From: Will M. <wil...@gm...> - 2004-09-13 17:22:09
I develop snort_inline on Debian Linux. If I remember correctly, there is a
problem with the QUEUE target in RH 7.3 that was fixed with an iptables
p-o-m. As for a simple bridging script, you might be able to use something
like this.

#!/bin/sh
# Transparent bridge for snort_inline: br0 joins eth0 and eth1, and every
# packet crossing the bridge is handed to the iptables QUEUE target so that
# snort_inline (started with -Q) can pass or drop it.

case "$1" in
  start)
        echo -n "starting bridge"
        #BRIDGE SETUP
        echo setting up bridge
        /usr/local/sbin/brctl addbr br0
        /usr/local/sbin/brctl addif br0 eth0
        /usr/local/sbin/brctl addif br0 eth1
        /usr/local/sbin/brctl stp br0 off
        # management address for the bridge itself ("-a" removed: it only
        # lists interfaces and does not belong in an address assignment)
        /sbin/ifconfig br0 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
        /sbin/route add default gw 192.168.1.1
        #stealth bridge uncomment line below
        #/sbin/ifconfig br0 0.0.0.0
        /sbin/ifconfig br0 up
        sleep 10
        #SETUP IPTABLES RULES
        # default-deny FORWARD, then queue everything to userspace; packets
        # queued while no snort_inline -Q is listening are dropped
        /usr/local/sbin/iptables -F FORWARD
        /usr/local/sbin/iptables -P FORWARD DROP
        /usr/local/sbin/iptables -A FORWARD -j QUEUE
        sleep 3
        echo
        ;;
  stop)
        echo -n "Stopping IPS STUFF: ("
        /usr/local/sbin/brctl delif br0 eth0
        /usr/local/sbin/brctl delif br0 eth1
        /sbin/ifconfig br0 down
        /usr/local/sbin/brctl delbr br0
        /usr/local/sbin/iptables -F FORWARD
        /usr/local/sbin/iptables -P FORWARD ACCEPT
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        # "status" is a Red Hat init-functions helper and is not defined in
        # this script; show the bridge and the FORWARD chain directly instead
        /usr/local/sbin/brctl show
        /usr/local/sbin/iptables -L FORWARD -n
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac
exit 0

On Mon, 13 Sep 2004 11:16:56 -0500, Eric Hines <eri...@ap...> wrote:
> List:
>
> I have several questions regarding Snort-Inline and hope someone may be
> able to answer a few, if not all:
>
> 1) Does anyone know of any newer operating system distros that have the
> ebtables/bridging firewall patch implemented into the default kernel
> other than Redhat 7.3 (e.g. Fedora or other Linux distros) that would
> not require additional patching of the kernel.
>
> 2) We are troubleshooting connectivity issues with a Redhat 7.3
> installation of the latest 2.1.3 Snort-Inline release. Can anyone
> provide a list of troubleshooting steps they take when connectivity
> becomes an issue? I'm using the RC.FIREWALL script provided on
> honeynet.org. If anyone can look at the below and let me know if they
> see anything I've missed, that would be great!:
>
> a) I've made sure ipqueue is loaded with lsmod
> b) I've made sure the rc.firewall script started with no errors
> c) I've made sure snort_inline was running with -Q
> d) I've made sure the 2 interfaces have been bridged and the right
> cat5 cables are plugged in to the appropriate NIC.
> e) I've modified the rc.firewall script to make everything that has
> DROP set, set to ALLOW.
>
> 3) In both customer and internal deployments of Snort-Inline, we
> continue to use the rc.firewall script from Honeynet even though all
> deployments have not been for honeynets, rather, just a perimeter IPS.
> The rc.firewall script is geared towards honeynet deployments. Does
> anyone know of a different rc script that has been made for non-honeynet
> deployments that is geared more towards just setting up a bridged
> snort-inline box that does not do any firewalling and simply passes the
> traffic straight through the IPS -- none of the fancy ipfilter rules,
> just ALLOW all rules. For the interim, an ugly hack we've done is to
> simply do a search/replace on the DROP keyword in the rc.firewall script
> to ALLOW. I'm sure there has got to be someone on this list that has done
> an Enterprise deployment of Snort-Inline and relied on their already
> deployed firewalls to handle firewalling and wanted the snort-inline
> bridge to simply pass all traffic in/out.
>
> Someone please advise on any one of these item #s.
>
> --
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, Inc.
> 1134 N. Main St.
> Algonquin, IL 60102
> Direct: (877) 262-7593 x327
> http://www.appliedwatch.com
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
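Added example, not part of the thread above and not snort_inline's own tooling: a small POSIX sh checker that turns the connectivity checklist in Eric's mail (ip_queue loaded, interfaces bridged, FORWARD handed to QUEUE, snort_inline running with -Q) into functions that each take a command's output as text. Run with --live it queries the real system (lsmod, brctl show, iptables-save, ps ax; root needed for iptables-save); otherwise it runs against constructed sample outputs embedded below. The interface names br0/eth0/eth1 and the sample module sizes, PIDs and bridge id are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: sanity checks for a bridged snort_inline box whose FORWARD
# chain hands traffic to the iptables QUEUE target. Each check_* takes the
# output of one command as $1 so the logic can be tested offline.

# 1) ip_queue (the kernel side of the QUEUE target) must be loaded.
check_ip_queue() {
    printf '%s\n' "$1" | grep -q '^ip_queue[[:space:]]'
}

# 2) The bridge must exist and carry both monitored interfaces. brctl show
#    prints the first port on the bridge's line and further ports on
#    continuation lines, so collect every port before testing.
check_bridge_ports() {
    bridge=$1; ifa=$2; ifb=$3; out=$4
    ports=$(printf '%s\n' "$out" | awk -v br="$bridge" '
        $1 == br { print $NF; found = 1; next }
        found && NF == 1 { print $1 }
        found && NF > 1 { found = 0 }')
    printf '%s\n' "$ports" | grep -qx "$ifa" &&
    printf '%s\n' "$ports" | grep -qx "$ifb"
}

# 3) iptables-save output: FORWARD policy DROP and a rule sending to QUEUE.
check_forward_queue() {
    printf '%s\n' "$1" | grep -q '^:FORWARD DROP' &&
    printf '%s\n' "$1" | grep -q '^-A FORWARD -j QUEUE$'
}

# 4) A snort_inline process started with -Q must be reading the queue;
#    without it, every queued packet is dropped and the bridge goes dark.
check_snort_inline_q() {
    printf '%s\n' "$1" | grep snort_inline | grep -v grep | grep -q -- ' -Q'
}

# Run all checks against the supplied outputs; print one line per check and
# return the number of failures (0 = bridge should be passing traffic).
run_checks() {
    fails=0
    if check_ip_queue "$1"; then echo "ok   ip_queue loaded"
    else echo "FAIL ip_queue not loaded (modprobe ip_queue)"; fails=$((fails + 1)); fi
    if check_bridge_ports br0 eth0 eth1 "$2"; then echo "ok   br0 bridges eth0 and eth1"
    else echo "FAIL br0 missing or not bridging eth0 and eth1"; fails=$((fails + 1)); fi
    if check_forward_queue "$3"; then echo "ok   FORWARD policy DROP, traffic sent to QUEUE"
    else echo "FAIL FORWARD chain does not hand traffic to QUEUE"; fails=$((fails + 1)); fi
    if check_snort_inline_q "$4"; then echo "ok   snort_inline running with -Q"
    else echo "FAIL no snort_inline -Q reading the queue: queued packets are dropped"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed sample outputs (assumed values, not captured from a real box).
SAMPLE_LSMOD='Module                  Size  Used by
ip_queue                9452  1
bridge                 45412  0
ip_tables              15620  2 ip_queue'
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29aabbcc       no              eth0
                                                        eth1'
SAMPLE_IPT='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j QUEUE
COMMIT'
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
 1234 ?        Ss     0:01 snort_inline -Q -D -c /etc/snort_inline/snort_inline.conf'
BROKEN_PS='  PID TTY      STAT   TIME COMMAND
 1234 ?        Ss     0:00 /sbin/syslogd'

if [ "$1" = "--live" ]; then
    run_checks "$(lsmod)" "$(brctl show)" "$(iptables-save)" "$(ps ax)"
else
    echo "== constructed sample: healthy box"
    run_checks "$SAMPLE_LSMOD" "$SAMPLE_BRCTL" "$SAMPLE_IPT" "$SAMPLE_PS"
    echo "== constructed sample: snort_inline not running"
    run_checks "$SAMPLE_LSMOD" "$SAMPLE_BRCTL" "$SAMPLE_IPT" "$BROKEN_PS" || echo "failures: $?"
fi
```

The last check is the one that most often explains a dead bridge: with FORWARD sent to QUEUE, the kernel drops anything nobody in userspace claims, so a stopped or mis-started snort_inline looks exactly like a cabling or bridging fault.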