From: Will M. <wil...@gm...> - 2007-07-19 23:32:31

what do your iptables rules look like?

Regards,
Will

On 7/19/07, Alberto Zuin <al...@in...> wrote:
>
> I'm a newbie but I didn't find any help in previous messages.
> I just compiled snort_inline 2.6.1.5 on a gentoo linux server using the
> howto at http://linuxgazette.net/117/savage.html, I downloaded the rules
> via oinkmaster and I substituted all "alert" with "drop", but snort doesn't
> drop any packet, only alert.
> The strange thing is the rules application order where the pass rule is
> just before the drop rule like a startup with -o flag.
> The server uses hardened sources and selinux.
> Can you help me please?
> Thanks,
> Alberto
>
>
> linux # /usr/local/bin/snort_inline -Qv -c /etc/snort_inline/snort_inline.conf
> Reading from iptables
> Running in IDS mode
> Initializing Inline mode
>
> --== Initializing Snort ==--
> Initializing Output Plugins!
> Var 'eth1_ADDRESS' defined, value len = 30 chars, value = 87.238.232.224/255.255.255.240
> Var 'eth2_ADDRESS' defined, value len = 28 chars, value = 87.238.232.0/255.255.255.128
> Var 'eth3_ADDRESS' defined, value len = 30 chars, value = 87.238.232.136/255.255.255.252
> Var 'eth4_ADDRESS' defined, value len = 30 chars, value = 87.238.232.140/255.255.255.252
> Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
> Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file /etc/snort_inline/snort_inline.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> Var 'HOME_NET' defined, value len = 3 chars, value = any
> Var 'HONEYNET' defined, value len = 3 chars, value = any
> Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
> Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
> Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
> Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
> Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
> Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
> Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
> Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
> Var 'AIM_SERVERS' defined, value len = 185 chars
>
> [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
> Var 'RULE_PATH' defined, value len = 28 chars, value = /etc/snort_inline/drop-rules
> ,-----------[Flow Config]----------------------
> | Stats Interval:  0
> | Hash Method:     2
> | Memcap:          10485760
> | Rows  :          4099
> | Overhead Bytes:  16400(%0.16)
> `----------------------------------------------
> stream4inline mode enabled
> truncating mode enabled
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 3600 seconds
>     Session memory cap: 134217728 bytes
>     Session count max: 8192 sessions
>     Session cleanup count: 5
>     State alerts: INACTIVE
>     Evasion alerts: INACTIVE
>     Scan alerts: INACTIVE
>     Log Flushed Streams: INACTIVE
>     MinTTL: 1
>     TTL Limit: 5
>     Async Link: 0
>     State Protection: 0
>     Self preservation threshold: 50
>     Self preservation period: 90
>     Suspend threshold: 200
>     Suspend period: 30
>     Enforce TCP State: ACTIVE and DROPPING
>     Midstream Drop Alerts: INACTIVE
>     Allow Blocking of TCP Sessions in Inline: ACTIVE
>     Server Data Inspection Limit: -1
>     Inline-mode options:
>         Inline-mode enabled? (stream4inline): Yes
>         Scan mode? (scan_stream_only): Both packet and stream
>         Sliding Windowsize (window_size): 3000
>         Memcap reached method (truncate): Truncate
>         Truncate percentage (truncate_percentage): 33
>         Store/Load state from/to disk: No
>         Max out-of-order packets in a stream (max_ooo_pkts): 5
>         Max out-of-order bytes in a stream (max_ooo_bytes): 5000
>         Max sequence holes in a stream (max_seq_holes): 2
>         Normalize wscale max (norm_wscale_max): 2
>         Perform window scale normaliztion: Yes
>         Disable out-of-order packet drop: No
>         Disable out-of-order packet drop: No
>         Disable sequence hole packet drop: No
>         Max sequence holes in a stream (max_seq_holes): 2
>         Disable wscale normalization alerts (disable_norm_wscale_alerts): No
>         Disable out-of-order alerts (disable_ooo_alerts): No
>         Drop bad RST packets? (drop_bad_rst): No
>         Disable evasive retransmission packet drop: No
>         Disable out-of-window packet drop: No
>         Disable all protocol violation drops: No
> WARNING /etc/snort_inline/snort_inline.conf(368) => flush_behavior set in config file, using old static flushpoints (0)
> Stream4_reassemble config:
>     Server reassembly: ACTIVE
>     Client reassembly: ACTIVE
>     Reassembler alerts: ACTIVE
>     Zero out flushed packets: INACTIVE
>     Flush stream on alert: INACTIVE
>     flush_data_diff_size: 500
>     Reassembler Packet Preferance : Favor New
>     Packet Sequence Overlap Limit: -1
>     Flush behavior: Small (<255 bytes)
>     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
>     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
> HttpInspect Config:
>     GLOBAL CONFIG
>       Max Pipeline Requests:    0
>       Inspection Type:          STATELESS
>       Detect Proxy Usage:       NO
>       IIS Unicode Map Filename: /etc/snort_inline/unicode.map
>       IIS Unicode Map Codepage: 1252
>     DEFAULT SERVER CONFIG:
>       Server profile: All
>       Ports: 80 8080 8180
>       Flow Depth: 300
>       Max Chunk Length: 500000
>       Inspect Pipeline Requests: YES
>       URI Discovery Strict Mode: NO
>       Allow Proxy Usage: NO
>       Disable Alerting: NO
>       Oversize Dir Length: 500
>       Only inspect URI: NO
>       Ascii: YES alert: NO
>       Double Decoding: YES alert: YES
>       %U Encoding: YES alert: YES
>       Bare Byte: YES alert: YES
>       Base36: OFF
>       UTF 8: OFF
>       IIS Unicode: YES alert: YES
>       Multiple Slash: YES alert: NO
>       IIS Backslash: YES alert: NO
>       Directory Traversal: YES alert: NO
>       Web Root Traversal: YES alert: YES
>       Apache WhiteSpace: YES alert: NO
>       IIS Delimiter: YES alert: NO
>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>       Non-RFC Compliant Characters: NONE
>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
> rpc_decode arguments:
>     Ports to decode RPC on: 111 32771
>     alert_fragments: INACTIVE
>     alert_large_fragments: ACTIVE
>     alert_incomplete: ACTIVE
>     alert_multiple_requests: ACTIVE
> Portscan Detection Config:
>     Detect Protocols:  TCP UDP ICMP IP
>     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
>     Sensitivity Level: Low
>     Memcap (in bytes): 10000000
>     Number of Nodes:   36900
>
> 6152 Snort rules read...
> 6152 Option Chains linked into 185 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Tagged Packet Limit: 256
> InitInline stage 2: InitInlinePostConfig starting...
>
>
> +-----------------------[thresholding-config]----------------------------------
> | memory-cap : 1048576 bytes
>
> +-----------------------[thresholding-global]----------------------------------
> | none
>
> +-----------------------[thresholding-local]-----------------------------------
> | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5  seconds=60
> | gen-id=1 sig-id=5321 type=Limit     tracking=src count=1  seconds=60
> | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5  seconds=2
> | gen-id=1 sig-id=3527 type=Limit     tracking=dst count=5  seconds=60
> | gen-id=1 sig-id=4984 type=Threshold tracking=src count=5  seconds=2
> | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
> | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5  seconds=2
> | gen-id=1 sig-id=2523 type=Both      tracking=dst count=10 seconds=10
> | gen-id=1 sig-id=5323 type=Limit     tracking=src count=1  seconds=60
> | gen-id=1 sig-id=5322 type=Limit     tracking=src count=1  seconds=60
> | gen-id=1 sig-id=3543 type=Threshold tracking=src count=5  seconds=2
> | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
> | gen-id=1 sig-id=3542 type=Threshold tracking=src count=5  seconds=2
>
> +-----------------------[suppression]------------------------------------------
> | none
>
> -------------------------------------------------------------------------------
> Rule application order:
> ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
> Log directory = /var/log/snort
> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
> Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>   Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
> FTPTelnet Config:
>     GLOBAL CONFIG
>       Inspection Type: stateful
>       Check for Encrypted Traffic: YES alert: YES
>       Continue to check encrypted data: NO
>     TELNET CONFIG:
>       Ports: 23
>       Are You There Threshold: 200
>       Normalize: YES
>       Detect Anomalies: NO
>     FTP CONFIG:
>       FTP Server: default
>         Ports: 21
>         Check for Telnet Cmds: YES alert: YES
>         Identify open data channels: YES
>       FTP Client: default
>         Check for Bounce Attacks: YES alert: YES
>         Check for Telnet Cmds: YES alert: YES
>         Max Response Length: 256
> SMTP Config:
>     Ports: 25
>     Inspection Type: STATEFUL
>     Normalize Spaces: YES
>     Ignore Data: NO
>     Ignore TLS Data: NO
>     Ignore Alerts: NO
>     Max Command Length: 0
>     Max Header Line Length: 0
>     Max Response Line Length: 0
>     X-Link2State Alert: YES
>     Drop on X-Link2State Alert: NO
>
> DCE/RPC Decoder config:
>     Autodetect ports ENABLED
>     SMB fragmentation ENABLED
>     DCE/RPC fragmentation ENABLED
>     Max Frag Size: 3000 bytes
>     Memcap: 100000 KB
>     Alert if memcap exceeded DISABLED
>
> DNS config:
>     DNS Client rdata txt Overflow Alert: ACTIVE
>     Obsolete DNS RR Types Alert: INACTIVE
>     Experimental DNS RR Types Alert: INACTIVE
>     Ports: 53
> Verifying Preprocessor Configurations!
> Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
> Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
> Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
> 50 out of 512 flowbits in use.
> Setting the Packet Processor to decode packets from iptables
> database: compiled support for ( postgresql )
> database: configured to use postgresql
> database: user = snort
> database: password is set
> database: database name = snort_log
> database: host = localhost
> Node unique name is: unknown:NULL
>
> database: sensor name = unknown:NULL
> database: sensor id = 2
> database: schema version = 107
> database: using the "log" facility
> +--[Pattern Matcher:Aho-Corasick Summary]----------------------
> | Alphabet Size    : 256 Chars
> | Sizeof State     : 2 bytes
> | Storage Format   : Full
> | Num States       : 103504
> | Num Transitions  : 4125009
> | State Density    : 15.6%
> | Finite Automatum : DFA
> | Memory           : 163.78Mbytes
> +-------------------------------------------------------------
>
> --== Initialization Complete ==--
>
>    ,,_     -*> Snort_Inline! <*-
>   o"  )~   Version 2.6.1.5 (Build 59) inline
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
>            Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
>            Dave Remien, Rob McMillen and Jed Haile
>            (C) Copyright 1998-2007 Sourcefire Inc., et al.
>
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
>            Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
>            Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
>            Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
>            Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
>            Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
> Not Using PCAP_FRAMES
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
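Will's question is the right first check: snort_inline started with -Q reads packets from iptables (the quoted log says "Reading from iptables"), so it can only drop what an iptables rule hands it via the QUEUE target. A chain with no QUEUE jump, or ACCEPT rules placed ahead of the jump, lets that traffic past the sensor uninspected, whatever the rule files say. (The application order printed in the quoted log, with pass ahead of drop, is what snort_inline prints for the command line shown, which has no -o.) The following is an added example, not code from the thread or from the snort_inline project: a small POSIX sh audit of an iptables chain listing in the format of `iptables -S CHAIN`. The FORWARD-chain layout, the `apply_queue_rules` helper and the three sample listings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: does iptables actually hand traffic to snort_inline?
# snort_inline -Q only sees (and can only drop) packets sent to the QUEUE
# target; anything ACCEPTed earlier in the chain bypasses it entirely.

# Rules as they would be typed on the inline box. Assumed layout: inspected
# traffic crosses the FORWARD chain and the ip_queue module is used, as the
# quoted log's "Reading from iptables" suggests. Needs root; not run here.
apply_queue_rules() {
    modprobe ip_queue
    iptables -I FORWARD -j QUEUE
}

# has_queue_jump LISTING: true if a chain listing (format of `iptables -S
# CHAIN`) contains a jump to QUEUE or NFQUEUE. A chain whose policy is
# ACCEPT and that has no such jump passes everything uninspected.
has_queue_jump() {
    printf '%s\n' "$1" | grep -Eq -- '-j (QUEUE|NFQUEUE)'
}

# bypass_count LISTING: number of ACCEPT rules that precede the first QUEUE
# jump, i.e. rules whose traffic snort_inline never sees.
bypass_count() {
    printf '%s\n' "$1" | awk '
        /-j (QUEUE|NFQUEUE)/ { seen = 1 }
        !seen && /-j ACCEPT/ { n++ }
        END { print n + 0 }'
}

# Constructed sample listings (not taken from the original thread).
GOOD_LISTING='-P FORWARD DROP
-A FORWARD -j QUEUE
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'

BAD_LISTING='-P FORWARD ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j QUEUE'

NONE_LISTING='-P FORWARD ACCEPT
-A FORWARD -i eth1 -j ACCEPT'

# audit_chain LISTING: report the two conditions above; non-zero exit when
# the chain never queues. On a live box: audit_chain "$(iptables -S FORWARD)"
audit_chain() {
    if ! has_queue_jump "$1"; then
        echo "no QUEUE/NFQUEUE jump: snort_inline receives nothing from this chain"
        return 1
    fi
    n=$(bypass_count "$1")
    echo "ACCEPT rules ahead of the QUEUE jump (traffic never inspected): $n"
    return 0
}
```

Run `audit_chain "$(iptables -S FORWARD)"` as root on the sensor; a report of zero ACCEPT rules ahead of the jump, plus a present QUEUE jump, means every forwarded packet reaches snort_inline and a drop rule can act on it. A non-zero count is the usual explanation for "it alerts but never drops" on some flows: those flows are matched by an earlier ACCEPT and are never queued.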