On 4/13/06, Pieter Vanmeerbeek <pieter.vanmeerbeek@able.be> wrote:
Hi
I've got a question on a stream 4 configuration. This is our setup:
All traffic from internet and dmz is routed to snort using iptables QUEUE
statement. All traffic from our router itself and all traffic from the
secure LAN is NOT routed to snort. We are using the upgradeable rule set
with all rules set to drop to have an IPS system
You have to be very careful with your iptables if you begin to get
this granular with rules. I don't care if you have enforce_state on
or not, you need to QUEUE your traffic in such a way that stream4
See's both sides of the conversation.
This worked fine, however sometimes connections were dropped without
alerting. After some research I found out that it is the stream4
preprocessor who was doing this. Adding the midstream_drop_alerts parameter
solves the problem however may expose us to snot & stick attacks.
Yeah
2 questions about this:
1. I thought a snot & stick attack was designed to bury a hacking attempt
between other useless attacks and therefore obscure the logging and possible
recognition. But in an IPS system the attack itself is logged and also
blocked. So I do not understand why this is may be a problem?
Because as an analyst I actually do detective work to actually try and
figure out what is happening in my network. Following that train of
thought snot & stick are just as successful as they ever where.
2. Apparently the problem of question 1 is not an issue if the inline_state
parameter is set. However as we do not send all traffic through snort this
will probably cause a lot of packages to be dropped? Even more general, is
there a possible state problem when only traffic from internet/dmz is routed
to snort? In other words would some rules match due to a state problem?
You do not have to send all traffic to snort but you need to QUEUE
your tcp traffic in such a way that stream4 is able to see both sides
of the conversation. If enforce_state is enabled and you are only
sending one half of the conversation to stream4, it will drop your
packets because it is only seeing one half of what it needs to, i.e.
no valid TWH etc....
Regards,
Will
Kind regards,
Pieter
--
---------------------------------------------------
aXs GUARD Training Center
more info at http://www.axsguard.com/indextraining.htm
aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087
RPR Mechelen
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
