From: Cliff M. <cl...@un...> - 2004-06-30 18:23:54
Thanks for the tip. When I try -j -QUEUE, I receive the error "no such chain/rule by that name". I can see the module loaded using insmod. Do I need to set up a new rule for this?

On Jun 30, 2004, at 11:12 AM, William Metcalf wrote:

> Here is an e-mail I sent to the list a while ago regarding using snort_inline in NAT mode. There is an overabundance of QUEUE statements, but it will give you some idea of what to do.
>
> It shouldn't be all that difficult. If you already have a nat firewall, just change the target in your rules from -j ACCEPT to -j QUEUE. Using the QUEUE target snort-inline will look at the traffic. If it is good it will pass it, if it is bad it will drop it. Or let's assume that you have a linux box with two interfaces and you want it to be an ips router. Let's also assume that eth0 is int of the network you want to protect and eth1 is the interface you have plugged into an untrusted network (cable modem etc.....). Something like the iptables script below should suffice. I might have some redundant QUEUE targets, but I wrote and tested this in fifteen minutes. It was dropping bad traffic like a champ. I didn't include any icmp statements, so if you want ping you will have to add it yourself.
>
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -t nat -F PREROUTING
> iptables -t nat -F POSTROUTING
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> # Enable IP forwarding
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> #INPUT
> #Let firewall talk to itself
> iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
> #Allow traffic initiated from this box back in and check for nastiness
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j QUEUE
> #Set up the FORWARD table for NAT
> iptables -A FORWARD -i eth0 -o eth1 -j QUEUE
> iptables -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j QUEUE
> #Setup the NAT rule
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> Regards,
>
> Will
>
> Cliff Massey <cl...@un...>
> Sent by: sno...@li...
> 06/30/2004 01:04 PM
> To: Rob McMillen <ro...@ho...>
> cc: sno...@li...
> Subject: Re: [Snort-inline-users] Basic Questions
>
> I'm using Fedora Core 2. As far as sending packets to snort_inline, that I'm not quite sure how to do. I read the README, but it really doesn't explain the inline part too well. What is the best way to do that? With a QUEUE chain?
>
> Cliff
>
> On Jun 30, 2004, at 5:18 AM, Rob McMillen wrote:
>
> > What linux distro are you using? How are you sending packets to snort_inline?
> >
> > Rob
> >
> > On Wed, 30 Jun 2004, Cliff Massey wrote:
> >
> >> Date: Wed, 30 Jun 2004 00:35:51 -0700
> >> From: Cliff Massey <cl...@un...>
> >> To: sno...@li...
> >> Subject: [Snort-inline-users] Basic Questions
> >>
> >> Hi,
> >>
> >> I was wondering if it is possible to get snort_inline to work with my current configuration. I'm using the linux 2.6 kernel & iptables with a basic nat setup between two interfaces. I can pick up alerts when running it in sniffer mode, although I can't when running in ids mode. The ip_queue module is loading correctly as I don't receive an error when using the -Q option.
> >>
> >> Any help would be appreciated.
> >>
> >> Cliff Massey
> >>
> >> -------------------------------------------------------
> >> This SF.Net email sponsored by Black Hat Briefings & Training.
> >> Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> >> digital self defense, top technical experts, no vendor pitches,
> >> unmatched networking opportunities. Visit www.blackhat.com
> >> _______________________________________________
> >> Snort-inline-users mailing list
> >> Sno...@li...
> >> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
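A parameterized, dry-run-capable version of the NAT plus QUEUE ruleset Will posted, added here as an example; it is not code from the thread or from the snort_inline project. It keeps the same eth0 (protected) / eth1 (untrusted) roles as Will's script, overridable through INSIDE and OUTSIDE; the DRY_RUN switch, the run/set_proc helpers and count_queue_rules are my own additions; and it assumes that the ip_queue handler registers /proc/net/ip_queue once loaded (true of the 2.6 kernels of the period, an assumption elsewhere). The target name is passed to -j exactly as QUEUE, and the default mode only prints the commands so the generated rules can be reviewed before they touch a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): NAT router that hands forwarded and
# inbound-reply traffic to snort_inline via the QUEUE target.
# Interface names below are assumptions; adjust them for your box.
INSIDE="${INSIDE:-eth0}"      # interface on the network you want to protect
OUTSIDE="${OUTSIDE:-eth1}"    # interface plugged into the untrusted network
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the commands only, 0 = execute them

# Execute a command, or print it verbatim in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Write a kernel setting through /proc (printed in dry-run mode).
set_proc() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'echo %s > %s\n' "$2" "$1"
    else
        echo "$2" > "$1"
    fi
}

# Readiness check: -j QUEUE only delivers packets to snort_inline when the
# userspace queue handler (ip_queue) is loaded; assumed to expose
# /proc/net/ip_queue once it is.
queue_ready() {
    [ -e /proc/net/ip_queue ]
}

apply_rules() {
    if ! queue_ready; then
        printf '# warning: /proc/net/ip_queue not found; load ip_queue first\n' >&2
        [ "$DRY_RUN" = "1" ] || return 1
    fi

    # Start from a clean slate with default-deny for INPUT and FORWARD.
    run iptables -F INPUT
    run iptables -F FORWARD
    run iptables -F OUTPUT
    run iptables -t nat -F PREROUTING
    run iptables -t nat -F POSTROUTING
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Routing and basic anti-spoofing/redirect hardening.
    set_proc /proc/sys/net/ipv4/ip_forward 1
    set_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0
    set_proc /proc/sys/net/ipv4/conf/all/send_redirects 0
    set_proc /proc/sys/net/ipv4/conf/all/accept_redirects 0
    set_proc /proc/sys/net/ipv4/tcp_syncookies 1

    # INPUT: the box may talk to itself; replies to its own connections are
    # inspected by snort_inline before they are accepted.
    run iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j QUEUE

    # FORWARD: everything from the protected side out, and only replies
    # back in, both inspected inline.
    run iptables -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -j QUEUE
    run iptables -A FORWARD -i "$OUTSIDE" -o "$INSIDE" \
        -m state --state RELATED,ESTABLISHED -j QUEUE

    # NAT the protected network behind the outside interface.
    run iptables -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
}

# Sanity check on the generated ruleset: how many rules hand off to QUEUE.
count_queue_rules() {
    apply_rules 2>/dev/null | grep -c -- '-j QUEUE$'
}

apply_rules
```

Run it as root with DRY_RUN=0 to apply; the default just lists the rules, and count_queue_rules is a quick way to confirm that every forwarding path (and the inbound-reply path) goes through snort_inline rather than straight to ACCEPT.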