From: Rob M. <rv...@ca...> - 2003-05-06 22:50:00
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 6 May 2003, danh wrote:
> Hi people,
>
> I am using snort_inline 2.0.0 and it all appears to be functioning
> normally (I have iptables set up with the "-j QUEUE" target for all
> incoming traffic on port 80, without snort_inline running I get no
> connections, with it running my web server sees the requests) but after
> extensive testing I can confirm that it is letting through sequences
> that "normal" snort will alert on.
Can you give some examples of the sequences that are getting through?
What rules are you using? As far as the behavior with the QUEUE and no
snort_inline running, it is ip_queue's default behavior to drop packets
if no process (snort_inline in our case) is listening to the queue.
Also, please download the latest snort_inline-2.0.0-1.
> There are a few things that I have noticed that may have a bearing.
>
> When I used to run normal snort, I started it with the "-i ppp0" command
> line option, as that is my external interface. I also had the line "var
> HOME_NET [10.0.0.0/8,$ppp0_ADDRESS]" in my conf file. This does not
> appear to work for snort_inline. I get an error about undefined variables.
snort_inline does not get its packets from an interface; therefore, the -i
flag will not do much good. Instead, snort_inline gets its packets from
the firewall. So if you want to control where snort_inline gets its
packets, you have to divert them with the use of -j QUEUE. For example,
if I want all of my inbound packets to tcp port 80 on my ppp0 interface to
go through snort_inline, I would use the following iptables rule:
iptables -A INPUT -i ppp0 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j QUEUE
Use connection tracking (state) because it makes iptables reassemble all
fragments before it passes them on.
> Also when I start up normal snort, during initialisation it reports 1331
> rules active etc.. However, snort_inline says 0 rules activated BUT it
> does appear to be applying rules (it caught a WEB-IIS cmd.exe attack).
Hmm. I don't get the same results.
[root@Jiggy src]# ./snort_inline -Qc
/etc/snort_inline/snort_inline.new.conf
Reading from iptables
Running in IDS mode
Log directory = /var/log/snort
Initializing Inline mode
--== Initializing Snort ==--
Initializing Output Plugins!
Setting the Packet Processor to decode packets from iptables
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.new.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
http_decode arguments:
Unicode decoding
IIS alternate Unicode decoding
IIS double encoding vuln
Flip backslash to slash
Include additional whitespace separators
Ports to decode http on: 80
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
telnet_decode arguments:
Ports to decode telnet on: 21 23 25 119
Conversation Config:
KeepStats: 0
Conv Count: 32000
Timeout : 60
Alert Odd?: 0
Allowed IP Protocols: All
1369 Snort rules read...
1369 Option Chains linked into 113 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order:
->activation->dynamic->drop->sdrop->reject->alert->pass->log
--== Initialization Complete ==--
*******************
snort_inline-2.0.0-1
*******************
a modification of ...
-*> Snort! <*-
Version 2.0.0 (Build 72)
By Martin Roesch (ro...@so..., www.snort.org)
> The reason I am using snort_inline is that I am trying to get a true
> count of web site hits, but I am getting so many "code red" attempts it
> is distorting the figures. So I was trying to drop the connections
> before they even get to the web server. I know that there are issues
> with detecting code red attacks (no established flag etc) but I can
> handle that.
Cool! And thanks for the feedback.
Rob
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76
iQA/AwUBPrg76/nAyY+9KLjdEQKg0QCgmB/HVkyY8MQ97KvvrHVuGbsqbrIAnipc
MOz0JB2jIP91svUjKZ9nnTis
=Jg53
-----END PGP SIGNATURE-----
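The disagreement in this thread (danh sees "0 rules activated", Rob sees 1369) is exactly the kind of thing worth checking mechanically from the start-up banner before trusting an inline sensor. The script below is an added example, not code from this thread or from the snort_inline project: it parses the fields of the banner that matter for inline operation (packet source, rule count, and the rule application order, where drop must come before alert for anything to be blocked) and reports problems. The two banners embedded in it are constructed samples: the first is trimmed from the output Rob quotes above, the second is a constructed reproduction of the "0 rules" symptom. The "- " prefix on the rule-order line in the first sample is PGP dash-escaping from the signed mail, which the parser strips.

```python
import re

# Constructed sample input: the snort_inline start-up banner quoted in Rob's reply
# above, trimmed to the lines this parser cares about. The "- " prefix on the
# rule-order line is PGP dash-escaping from the signed mail, not snort output.
SAMPLE_BANNER = """\
Reading from iptables
Running in IDS mode
Parsing Rules file /etc/snort_inline/snort_inline.new.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1369 Snort rules read...
1369 Option Chains linked into 113 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Rule application order:
- ->activation->dynamic->drop->sdrop->reject->alert->pass->log
--== Initialization Complete ==--
"""

# Constructed sample of the symptom danh reports: a start-up that loaded no rules.
SAMPLE_BANNER_NO_RULES = """\
Reading from iptables
Parsing Rules file /etc/snort_inline/snort_inline.conf
0 Snort rules read...
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
Rule application order:
->activation->dynamic->drop->sdrop->reject->alert->pass->log
--== Initialization Complete ==--
"""

RULES_READ_RE = re.compile(r"^(\d+) Snort rules read")
CHAINS_RE = re.compile(r"^(\d+) Option Chains linked into (\d+) Chain Headers")


def unescape_pgp(line):
    """Undo the '- ' prefix that PGP-signed mail adds to lines beginning with '-'."""
    return line[2:] if line.startswith("- ") else line


def parse_banner(text):
    """Extract the fields of a snort_inline start-up banner needed to verify inline operation."""
    info = {"source": None, "rules_read": None, "option_chains": None,
            "chain_headers": None, "order": []}
    for raw in text.splitlines():
        line = unescape_pgp(raw.rstrip())
        if line.startswith("Reading from "):
            info["source"] = line[len("Reading from "):]
        elif (m := RULES_READ_RE.match(line)):
            info["rules_read"] = int(m.group(1))
        elif (m := CHAINS_RE.match(line)):
            info["option_chains"] = int(m.group(1))
            info["chain_headers"] = int(m.group(2))
        elif line.startswith("->"):
            # "->activation->dynamic->drop->..." becomes a list of stages in evaluation order
            info["order"] = [s for s in line.split("->") if s]
    return info


def check_inline_startup(info):
    """Return a list of problems; an empty list means the banner looks like a working inline setup."""
    problems = []
    if info["source"] != "iptables":
        problems.append("packet source is not iptables; snort_inline must read from the QUEUE target")
    if not info["rules_read"]:
        problems.append("0 Snort rules read: the rules file or its include paths are not being loaded")
    order = info["order"]
    if "drop" not in order:
        problems.append("no drop stage in the rule application order; nothing will be blocked")
    elif "alert" in order and order.index("drop") > order.index("alert"):
        problems.append("alert rules are evaluated before drop rules")
    return problems


if __name__ == "__main__":
    for name, banner in (("good", SAMPLE_BANNER), ("no-rules", SAMPLE_BANNER_NO_RULES)):
        info = parse_banner(banner)
        print(name, info["rules_read"], info["order"], check_inline_startup(info) or "OK")
```

In practice you would feed it the captured stdout of `snort_inline -Q -c ...` (for example via `tee` into a file) rather than the embedded samples; the point is that "Initialization Complete" alone says nothing about whether any rule will ever drop a packet.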