From: Victor J. <vi...@nk...> - 2004-07-02 12:44:15
On Thursday 01 July 2004 22:28, Geffrey Velasquez [MINAG] wrote:
> > On Thursday 01 July 2004 21:56, Geffrey Velasquez [MINAG] wrote:
> > > Excellent! Your script always has the ESTABLISHED and RELATED
> > > states on top. I would like to see your frontend.
> >
> > It's not yet released, I'm in the process of registering a project
> > with SourceForge. I think after my holiday I'll release it... 1 month
> > or so?
>
> Excellent, I need to do something like this... (web based). Maybe I could
> help or grab some code from your project (if it is GPLd).

It's not web-based... it is basically split in two... a middle piece which
converts humanly readable rules to iptables rules and a frontend in ncurses.
I am now writing a network server and a friend is writing a graphical
Java client, so it can be administered from windoze...

> > > Another question (I'm new). I was testing with an Apache behind an
> > > Iptables/Snort Inline firewall, only with web-*.rules activated, and
> > > triggered some cgi attacks. The attempt is dropped, but the Apache web
> > > server doesn't know that the connection was dropped and maybe this could
> > > lead to a DOS attack. How are you considering this case?
> >
> > I'm not sure if the entire connection is dropped or just the
> > dangerous packets... (I'm also new to snort_inline ;-) Maybe you
> > could use reject for this?
>
> Only bad packets, it seems, but a DOS attack is still possible, for example
> worms like the well remembered NIMDA and RED CODE.
>
> Reading the documentation, snort_inline: drop, reject and sdrop tell
> iptables to DROP the packet, only reset sends a TCP reset (maybe using
> flexresp)... but I haven't tested it yet.
> Also the connection must be released from the connection state table under
> DOS attacks...

I think that if snort_inline tells iptables that it has dropped or rejected a
connection it will be removed from the state table as well. But I'm not
sure...
Regards,
Victor

> > Regards,
> > Victor
> >
> > > Regards,
> > > Geffrey Velásquez
> > >
> > >
> > > ---------- Original Message -----------
> > > From: Victor Julien <vi...@nk...>
> > > To: sno...@li...
> > > Sent: Thu, 1 Jul 2004 21:33:25 +0200
> > > Subject: Re: [Snort-inline-users] using snort_inline for selected
> > > traffic only (was: help with setting up iptables for use with
> > > snort_inline)
> > >
> > > > Good question. Not much I think. :-)
> > > >
> > > > The reason I do it like this is that the iptables frontend I'm
> > > > writing creates the ESTABLISHED,RELATED first, and then based on a
> > > > rules file the specific individual rules. So then I have only two
> > > > RELATED,ESTABLISHED rules per chain (on top of course) for optimal
> > > > performance. The frontend then dynamically creates mangle, nat and
> > > > filter rules.
> > > >
> > > > The way you do it I would have to create an ESTABLISHED,RELATED for
> > > > every service/rule I want to QUEUE.
> > > >
> > > > But for this example you are absolutely right!
> > > >
> > > > Regards,
> > > > Victor
> > > >
> > > > Updated example:
> > > >
> > > > Question: I want to handle only selected traffic with snort_inline
> > > >
> > > > Answer:
> > > > Say you want only smtp traffic to be handled by snort_inline, but
> > > > not pop3.
> > > >
> > > > # the ESTABLISHED,RELATED for smtp
> > > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
> > > > # the ESTABLISHED,RELATED for the rest
> > > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > >
> > > > # the initial rules
> > > > iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > > > iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> > > >
> > > > Question: I can now handle selected traffic, but I'm having trouble
> > > > with protocols which use protocol handlers in iptables, like ftp.
> > > >
> > > > Answer: for this you need the 'helper' module. Say you want only ftp
> > > > traffic to be handled by snort_inline, but not http.
> > > >
> > > > # the ESTABLISHED,RELATED for the helper ftp
> > > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m helper --helper "ftp" -j QUEUE
> > > > # the ESTABLISHED,RELATED for ftp connection on port 21
> > > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 21 -j QUEUE
> > > > # the ESTABLISHED,RELATED for the rest
> > > > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > >
> > > > iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> > > > iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
> > > >
> > > > The difference here is the helper module which makes sure that the
> > > > connections that are handled by the ftp conntrack helper are also
> > > > sent to the queue.
> > > >
> > > > On Thursday 01 July 2004 21:14, Geffrey Velasquez [MINAG] wrote:
> > > > > Hi Victor, and what is the difference with this?:
> > > > >
> > > > > 1. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -p tcp --dport 25 -j QUEUE
> > > > > 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > > 3. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > > > > 4. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> > > > >
> > > > >
> > > > > Regards,
> > > > > Geffrey Velásquez
> > > > > Cel.: 9722-2705
> > > > >
> > > > > ---------- Original Message -----------
> > > > > From: Victor Julien <vi...@nk...>
> > > > > To: sno...@li...
> > > > > Sent: Thu, 1 Jul 2004 19:53:28 +0200
> > > > > Subject: [Snort-inline-users] using snort_inline for selected
> > > > > traffic only (was: help with setting up iptables for use with
> > > > > snort_inline)
> > > > >
> > > > > > Hi list,
> > > > > >
> > > > > > I found the answer to my question (with the kind help of Antony
> > > > > > Stone of the Netfilter list). I'd like to share it with you so
> > > > > > others can use it as well. I've written it in the snort_inline
> > > > > > FAQ format, so if you think it's useful please include it in
> > > > > > your FAQ!
> > > > > >
> > > > > > Regards,
> > > > > > Victor
> > > > > >
> > > > > > Question: I want to handle only selected traffic with
> > > > > > snort_inline
> > > > > >
> > > > > > Answer: You can use the MARK target in iptables for this. Say you
> > > > > > want only smtp traffic to be handled by snort_inline, but not
> > > > > > pop3.
> > > > > >
> > > > > > 1. iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 0x1
> > > > > >
> > > > > > 2. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > > > > > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > > >
> > > > > > 4. iptables -A FORWARD -p tcp --dport 25 -m state --state NEW -j QUEUE
> > > > > > 5. iptables -A FORWARD -p tcp --dport 110 -m state --state NEW -j ACCEPT
> > > > > >
> > > > > > Pop3 traffic is now first accepted in rule 5, and after that
> > > > > > handled by rule 3.
> > > > > >
> > > > > > The smtp traffic is now first QUEUE'd by rule 4, after that
> > > > > > marked in rule 1 so it can be picked up by the 2nd rule.
> > > > > >
> > > > > > Question: I can now handle selected traffic, but I'm having
> > > > > > trouble with protocols which use protocol handlers in iptables,
> > > > > > like ftp.
> > > > > >
> > > > > > Answer: for this you need the 'helper' module. Say you want only
> > > > > > ftp traffic to be handled by snort_inline, but not http.
> > > > > >
> > > > > > 1. iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 0x1
> > > > > > 2. iptables -t mangle -A FORWARD -m helper --helper "ftp" -j MARK --set-mark 0x1
> > > > > >
> > > > > > 3. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -m mark --mark 0x1 -j QUEUE
> > > > > > 4. iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > > >
> > > > > > 5. iptables -A FORWARD -p tcp --dport 21 -m state --state NEW -j QUEUE
> > > > > > 6. iptables -A FORWARD -p tcp --dport 80 -m state --state NEW -j ACCEPT
> > > > > >
> > > > > > The difference here is the second rule which makes sure that the
> > > > > > connections that are handled by the ftp conntrack helper are also
> > > > > > sent to the queue.
> > > > > >
> > > > > > -------------------------------------------------------
> > > > > > This SF.Net email sponsored by Black Hat Briefings & Training.
> > > > > > Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> > > > > > digital self defense, top technical experts, no vendor pitches,
> > > > > > unmatched networking opportunities. Visit www.blackhat.com
> > > > > > _______________________________________________
> > > > > > Snort-inline-users mailing list
> > > > > > Sno...@li...
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > > > >
> > > > > ------- End of Original Message -------
> > >
> > > ------- End of Original Message -------
>
> ------- End of Original Message -------
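The ordering argument running through the thread (the service-specific ESTABLISHED,RELATED QUEUE rule must sit above the generic ESTABLISHED,RELATED ACCEPT, and FTP needs the helper match because the data channel is a different port) is easy to get wrong by one line, so here is an added Python model of iptables first-match evaluation that checks it. This is example code, not code from the list, from snort_inline or from netfilter: the Packet and Rule classes, the bypassing_packets helper, the flows and the hypothetical passive-FTP data port 45123 are all constructed here, and the model covers only the matches the thread's rules use (conntrack state, helper, protocol, destination port), not the rest of netfilter.

```python
# Added example: a first-match model of the FORWARD chain used to check
# which packets of a flow reach QUEUE (snort_inline) and which are ACCEPTed
# without inspection.  Not netfilter; all flows and ports are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                     # "tcp" or "udp"
    dport: int
    state: str                     # conntrack state: NEW, ESTABLISHED or RELATED
    helper: Optional[str] = None   # conntrack helper attached to the flow, e.g. "ftp"


@dataclass(frozen=True)
class Rule:
    target: str                              # QUEUE or ACCEPT
    states: FrozenSet[str] = frozenset()     # -m state --state ...; empty = any
    proto: Optional[str] = None              # -p
    dport: Optional[int] = None              # --dport
    helper: Optional[str] = None             # -m helper --helper

    def matches(self, p: Packet) -> bool:
        return ((not self.states or p.state in self.states)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.helper is None or p.helper == self.helper))

    def to_iptables(self, chain: str = "FORWARD") -> str:
        """Render the rule as the iptables command it models."""
        parts = ["iptables", "-A", chain]
        if self.states:
            parts += ["-m", "state", "--state", ",".join(sorted(self.states))]
        if self.helper:
            parts += ["-m", "helper", "--helper", self.helper]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        return " ".join(parts + ["-j", self.target])


def verdict(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy


def bypassing_packets(chain: List[Rule], flow: List[Packet]) -> List[Packet]:
    """Packets of a flow that never reach QUEUE, i.e. that snort_inline never sees."""
    return [p for p in flow if verdict(chain, p) != "QUEUE"]


ER, NEW = frozenset({"ESTABLISHED", "RELATED"}), frozenset({"NEW"})

# The smtp/pop3 ordering from the thread.
SMTP_CHAIN = [
    Rule("QUEUE", ER, "tcp", 25),
    Rule("ACCEPT", ER),
    Rule("QUEUE", NEW, "tcp", 25),
    Rule("ACCEPT", NEW, "tcp", 110),
]
# The same rules with the generic ESTABLISHED,RELATED ACCEPT moved above the smtp one.
SMTP_CHAIN_GENERIC_FIRST = [SMTP_CHAIN[1], SMTP_CHAIN[0], SMTP_CHAIN[2], SMTP_CHAIN[3]]

# The ftp/http ordering from the thread, with and without the helper rule.
FTP_CHAIN = [
    Rule("QUEUE", ER, helper="ftp"),
    Rule("QUEUE", ER, "tcp", 21),
    Rule("ACCEPT", ER),
    Rule("QUEUE", NEW, "tcp", 21),
    Rule("ACCEPT", NEW, "tcp", 80),
]
FTP_CHAIN_NO_HELPER = [r for r in FTP_CHAIN if r.helper is None]

# Constructed flows.  An SMTP session: the SYN is NEW, everything after is ESTABLISHED.
SMTP_FLOW = [Packet("tcp", 25, "NEW"), Packet("tcp", 25, "ESTABLISHED")]
# A passive-mode FTP session: control channel on 21 with the ftp helper attached,
# then a data channel on a hypothetical high port.  Its first packet is RELATED
# because the helper expected it; later packets are ESTABLISHED.
FTP_FLOW = [
    Packet("tcp", 21, "NEW", helper="ftp"),
    Packet("tcp", 21, "ESTABLISHED", helper="ftp"),
    Packet("tcp", 45123, "RELATED", helper="ftp"),
    Packet("tcp", 45123, "ESTABLISHED", helper="ftp"),
]

if __name__ == "__main__":
    for name, chain, flow in [("smtp", SMTP_CHAIN, SMTP_FLOW),
                              ("smtp, generic ACCEPT first", SMTP_CHAIN_GENERIC_FIRST, SMTP_FLOW),
                              ("ftp", FTP_CHAIN, FTP_FLOW),
                              ("ftp without helper rule", FTP_CHAIN_NO_HELPER, FTP_FLOW)]:
        print(f"{name}: not seen by snort_inline -> {bypassing_packets(chain, flow)}")
```

With the thread's ordering no packet of either flow escapes the queue; with the generic ACCEPT swapped above the smtp rule every packet after the SYN is accepted unseen, and without the helper rule the whole FTP data channel is accepted unseen. That is the practical reason the ESTABLISHED,RELATED QUEUE rules have to stay on top.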