From: James A. P. <ja...@pc...> - 2004-12-03 00:07:52

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

William Metcalf wrote:
| Disable stream4 and stream4_reassemble and try again. We currently don't
| drop on alerts generated from the http_inspect preproc so if you add the
| no_alerts line you should be fine.

I finally got around to testing this onsite and it works now! Thanks.

Now to get a better grasp on the variables so that False Positive rule
hits get eliminated. :)

| Regards,
|
| Will
|
| "James A. Pattie" <ja...@pc...>
| Sent by: sno...@li...
| 11/18/2004 05:56 PM
|
| To: sno...@li...
| Subject: Re: [Snort-inline-users] snort-inline 2.2.0a issue after
| upgrading from 2.1.1
|
| William Metcalf wrote:
| | Try using the state tracking mechanisms we built into 2.2.0a. We
| | accomplished this by using marks in iptables and arguments to stream4.
| | Something like:
| |
| | /usr/local/sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
| | /usr/local/sbin/iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
| | /usr/local/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
| | /usr/local/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
| | /usr/local/sbin/iptables -I FORWARD -p udp -j QUEUE
| | /usr/local/sbin/iptables -I FORWARD -p icmp -j QUEUE
| |
| | And then modify the stream4 line to read:
| |
| | preprocessor stream4: disable_evasion_alerts, iptablesnewmark, iptablesestmark, forceiptstate
| | preprocessor stream4_reassemble: both
|
| I was hoping to not have to use the new iptables stuff since I'm
| currently using my PCXFirewall code (http://pcxfirewall.sf.net/) and my
| firewall frontend doesn't support specifying custom marks yet.
|
| Shouldn't the old way still work fine? If so, were the old stream4,
| stream4_reassemble preprocessor entries correct for 2.2.0a?
|
| | In addition I don't see anything in your conf regarding http_inspect, if
| | you are going to be matching rules that have uricontent in them you are
| | going to need the following.
| |
| | preprocessor http_inspect: global \
| |     iis_unicode_map unicode.map 1252
| |
| | preprocessor http_inspect_server: server default \
| |     profile all ports { 80 8080 8180 } oversize_dir_length 500 \
| |     no_alerts
|
| I had added that in from the newer config file and after updating to the
| 2.2 series rules I started seeing a bunch of http drops in regards to
| unknown protocol and DOUBLE ENCODE (or something similar - from memory)
| hits, which I had not seen using the 2.1.1 codebase.

- --
James A. Pattie
ja...@pc...
Linux -- SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/
http://www.pcxperience.org/
GPG Key Available at http://www.pcxperience.com/gpgkeys/james.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBr64ftUXjwPIRLVERAgv5AJ4xM4hh162k/tVFQnwsVr8sMBq6WgCguxnv
hEJuRgiLVIk7wEWf7WU+FAA=
=LXlh
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.
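The mark-and-queue setup quoted in the thread couples iptables connection tracking to stream4 through the mark values: mangle marks NEW and ESTABLISHED TCP differently, filter queues by mark, and stream4 is told which marks to trust. A mismatch (a mark that is set but never queued, a MARK rule placed outside mangle, two states sharing a mark) silently breaks that coupling. The Python below is an added example, not code from the thread or from snort-inline; it parses a rule set and a stream4 line of that shape and reports such mismatches. The pairing of iptablesnewmark with state NEW and iptablesestmark with state ESTABLISHED, and the mark values 1 and 2, are assumptions taken from the quoted rules, not from snort-inline documentation.

```python
"""Check that an iptables mark-and-queue rule set and a snort-inline stream4
line agree on which connection states are marked and queued.

Added example, not code from the thread or from snort-inline. The pairing of
iptablesnewmark with state NEW and iptablesestmark with state ESTABLISHED is
assumed from the rule set quoted in the thread.
"""
import shlex

# Sample input: the rule set and stream4 line as quoted in the thread.
IPTABLES_RULES = """
/usr/local/sbin/iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
/usr/local/sbin/iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
/usr/local/sbin/iptables -I FORWARD -m mark --mark 1 -j QUEUE
/usr/local/sbin/iptables -I FORWARD -m mark --mark 2 -j QUEUE
/usr/local/sbin/iptables -I FORWARD -p udp -j QUEUE
/usr/local/sbin/iptables -I FORWARD -p icmp -j QUEUE
"""

STREAM4_LINE = ("preprocessor stream4: disable_evasion_alerts, iptablesnewmark, "
                "iptablesestmark, forceiptstate")

# stream4 option -> conntrack state it expects to find marked (assumed pairing).
OPTION_STATE = {"iptablesnewmark": "NEW", "iptablesestmark": "ESTABLISHED"}


def parse_rule(line):
    """Reduce one iptables command line to the fields the check needs."""
    argv = shlex.split(line)
    rule = {"table": "filter", "chain": None, "target": None,
            "set_mark": None, "match_mark": None, "state": None}
    i = 1                                   # argv[0] is the iptables binary
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok == "-t":
            rule["table"] = nxt
        elif tok in ("-A", "-I"):
            rule["chain"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
        elif tok == "--state":
            rule["state"] = nxt
        elif tok in ("--set-mark", "--mark"):
            # accept a plain "2" as well as the "2/0xff" value/mask form
            key = "set_mark" if tok == "--set-mark" else "match_mark"
            rule[key] = int(nxt.split("/")[0], 0)
        else:
            i += 1                          # -m, -p, --syn and their values: not needed
            continue
        i += 2
    return rule


def stream4_options(line):
    """Option names from a 'preprocessor stream4: a, b value, c' line."""
    opts = line.partition(":")[2]
    return [o.split()[0] for o in opts.split(",") if o.strip()]


def check_state_tracking(rules_text, stream4_line):
    """Return a list of problems; an empty list means marks and stream4 agree."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    problems = []
    marked, queued = {}, set()              # state -> mark ; marks sent to QUEUE
    for r in rules:
        if r["target"] == "MARK":
            # MARK was only accepted in the mangle table on kernels of that era,
            # and mangle FORWARD is traversed before filter FORWARD, which is why
            # the mark is already set when the QUEUE rules look at it.
            if r["table"] != "mangle":
                problems.append(f"MARK for state {r['state']} is in table "
                                f"{r['table']}, not mangle")
            marked[r["state"]] = r["set_mark"]
        elif r["target"] == "QUEUE" and r["match_mark"] is not None:
            queued.add(r["match_mark"])
    if len(set(marked.values())) != len(marked):
        problems.append(f"different states share a mark value: {marked}")
    for opt in stream4_options(stream4_line):
        state = OPTION_STATE.get(opt)
        if state is None:
            continue                        # option unrelated to marking
        mark = marked.get(state)
        if mark is None:
            problems.append(f"{opt} is set but no MARK rule covers state {state}")
        elif mark not in queued:
            problems.append(f"{opt}: state {state} carries mark {mark}, "
                            f"which is never sent to QUEUE")
    return problems


if __name__ == "__main__":
    for p in check_state_tracking(IPTABLES_RULES, STREAM4_LINE) or ["marks and stream4 agree"]:
        print(p)
```

Run it against the commands your firewall frontend actually emits rather than the hand-written list; the point of the check is to catch a frontend that regenerates the FORWARD chain without the mark rules, which is exactly the situation described in the thread.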