From: Alberto Z. <al...@in...> - 2007-07-19 21:09:34
I'm a newbie, but I didn't find any help in previous messages. I just compiled snort_inline 2.6.1.5 on a Gentoo Linux server using the howto at http://linuxgazette.net/117/savage.html, downloaded the rules via oinkmaster and substituted all "alert" with "drop", but snort doesn't drop any packet, it only alerts. The strange thing is the rule application order, where the pass rule is just before the drop rule, like a startup with the -o flag. The server uses hardened sources and SELinux. Can you help me please?

Thanks,
Alberto

linux # /usr/local/bin/snort_inline -Qv -c /etc/snort_inline/snort_inline.conf
Reading from iptables
Running in IDS mode
Initializing Inline mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'eth1_ADDRESS' defined, value len = 30 chars, value = 87.238.232.224/255.255.255.240
Var 'eth2_ADDRESS' defined, value len = 28 chars, value = 87.238.232.0/255.255.255.128
Var 'eth3_ADDRESS' defined, value len = 30 chars, value = 87.238.232.136/255.255.255.252
Var 'eth4_ADDRESS' defined, value len = 30 chars, value = 87.238.232.140/255.255.255.252
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'HONEYNET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
Var 'AIM_SERVERS' defined, value len = 185 chars [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 28 chars, value = /etc/snort_inline/drop-rules
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
truncating mode enabled
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 3600 seconds
    Session memory cap: 134217728 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: ACTIVE and DROPPING
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): Yes
        Scan mode? (scan_stream_only): Both packet and stream
        Sliding Windowsize (window_size): 3000
        Memcap reached method (truncate): Truncate
        Truncate percentage (truncate_percentage): 33
        Store/Load state from/to disk: No
        Max out-of-order packets in a stream (max_ooo_pkts): 5
        Max out-of-order bytes in a stream (max_ooo_bytes): 5000
        Max sequence holes in a stream (max_seq_holes): 2
        Normalize wscale max (norm_wscale_max): 2
        Perform window scale normaliztion: Yes
        Disable out-of-order packet drop: No
        Disable out-of-order packet drop: No
        Disable sequence hole packet drop: No
        Max sequence holes in a stream (max_seq_holes): 2
        Disable wscale normalization alerts (disable_norm_wscale_alerts): No
        Disable out-of-order alerts (disable_ooo_alerts): No
        Drop bad RST packets? (drop_bad_rst): No
        Disable evasive retransmission packet drop: No
        Disable out-of-window packet drop: No
        Disable all protocol violation drops: No
WARNING /etc/snort_inline/snort_inline.conf(368) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor New Packet
    Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900
6152 Snort rules read...
6152 Option Chains linked into 185 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
Tagged Packet Limit: 256
InitInline stage 2: InitInlinePostConfig starting...

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1      sig-id=2275      type=Threshold tracking=dst count=5   seconds=60
| gen-id=1      sig-id=5321      type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=3273      type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=3527      type=Limit     tracking=dst count=5   seconds=60
| gen-id=1      sig-id=4984      type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2923      type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=3152      type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2523      type=Both      tracking=dst count=10  seconds=10
| gen-id=1      sig-id=5323      type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=5322      type=Limit     tracking=src count=1   seconds=60
| gen-id=1      sig-id=3543      type=Threshold tracking=src count=5   seconds=2
| gen-id=1      sig-id=2924      type=Threshold tracking=dst count=10  seconds=60
| gen-id=1      sig-id=3542      type=Threshold tracking=src count=5   seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25
    Inspection Type: STATEFUL
    Normalize Spaces: YES
    Ignore Data: NO
    Ignore TLS Data: NO
    Ignore Alerts: NO
    Max Command Length: 0
    Max Header Line Length: 0
    Max Response Line Length: 0
    X-Link2State Alert: YES
    Drop on X-Link2State Alert: NO
DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED
DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
50 out of 512 flowbits in use.
Setting the Packet Processor to decode packets from iptables
database: compiled support for ( postgresql )
database: configured to use postgresql
database: user = snort
database: password is set
database: database name = snort_log
database: host = localhost
Node unique name is: unknown:NULL
database: sensor name = unknown:NULL
database: sensor id = 2
database: schema version = 107
database: using the "log" facility
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size    : 256 Chars
| Sizeof State     : 2 bytes
| Storage Format   : Full
| Num States       : 103504
| Num Transitions  : 4125009
| State Density    : 15.6%
| Finite Automatum : DFA
| Memory           : 163.78Mbytes
+-------------------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort_Inline! <*-
  o"  )~   Version 2.6.1.5 (Build 59) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness, Dave Remien, Rob McMillen and Jed Haile
           (C) Copyright 1998-2007 Sourcefire Inc., et al.
           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
Not Using PCAP_FRAMES
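The alert-to-drop conversion the post describes, done so that only the action keyword is touched, as an added example that is not part of the original post and not an oinkmaster feature. The rules file, sids and paths are constructed for the demo. The functions rewrite "alert" to "drop" only where it begins an uncommented rule line, leave the word alone inside msg strings, and count the actions left in the converted file so the numbers can be compared with the "Snort rules read" line of the startup output and with any pass rules that, in the rule application order printed above, are evaluated before drop rules for the same traffic.

```shell
#!/bin/sh
# Added example (not from the original post): convert the action keyword of
# Snort rules from "alert" to "drop" for snort_inline and report what is
# left, so the converted rule set can be checked before it is loaded.
# File names and rule contents below are constructed for the demo.

# Rewrite "alert" -> "drop" only where it is the leading action keyword of
# an uncommented rule line. A global s/alert/drop/ would also hit the word
# inside msg:"..." and reference fields, which is what this avoids.
convert_alert_to_drop() {
    sed -e 's/^[[:space:]]*alert[[:space:]]\{1,\}/drop /' "$1" > "$2"
}

# Count active rule lines whose leading action is $1 in file $2.
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps the
# count usable under set -e.
count_action() {
    grep -c "^[[:space:]]*$1[[:space:]]" "$2" || true
}

# Build a small constructed rules file, convert it and summarise the result
# on one line: alert=N drop=N pass=N msg_kept=N
demo_convert() {
    dir=$(mktemp -d)
    cat > "$dir/local.rules" <<'EOF'
# Constructed sample rules for the demo; sids in the local range, not VRT content.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC test alert"; content:"/test"; sid:1000001; rev:1;)
#alert tcp any any -> any 23 (msg:"disabled rule stays commented"; sid:1000002; rev:1;)
pass tcp $HOME_NET any -> any 22 (msg:"allow ssh from inside"; sid:1000003; rev:1;)
   alert udp any any -> any 53 (msg:"indented rule"; sid:1000004; rev:1;)
EOF
    convert_alert_to_drop "$dir/local.rules" "$dir/drop-local.rules"
    a=$(count_action alert "$dir/drop-local.rules")
    d=$(count_action drop "$dir/drop-local.rules")
    p=$(count_action pass "$dir/drop-local.rules")
    # The word "alert" inside the msg string must survive the rewrite.
    m=$(grep -c 'msg:"WEB-MISC test alert"' "$dir/drop-local.rules" || true)
    rm -rf "$dir"
    printf 'alert=%s drop=%s pass=%s msg_kept=%s\n' "$a" "$d" "$p" "$m"
}

demo_convert
```

Run the same two counts over the real RULE_PATH directory after oinkmaster has fetched the rules: the sum of the per-action counts should match the "Snort rules read" figure, and the "pass" count tells you how many rules will be evaluated ahead of the drop rules under the application order snort_inline prints at startup.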