From: Victor J. <vi...@nk...> - 2004-07-01 20:06:57

On Thursday 01 July 2004 21:56, Geffrey Velasquez [MINAG] wrote:
> Excellent! Your script always has the ESTABLISHED and RELATED states
> on top. I would like to see your frontend.

It's not yet released; I'm in the process of registering a project with
sourceforge. I think after my holiday I release it... 1 month or so?

> Another question (I'm new): I was testing with an Apache behind an
> Iptables/Snort Inline Firewall, only with web-*.rules activated, and
> triggered some cgi attacks. The attempt is dropped, but the Apache web
> server doesn't know that the connection was dropped, and maybe this
> could lead to a DOS attack. How are you considering this case?

I'm not sure if the entire connection is dropped or just the dangerous
packets... (I'm also new to snort_inline ;-) Maybe you could use reject
for this?

Regards,
Victor

> Regards,
> Geffrey Velásquez
>
> ---------- Original Message -----------
> From: Victor Julien <vi...@nk...>
> To: sno...@li...
> Sent: Thu, 1 Jul 2004 21:33:25 +0200
> Subject: Re: [Snort-inline-users] using snort_inline for selected traffic
> only (was: help with setting up iptables for use with snort_inline)
>
> > Good question. Not much I think. :-)
> >
> > The reason I do it like this is that the iptables frontend I'm
> > writing creates the ESTABLISHED,RELATED first, and then based on a
> > rulesfile the specific individual rules. So then I have only two
> > RELATED,ESTABLISHED rules per chain (on top of course) for optimal
> > performance. The frontend then dynamically creates mangle, nat and
> > filter rules.
> >
> > The way you do it I would have to create an ESTABLISHED,RELATED for
> > every service/rule I want to QUEUE.
> >
> > But for this example you are absolutely right!
> >
> > Regards,
> > Victor
> >
> > Updated example:
> >
> > Question: I want to handle only selected traffic with snort_inline
> >
> > Answer:
> > Say you want only smtp traffic to be handled by snort_inline, but
> > not pop3.
> >
> > # the ESTABLISHED,RELATED for smtp
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
> > # the ESTABLISHED,RELATED for the rest
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > # the initial rules
> > iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> >
> > Question: I can now handle selected traffic, but I'm having trouble
> > with protocols which use protocol handlers in iptables, like ftp.
> >
> > Answer: for this you need the 'helper' module. Say you want only ftp
> > traffic to be handled by snort_inline, but not http.
> >
> > # the ESTABLISHED,RELATED for the helper ftp
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m helper --helper "ftp" -j QUEUE
> > # the ESTABLISHED,RELATED for ftp connection on port 21
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 21 -j QUEUE
> > # the ESTABLISHED,RELATED for the rest
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> > iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
> >
> > The difference here is the helper module, which makes sure that the
> > connections that are handled by the ftp conntrack helper are also
> > sent to the queue.
> >
> > On Thursday 01 July 2004 21:14, Geffrey Velasquez [MINAG] wrote:
> > > Hi Victor, and what is the difference with this?:
> > >
> > > 1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
> > > 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > 3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > > 4. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> > >
> > > Saludos,
> > > Geffrey Velásquez
> > > Cel.: 9722-2705
> > >
> > > ---------- Original Message -----------
> > > From: Victor Julien <vi...@nk...>
> > > To: sno...@li...
> > > Sent: Thu, 1 Jul 2004 19:53:28 +0200
> > > Subject: [Snort-inline-users] using snort_inline for selected traffic
> > > only (was: help with setting up iptables for use with snort_inline)
> > >
> > > > Hi list,
> > > >
> > > > I found the answer to my question (with the kind help of Antony
> > > > Stone of the Netfilter list). I'd like to share it with you so others
> > > > can use it as well. I've written it in the snort_inline faq format,
> > > > so if you think it's useful please include it in your faq!
> > > >
> > > > Regards,
> > > > Victor
> > > >
> > > > Question: I want to handle only selected traffic with snort_inline
> > > >
> > > > Answer: You can use the MARK target in iptables for this. Say you want
> > > > only smtp traffic to be handled by snort_inline, but not pop3.
> > > >
> > > > 1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1
> > > >
> > > > 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > > > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > >
> > > > 4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > > > 5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> > > >
> > > > Pop3 traffic is now first accepted in rule 5, and after that handled
> > > > by rule 3.
> > > >
> > > > The smtp traffic is now first QUEUE'd by rule 4, after that marked
> > > > in rule 1 so it can be picked up by the 2nd rule.
> > > >
> > > > Question: I can now handle selected traffic, but I'm having trouble
> > > > with protocols which use protocol handlers in iptables, like ftp.
> > > >
> > > > Answer: for this you need the 'helper' module. Say you want only ftp
> > > > traffic to be handled by snort_inline, but not http.
> > > >
> > > > 1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
> > > > 2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1
> > > >
> > > > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > > > 4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > >
> > > > 5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> > > > 6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
> > > >
> > > > The difference here is the second rule, which makes sure that the
> > > > connections that are handled by the ftp conntrack helper are also
> > > > sent to the queue.
> > > >
> > > > -------------------------------------------------------
> > > > This SF.Net email sponsored by Black Hat Briefings & Training.
> > > > Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> > > > digital self defense, top technical experts, no vendor pitches,
> > > > unmatched networking opportunities. Visit www.blackhat.com
> > > > _______________________________________________
> > > > Snort-inline-users mailing list
> > > > Sno...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > > ------- End of Original Message -------
> ------- End of Original Message -------
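The ruleset discussed in the thread above, written up as a small POSIX sh generator. This is an added example and not code from Victor, Geffrey or the snort_inline project; it generalises the two FAQ answers (selected TCP ports plus conntrack-helper children go to QUEUE, everything else is ACCEPTed) to any list of ports and helpers. It also matches the server-to-client half of each inspected connection with `--sport`, because an ESTABLISHED rule that only tests `--dport 25` sees the client's packets but not the replies, whose destination port is the client's ephemeral port. `IPT` defaults to `echo iptables` so the rules can be reviewed offline; the function name `queue_rules` and the `QUEUED_PORTS`/`HELPERS`/`ACCEPTED_PORTS` variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the iptables rules
# that send only selected services, and the connections their conntrack
# helpers pick up, to snort_inline via QUEUE, while the rest is ACCEPTed.
#
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables to apply them on a live firewall.
IPT="${IPT:-echo iptables}"

# queue_rules QUEUED_PORTS HELPERS ACCEPTED_PORTS
#   QUEUED_PORTS   space-separated TCP ports whose traffic goes to QUEUE
#   HELPERS        space-separated conntrack helper names (e.g. "ftp")
#   ACCEPTED_PORTS space-separated TCP ports that bypass inspection
# Rule order matters: every ESTABLISHED,RELATED rule that targets QUEUE must
# precede the catch-all ESTABLISHED,RELATED ACCEPT, otherwise the catch-all
# swallows the inspected flows after their first packet.
queue_rules() {
    queued="$1"; helpers="$2"; accepted="$3"

    # 1. Connections tracked by a helper (ftp control + data channels).
    #    The helper match is conntrack-based, so it covers both directions.
    for h in $helpers; do
        $IPT -A FORWARD -m state --state ESTABLISHED,RELATED \
            -m helper --helper "$h" -j QUEUE
    done

    # 2. Inspected ports: client->server (--dport) and the replies (--sport).
    for p in $queued; do
        $IPT -A FORWARD -m state --state ESTABLISHED,RELATED \
            -p tcp --dport "$p" -j QUEUE
        $IPT -A FORWARD -m state --state ESTABLISHED,RELATED \
            -p tcp --sport "$p" -j QUEUE
    done

    # 3. Everything else that belongs to a known connection is accepted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. The initial packet of each connection decides which path it takes.
    for p in $queued; do
        $IPT -A FORWARD -p tcp --dport "$p" -m state --state NEW -j QUEUE
    done
    for p in $accepted; do
        $IPT -A FORWARD -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# Default invocation reproduces the ftp-but-not-http case from the thread.
queue_rules "${QUEUED_PORTS:-21}" "${HELPERS:-ftp}" "${ACCEPTED_PORTS:-80}"
```

On current kernels the same layout applies with `-m conntrack --ctstate` in place of `-m state --state` and `-j NFQUEUE --queue-num N` in place of the legacy `-j QUEUE` target, which is what snort_inline's successors read from.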