> >>
>> >> >> >> ----- Original Message -----
>> >> >> >> From: "Will Metcalf" <william.metcalf@gmail.com>
>> >> >> >> To: "Matt Kettler" <mkettler@evi-inc.com>
>> >> >> >> Cc: "mdpeters" <michael.peters@lazarusalliance.com>;
>> >> >> >> <snort-users@lists.sourceforge.net>
>> >> >> >> Sent: Thursday, December 23, 2004 4:43 PM
>> >> >> >> Subject: Re: [Snort-users] Inline IP_Forwarding and other >> >> >> >> simple
>> >> >> >> questions?
>> >> >> >>
>> >> >> >> > Well said, except that drop does not reset the connection. >> >> >> >> > Using
>> >> >> >> > reject will drop and reset the connection.
>> >> >> >> >
>> >> >> >> > Regards,
>> >> >> >> >
>> >> >> >> > Will
>> >> >> >> >
>> >> >> >> > On Thu, 23 Dec 2004 15:21:37 -0500, Matt Kettler
>> >> >> >> > <mkettler@evi-inc.com>
>> >> >> >> > wrote:
>> >> >> >> >> At 02:04 PM 12/23/2004, mdpeters wrote:
>> >> >> >> >> >Do I need to enable ip_forwarding on for the transparent >> >> >> >> >> >bridge
>> >> >> >> >> >to
>> >> >> >> >> >work?
>> >> >> >> >>
>> >> >> >> >> As I understand it, you explicitly MUST NOT enable
>> >> >> >> >> ip_forwarding,
>> >> >> >> >> otherwise
>> >> >> >> >> your snort-inline is a "pass all".
>> >> >> >> >>
>> >> >> >> >> >
>> >> >> >> >> >Do I need to install ebtables for inline to disrupt >> >> >> >> >> >traffic or
>> >> >> >> >> >is
>> >> >> >> >> >iptables, libnet, and libpcap all that I might need?
>> >> >> >> >>
>> >> >> >> >> AFAIK you don't need ebtables. You do need libipq for >> >> >> >> >> inline
>> >> >> >> >> and
>> >> >> >> >> libnet.
>> >> >> >> >> This is how snort-inline attaches to iptables by using >> >> >> >> >> libipq
>> >> >> >> >> instead
>> >> >> >> >> of
>> >> >> >> >> using libpcap.
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> > It is my impression that iptables just firewalls with >> >> >> >> >> > static
>> >> >> >> >> > rules.
>> >> >> >> >>
>> >> >> >> >> On it's own, yes, but IPTables is VERY extensible via >> >> >> >> >> libipq..
>> >> >> >> >>
>> >> >> >> >> That's where snort-inline comes in. Snort-inline interacts >> >> >> >> >> with
>> >> >> >> >> iptables.
>> >> >> >> >> It doesn't do things like create iptables rules to block
>> >> >> >> >> packets,
>> >> >> >> >> it
>> >> >> >> >> the
>> >> >> >> >> whole system becomes an iptables rule, it just happens to >> >> >> >> >> be a
>> >> >> >> >> rule
>> >> >> >> >> that
>> >> >> >> >> runs snort instead of some simple expression.
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> >
>> >> >> >> >> >Do the snort rules running on the transparent inline >> >> >> >> >> >snort box
>> >> >> >> >> >reset
>> >> >> >> >> >the
>> >> >> >> >> >traffic that passes through using inline?
>> >> >> >> >>
>> >> >> >> >> Depends on if you use DROP or SDROP :).. However, inline >> >> >> >> >> doesn't
>> >> >> >> >> JUST
>> >> >> >> >> reset
>> >> >> >> >> the traffic.. it also prevents the packet from being >> >> >> >> >> forwarded
>> >> >> >> >> at
>> >> >> >> >> all.
>> >> >> >> >> DROP
>> >> >> >> >> will also reset, SDROP won't.
>> >> >> >> >>
>> >> >> >> >> Snort 2.3's inline capacity is a direct port of >> >> >> >> >> snort-inline.
>> >> >> >> >> You
>> >> >> >> >> might
>> >> >> >> >> want to check their FAQ for other info:
>> >> >> >> >>
>> >> >> >> >> http://snort-inline.sourceforge.net/FAQ.html
>> >> >> >> >>
>> >> >> >> >> -------------------------------------------------------
>> >> >> >> >> SF email is sponsored by - The IT Product Guide
>> >> >> >> >> Read honest & candid reviews on hundreds of IT Products >> >> >> >> >> from
>> >> >> >> >> real
>> >> >> >> >> users.
>> >> >> >> >> Discover which products truly live up to the hype. Start >> >> >> >> >> reading
>> >> >> >> >> now.
>> >> >> >> >> http://productguide.itmanagersjournal.com/
>> >> >> >> >> _______________________________________________
>> >> >> >> >> Snort-users mailing list
>> >> >> >> >> Snort-users@lists.sourceforge.net
>> >> >> >> >> Go to this URL to change user options or unsubscribe:
>> >> >> >> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> >> >> >> Snort-users list archive:
>> >> >> >> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >> >> >>
>> >> >> >> >
>> >> >> >> >
>> >> >> >> > -------------------------------------------------------
>> >> >> >> > SF email is sponsored by - The IT Product Guide
>> >> >> >> > Read honest & candid reviews on hundreds of IT Products >> >> >> >> > from real
>> >> >> >> > users.
>> >> >> >> > Discover which products truly live up to the hype. Start >> >> >> >> > reading
>> >> >> >> > now.
>> >> >> >> > http://productguide.itmanagersjournal.com/
>> >> >> >> > _______________________________________________
>> >> >> >> > Snort-users mailing list
>> >> >> >> > Snort-users@lists.sourceforge.net
>> >> >> >> > Go to this URL to change user options or unsubscribe:
>> >> >> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> >> >> > Snort-users list archive:
>> >> >> >> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> >> >> >> >
>> >> >> >>
>> >> >> >>
>> >> >> >
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >
>>
>>


Best regards,

Michael D. Peters
Director of Security Services
CISSP
Lazarus Alliance Inc.
M: 502-767-3448
O: 502-231-8017 x8
H: 502-231-6923
F: 502-231-5347

michael.peters@lazarusalliance.com
www.lazarusalliance.com

Verify here: http://wwwkeys.us.pgp.net




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] Re: Snort failed to install using Phil Woods' shared memory ring buffer libpcap, Steve Smith
Next by Date:  [Snort-users] Snort2.3 installation problems., George Laiacona
Previous by Thread:  [Snort-users] Re: Inline IP_Forwarding and other simple questions?, Will Metcalf
Next by Thread:  Re: [Snort-users] Re: Inline IP_Forwarding and other simple questions?, Will Metcalf
Indexes:  [Date] [Thread] [Top] [All Lists]