From: Geffrey V. [MINAG] <gve...@mi...> - 2004-07-01 20:29:19
> On Thursday 01 July 2004 21:56, Geffrey Velasquez [MINAG] wrote:
> > Excellent! Your script always has the ESTABLISHED and RELATED
> > states on top. I would like to see your frontend.
>
> It's not yet released, I'm in the process of registering a project
> with sourceforge. I think after my holiday I release it... 1 month
> or so?

Excellent, I need to do something like this... (web based). Maybe I could
help or grab some code from your project (if it is GPLd).

> > Another question (I'm new), I was testing with an Apache behind an
> > Iptables/Snort Inline Firewall, only with web-*.rules activated, and
> > triggered some cgi attacks. The attempt is dropped, but the Apache web
> > server doesn't know that the connection was dropped and maybe this could
> > lead to a DOS attack. How are you considering this case?
>
> I'm not sure if the entire connection is dropped or just the
> dangerous packets... (I'm also new to snort_inline ;-) Maybe you
> could use reject for this?

Only bad packets, it seems, but a DOS attack is still possible, for example
worms like the well remembered NIMDA and RED CODE. Reading the documentation,
snort_inline: drop, reject and sdrop tell iptables to DROP the packet, only
reset sends a TCP reset (maybe using flexresp)... but I haven't tested it
yet. Also the connection must be released from the connection state table
under DOS attacks...

> Regards,
> Victor
>
> > Regards,
> > Geffrey Velásquez
> >
> > ---------- Original Message -----------
> > From: Victor Julien <vi...@nk...>
> > To: sno...@li...
> > Sent: Thu, 1 Jul 2004 21:33:25 +0200
> > Subject: Re: [Snort-inline-users] using snort_inline for selected traffic
> > only (was: help with setting up iptables for use with snort_inline)
> >
> > > Good question. Not much I think. :-)
> > >
> > > The reason I do it like this is that the iptables frontend I'm
> > > writing creates the ESTABLISHED,RELATED first, and then based on a
> > > rulesfile the specific individual rules. So then I have only two
> > > RELATED,ESTABLISHED rules per chain (on top of course) for optimal
> > > performance. The frontend then dynamically creates mangle, nat and
> > > filter rules.
> > >
> > > The way you do it I would have to create an ESTABLISHED,RELATED for
> > > every service/rule I want to QUEUE.
> > >
> > > But for this example you are absolutely right!
> > >
> > > Regards,
> > > Victor
> > >
> > > Updated example:
> > >
> > > Question: I want to handle only selected traffic with snort_inline
> > >
> > > Answer:
> > > Say you want only smtp traffic to be handled by snort_inline, but
> > > not pop3.
> > >
> > > # the ESTABLISHED,RELATED for smtp
> > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
> > > # the ESTABLISHED,RELATED for the rest
> > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >
> > > # the initial rules
> > > iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > > iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> > >
> > > Question: I can now handle selected traffic, but I'm having troubles
> > > with protocols which use protocol handlers in iptables, like ftp.
> > >
> > > Answer: for this you need the 'helper' module. Say you want only ftp
> > > traffic to be handled by snort_inline, but not http.
> > >
> > > # the ESTABLISHED,RELATED for the helper ftp
> > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m helper --helper "ftp" -j QUEUE
> > > # the ESTABLISHED,RELATED for ftp connection on port 21
> > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 21 -j QUEUE
> > > # the ESTABLISHED,RELATED for the rest
> > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > >
> > > iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> > > iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
> > >
> > > The difference here is the helper module which makes sure that the
> > > connections that are handled by the ftp conntrack helper are also
> > > sent to the queue.
> > >
> > > On Thursday 01 July 2004 21:14, Geffrey Velasquez [MINAG] wrote:
> > > > Hi Victor, and what is the difference with this?:
> > > >
> > > > 1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
> > > > 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > 3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > > > 4. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> > > >
> > > > Saludos,
> > > > Geffrey Velásquez
> > > > Cel.: 9722-2705
> > > >
> > > > ---------- Original Message -----------
> > > > From: Victor Julien <vi...@nk...>
> > > > To: sno...@li...
> > > > Sent: Thu, 1 Jul 2004 19:53:28 +0200
> > > > Subject: [Snort-inline-users] using snort_inline for selected traffic
> > > > only (was: help with setting up iptables for use with snort_inline)
> > > >
> > > > > Hi list,
> > > > >
> > > > > I found the answer to my question (with the kind help of Antony
> > > > > Stone of the Netfilter list). I'd like to share it with you so others
> > > > > can use it as well. I've written it in the snort_inline faq format,
> > > > > so if you think it's useful please include it in your faq!
> > > > >
> > > > > Regards,
> > > > > Victor
> > > > >
> > > > > Question: I want to handle only selected traffic with snort_inline
> > > > >
> > > > > Answer: You can use the MARK target in iptables for this. Say you want
> > > > > only smtp traffic to be handled by snort_inline, but not pop3.
> > > > >
> > > > > 1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1
> > > > >
> > > > > 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > > > > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > >
> > > > > 4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > > > > 5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> > > > >
> > > > > Pop3 traffic is now first accepted in rule 5, and after that handled
> > > > > by rule 3.
> > > > >
> > > > > The smtp traffic is now first QUEUE'd by rule 4, after that marked
> > > > > in rule 1 so it can be picked up by the 2nd rule.
> > > > >
> > > > > Question: I can now handle selected traffic, but I'm having troubles
> > > > > with protocols which use protocol handlers in iptables, like ftp.
> > > > >
> > > > > Answer: for this you need the 'helper' module. Say you want only ftp
> > > > > traffic to be handled by snort_inline, but not http.
> > > > >
> > > > > 1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
> > > > > 2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1
> > > > >
> > > > > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > > > > 4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > >
> > > > > 5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> > > > > 6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
> > > > >
> > > > > The difference here is the second rule which makes sure that the
> > > > > connections that are handled by the ftp conntrack helper are also
> > > > > sent to the queue.
> > > > >
> > > > > -------------------------------------------------------
> > > > > This SF.Net email sponsored by Black Hat Briefings & Training.
> > > > > Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> > > > > digital self defense, top technical experts, no vendor pitches,
> > > > > unmatched networking opportunities. Visit www.blackhat.com
> > > > > _______________________________________________
> > > > > Snort-inline-users mailing list
> > > > > Sno...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > > > ------- End of Original Message -------
> > ------- End of Original Message -------
------- End of Original Message -------
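The rulesets quoted in this thread all rely on iptables' first-match evaluation: the per-service ESTABLISHED,RELATED rules have to sit above the catch-all ESTABLISHED,RELATED ACCEPT, otherwise the second packet of an smtp connection is accepted by iptables and never reaches snort_inline. The following is an added example, not code from the list thread or the snort_inline project: a small simulator of the FORWARD chain that models only the matches the thread uses (-p, --dport, -m state, -m helper) and reports which sample packets end in QUEUE and which in ACCEPT. The Packet and Rule classes and every packet value below are constructed for illustration.

```python
"""First-match simulator for the FORWARD-chain rulesets discussed on the
snort_inline list.  Added example: the classes and sample packets are
constructed here and are not part of the original mail thread."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp" / "udp"
    dport: int                    # destination port, as matched by --dport
    state: str                    # conntrack state: NEW / ESTABLISHED / RELATED
    helper: Optional[str] = None  # conntrack helper owning the flow, e.g. "ftp"


@dataclass(frozen=True)
class Rule:
    target: str                              # QUEUE (to snort_inline) or ACCEPT
    proto: Optional[str] = None              # -p
    dport: Optional[int] = None              # --dport
    states: Optional[FrozenSet[str]] = None  # -m state --state A,B
    helper: Optional[str] = None             # -m helper --helper "ftp"

    def matches(self, p: Packet) -> bool:
        # Every match given on the rule must hold; omitted matches are wildcards.
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.helper is not None and p.helper != self.helper:
            return False
        return True


ER = frozenset({"ESTABLISHED", "RELATED"})
NEW = frozenset({"NEW"})


def evaluate(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


def smtp_only_chain() -> List[Rule]:
    """The state-based ruleset from the thread: smtp queued, pop3 untouched."""
    return [
        Rule("QUEUE", proto="tcp", dport=25, states=ER),   # ESTABLISHED,RELATED for smtp
        Rule("ACCEPT", states=ER),                         # ESTABLISHED,RELATED for the rest
        Rule("QUEUE", proto="tcp", dport=25, states=NEW),  # initial smtp packet
        Rule("ACCEPT", proto="tcp", dport=110, states=NEW),
    ]


def ftp_only_chain() -> List[Rule]:
    """The helper-module variant: ftp control and helper-tracked data queued, http not."""
    return [
        Rule("QUEUE", states=ER, helper="ftp"),            # -m helper --helper "ftp"
        Rule("QUEUE", proto="tcp", dport=21, states=ER),
        Rule("ACCEPT", states=ER),
        Rule("QUEUE", proto="tcp", dport=21, states=NEW),
        Rule("ACCEPT", proto="tcp", dport=80, states=NEW),
    ]


def misordered_chain() -> List[Rule]:
    """Same rules as smtp_only_chain(), but the catch-all ESTABLISHED,RELATED
    ACCEPT moved to the top: every later smtp packet then bypasses the IPS."""
    c = smtp_only_chain()
    return [c[1], c[0], c[2], c[3]]


def trace(chain: List[Rule], packets: List[Packet]) -> Dict[Packet, str]:
    """Verdict for each sample packet under the given chain."""
    return {p: evaluate(chain, p) for p in packets}


if __name__ == "__main__":
    sample = [  # constructed sample flows
        Packet("tcp", 25, "NEW"), Packet("tcp", 25, "ESTABLISHED"),
        Packet("tcp", 110, "NEW"), Packet("tcp", 110, "ESTABLISHED"),
    ]
    for name, chain in (("correct order", smtp_only_chain()),
                        ("catch-all on top", misordered_chain())):
        print(name)
        for p, verdict in trace(chain, sample).items():
            print(f"  {p.proto}/{p.dport} {p.state:<11} -> {verdict}")
```

Running it shows the smtp ESTABLISHED packet landing in QUEUE under the correct order and in ACCEPT when the catch-all is on top, which is exactly the ordering point the thread makes. The simulator keys on the destination port just as the quoted rules do; it does not model the reply direction of a flow or the MARK/mangle variant, so treat it as a reading aid for rule order, not a substitute for testing the real ruleset.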