From: Geffrey V. [MINAG] <gve...@mi...> - 2004-07-01 19:56:52
Excellent! Your script always has the ESTABLISHED and RELATED states on top. I would like to see your frontend.

Another question (I'm new): I was testing with an Apache behind an Iptables/Snort Inline firewall, with only web-*.rules activated, and triggered some cgi attacks. The attempt is dropped, but the Apache web server doesn't know that the connection was dropped, and maybe this could lead to a DOS attack. How are you considering this case?

Regards,
Geffrey Velásquez

---------- Original Message -----------
From: Victor Julien <vi...@nk...>
To: sno...@li...
Sent: Thu, 1 Jul 2004 21:33:25 +0200
Subject: Re: [Snort-inline-users] using snort_inline for selected traffic only (was: help with setting up iptables for use with snort_inline)

> Good question. Not much I think. :-)
>
> The reason I do it like this is that the iptables frontend I'm
> writing creates the ESTABLISHED,RELATED first, and then based on a
> rulesfile the specific individual rules. So then I have only two
> RELATED,ESTABLISHED rules per chain (on top of course) for optimal
> performance. The frontend then dynamically creates mangle, nat and filter rules.
>
> The way you do it I would have to create an ESTABLISHED,RELATED for
> every service/rule I want to QUEUE.
>
> But for this example you are absolutely right!
>
> Regards,
> Victor
>
> Updated example:
>
> Question: I want to handle only selected traffic with snort_inline
>
> Answer:
> Say you want only smtp traffic to be handled by snort_inline, but
> not pop3.
>
> # the ESTABLISHED,RELATED for smtp
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
> # the ESTABLISHED,RELATED for the rest
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # the initial rules
> iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
>
> Question: I can now handle selected traffic, but I'm having troubles
> with protocols which use protocol handlers in iptables, like ftp.
>
> Answer: for this you need the 'helper' module. Say you want only ftp
> traffic to be handled by snort_inline, but not http.
>
> # the ESTABLISHED,RELATED for the helper ftp
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m helper --helper "ftp" -j QUEUE
> # the ESTABLISHED,RELATED for ftp connection on port 21
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 21 -j QUEUE
> # the ESTABLISHED,RELATED for the rest
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
>
> The difference here is the helper module which makes sure that the
> connections that are handled by the ftp conntrack helper are also
> sent to the queue.
>
> On Thursday 01 July 2004 21:14, Geffrey Velasquez [MINAG] wrote:
> > Hi Victor, and what is the difference with this?:
> >
> > 1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
> > 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > 3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > 4. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> >
> > Saludos,
> > Geffrey Velásquez
> > Cel.: 9722-2705
> >
> > ---------- Original Message -----------
> > From: Victor Julien <vi...@nk...>
> > To: sno...@li...
> > Sent: Thu, 1 Jul 2004 19:53:28 +0200
> > Subject: [Snort-inline-users] using snort_inline for selected traffic only
> > (was: help with setting up iptables for use with snort_inline)
> >
> > > Hi list,
> > >
> > > I found the answer to my question (with the kind help of Antony
> > > Stone of the Netfilter list). I'd like to share it with you so others
> > > can use it as well. I've written it in the snort_inline faq format,
> > > so if you think it's useful please include it in your faq!
> > >
> > > Regards,
> > > Victor
> > >
> > > Question: I want to handle only selected traffic with snort_inline
> > >
> > > Answer: You can use the MARK target in iptables for this. Say you want
> > > only smtp traffic to be handled by snort_inline, but not pop3.
> > >
> > > 1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1
> > >
> > > 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >
> > > 4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > > 5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> > >
> > > Pop3 traffic is now first accepted in rule 5, and after that handled
> > > by rule 3.
> > >
> > > The smtp traffic is now first QUEUE'd by rule 4, after that marked
> > > in rule 1 so it can be picked up by the 2nd rule.
> > >
> > > Question: I can now handle selected traffic, but I'm having troubles
> > > with protocols which use protocol handlers in iptables, like ftp.
> > >
> > > Answer: for this you need the 'helper' module. Say you want only ftp
> > > traffic to be handled by snort_inline, but not http.
> > >
> > > 1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
> > > 2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1
> > >
> > > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > > 4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >
> > > 5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> > > 6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
> > >
> > > The difference here is the second rule which makes sure that the
> > > connections that are handled by the ftp conntrack helper are also
> > > sent to the queue.
> > >
> > > -------------------------------------------------------
> > > This SF.Net email sponsored by Black Hat Briefings & Training.
> > > Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> > > digital self defense, top technical experts, no vendor pitches,
> > > unmatched networking opportunities. Visit www.blackhat.com
> > > _______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > ------- End of Original Message -------
------- End of Original Message -------
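The helper-match point from Victor's FAQ entry, as an added example that is not code from the thread or from snort_inline: a first-match model of the FORWARD chain, run over constructed packets, comparing the ruleset with and without the `-m helper --helper "ftp"` rule. Packet fields and the default-policy name are assumptions for the simulation.

```python
# Added example (not from the thread): first-match model of the FORWARD chain
# in Victor's FAQ entry, showing why "-m helper --helper ftp" is needed when
# only ftp traffic should reach snort_inline via QUEUE. Packets are constructed.
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Packet:
    state: str                    # conntrack state: NEW, ESTABLISHED or RELATED
    proto: str = "tcp"
    dport: int = 0
    helper: Optional[str] = None  # conntrack helper that set up this flow, if any

@dataclass
class Rule:
    target: str                        # -j QUEUE or -j ACCEPT
    states: Optional[Set[str]] = None  # -m state --state ...
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    helper: Optional[str] = None       # -m helper --helper ...

    def matches(self, p: Packet) -> bool:
        return ((self.states is None or p.state in self.states)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.helper is None or p.helper == self.helper))

def forward(chain, p: Packet) -> str:
    """Walk the chain; the first matching rule decides, as in iptables."""
    for r in chain:
        if r.matches(p):
            return r.target
    return "POLICY"  # chain default policy, assumed here

ER = {"ESTABLISHED", "RELATED"}
# FAQ ruleset: ftp to snort_inline, http accepted, ESTABLISHED,RELATED on top.
WITH_HELPER = [
    Rule("QUEUE", ER, helper="ftp"),
    Rule("QUEUE", ER, "tcp", 21),
    Rule("ACCEPT", ER),
    Rule("QUEUE", {"NEW"}, "tcp", 21),
    Rule("ACCEPT", {"NEW"}, "tcp", 80),
]
WITHOUT_HELPER = [r for r in WITH_HELPER if r.helper is None]  # drop rule 1

def verdicts(chain) -> dict:
    """ftp control packet, ftp data-channel packet (RELATED via helper), http."""
    return {"ftp_ctl": forward(chain, Packet("NEW", "tcp", 21)),
            "ftp_data": forward(chain, Packet("RELATED", "tcp", 40123, helper="ftp")),
            "http": forward(chain, Packet("NEW", "tcp", 80))}
```

Without the helper rule, the RELATED data connection (arbitrary port, not 21) only matches the catch-all ESTABLISHED,RELATED ACCEPT, so it never reaches snort_inline; with it, both control and data channels are queued.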