From: Alberto Z. <al...@in...> - 2007-07-20 05:45:23
Excuse me, but I didn't reply to the list... I'm using shorewall to configure iptables and my policy file is:

    $FW  net  ACCEPT
    $FW  dmz  ACCEPT
    $FW  lea  ACCEPT
    $FW  clu  ACCEPT
    lea  $FW  ACCEPT
    clu  $FW  ACCEPT
    dmz  $FW  ACCEPT
    lea  net  ACCEPT
    lea  dmz  ACCEPT
    dmz  net  ACCEPT
    pin  net  ACCEPT
    pin  dmz  ACCEPT
    net  all  DROP    info
    all  all  REJECT  info

and my rules file is:

    QUEUE   net  fw                icmp
    QUEUE   net  fw                tcp  179
    QUEUE   net  fw                udp  179
    QUEUE   net  fw                tcp  41
    QUEUE   net  fw                udp  41
    QUEUE   net  fw                tcp  80
    QUEUE   net  dmz               icmp
    QUEUE   net  dmz               tcp  41
    QUEUE   net  dmz               udp  41
    ACCEPT  net  dmz:87.238.232.7  tcp  22
    QUEUE   net  dmz:87.238.232.7  tcp  80

You can try to launch nmap -v 87.238.232.7, this is the output:

    Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-20 07:41 CEST
    Machine 87.238.232.7 MIGHT actually be listening on probe port 80
    Initiating Parallel DNS resolution of 1 host. at 07:41
    Completed Parallel DNS resolution of 1 host. at 07:41, 0.03s elapsed
    Initiating Connect() Scan at 07:41
    Scanning napoli.leaproject.it (87.238.232.7) [1697 ports]
    Discovered open port 22/tcp on 87.238.232.7
    Discovered open port 80/tcp on 87.238.232.7
    Connect() Scan Timing: About 32.51% done; ETC: 07:43 (0:01:02 remaining)
    Completed Connect() Scan at 07:43, 89.75s elapsed (1697 total ports)
    Host napoli.leaproject.it (87.238.232.7) appears to be up ... good.
    Interesting ports on napoli.leaproject.it (87.238.232.7):
    Not shown: 1693 filtered ports
    PORT    STATE  SERVICE
    22/tcp  open   ssh
    41/tcp  closed graphics
    80/tcp  open   http
    113/tcp closed auth

    Nmap finished: 1 IP address (1 host up) scanned in 91.956 seconds

And in snort_inline-fast log:

    07/20-07:41:26.446420 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 62.123.168.250:42081 -> 87.238.232.7:80
    07/20-07:42:12.812348 [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 62.123.168.250:39906 -> 87.238.232.7:41

My iptables -L:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    eth0_in    all  --  anywhere             anywhere
    eth1_in    all  --  anywhere             anywhere
    eth2_in    all  --  anywhere             anywhere
    eth3_in    all  --  anywhere             anywhere
    eth4_in    all  --  anywhere             anywhere
    Reject     all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
    reject     all  --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    eth0_fwd   all  --  anywhere             anywhere
    eth1_fwd   all  --  anywhere             anywhere
    eth2_fwd   all  --  anywhere             anywhere
    eth3_fwd   all  --  anywhere             anywhere
    eth4_fwd   all  --  anywhere             anywhere
    Reject     all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
    reject     all  --  anywhere             anywhere

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
    fw2clu     all  --  anywhere             anywhere
    fw2net     all  --  anywhere             anywhere
    fw2dmz     all  --  anywhere             anywhere
    fw2lea     all  --  anywhere             anywhere
    all2all    all  --  anywhere             anywhere
    Reject     all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
    reject     all  --  anywhere             anywhere

    Chain Drop (1 references)
    target     prot opt source               destination
    reject     tcp  --  anywhere             anywhere            tcp dpt:auth
    dropBcast  all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    dropInvalid all --  anywhere             anywhere
    DROP       udp  --  anywhere             anywhere            udp dpt:epmap
    DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds
    DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
    DROP       tcp  --  anywhere             anywhere            tcp dpt:epmap
    DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
    DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
    DROP       udp  --  anywhere             anywhere            udp dpt:1900
    dropNotSyn tcp  --  anywhere             anywhere
    DROP       udp  --  anywhere             anywhere            udp spt:domain

    Chain Reject (4 references)
    target     prot opt source               destination
    reject     tcp  --  anywhere             anywhere            tcp dpt:auth
    dropBcast  all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    dropInvalid all --  anywhere             anywhere
    reject     udp  --  anywhere             anywhere            udp dpt:epmap
    reject     udp  --  anywhere             anywhere            udp dpt:microsoft-ds
    reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
    reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
    reject     tcp  --  anywhere             anywhere            tcp dpt:epmap
    reject     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
    reject     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
    DROP       udp  --  anywhere             anywhere            udp dpt:1900
    dropNotSyn tcp  --  anywhere             anywhere
    DROP       udp  --  anywhere             anywhere            udp spt:domain

    Chain all2all (13 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    Reject     all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
    reject     all  --  anywhere             anywhere

    Chain clu2fw (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain dmz2fw (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain dmz2net (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain dropBcast (2 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
    DROP       all  --  anywhere             anywhere            PKTTYPE = multicast

    Chain dropInvalid (2 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere            state INVALID

    Chain dropNotSyn (2 references)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere            tcp flags:! FIN,SYN,RST,ACK/SYN

    Chain dynamic (10 references)
    target     prot opt source               destination

    Chain eth0_fwd (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    all2all    all  --  anywhere             anywhere
    all2all    all  --  anywhere             anywhere
    all2all    all  --  anywhere             anywhere
    all2all    all  --  anywhere             anywhere

    Chain eth0_in (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    clu2fw     all  --  anywhere             anywhere

    Chain eth1_fwd (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    net2all    all  --  anywhere             anywhere
    net2dmz    all  --  anywhere             anywhere
    net2all    all  --  anywhere             anywhere
    net2all    all  --  anywhere             anywhere

    Chain eth1_in (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    net2fw     all  --  anywhere             anywhere

    Chain eth2_fwd (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    all2all    all  --  anywhere             anywhere
    dmz2net    all  --  anywhere             anywhere
    all2all    all  --  anywhere             anywhere
    all2all    all  --  anywhere             anywhere

    Chain eth2_in (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    dmz2fw     all  --  anywhere             anywhere

    Chain eth3_fwd (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    all2all    all  --  anywhere             anywhere
    lea2net    all  --  anywhere             anywhere
    lea2dmz    all  --  anywhere             anywhere
    all2all    all  --  anywhere             anywhere

    Chain eth3_in (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
    lea2fw     all  --  anywhere             anywhere

    Chain eth4_fwd (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    all2all    all  --  anywhere             anywhere
    pin2net    all  --  anywhere             anywhere
    pin2dmz    all  --  anywhere             anywhere
    all2all    all  --  anywhere             anywhere

    Chain eth4_in (1 references)
    target     prot opt source               destination
    dynamic    all  --  anywhere             anywhere            state INVALID,NEW
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
    all2all    all  --  anywhere             anywhere

    Chain fw2clu (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain fw2dmz (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain fw2lea (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain fw2net (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain lea2dmz (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain lea2fw (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain lea2net (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain logdrop (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logdrop:DROP:'
    DROP       all  --  anywhere             anywhere

    Chain logreject (0 references)
    target     prot opt source               destination
    LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logreject:REJECT:'
    reject     all  --  anywhere             anywhere

    Chain net2all (5 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    Drop       all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:'
    DROP       all  --  anywhere             anywhere

    Chain net2dmz (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    QUEUE      icmp --  anywhere             anywhere
    QUEUE      tcp  --  anywhere             anywhere            tcp dpt:graphics
    QUEUE      udp  --  anywhere             anywhere            udp dpt:graphics
    ACCEPT     tcp  --  anywhere             napoli.leaproject.it tcp dpt:ssh
    QUEUE      tcp  --  anywhere             napoli.leaproject.it tcp dpt:http
    net2all    all  --  anywhere             anywhere

    Chain net2fw (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    QUEUE      icmp --  anywhere             anywhere
    QUEUE      tcp  --  anywhere             anywhere            tcp dpt:bgp
    QUEUE      udp  --  anywhere             anywhere            udp dpt:bgp
    QUEUE      tcp  --  anywhere             anywhere            tcp dpt:graphics
    QUEUE      udp  --  anywhere             anywhere            udp dpt:graphics
    QUEUE      tcp  --  anywhere             anywhere            tcp dpt:http
    net2all    all  --  anywhere             anywhere

    Chain pin2dmz (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain pin2net (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

    Chain reject (14 references)
    target     prot opt source               destination
    DROP       all  --  255.255.255.255      anywhere
    DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
    DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
    DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
    DROP       all  --  255.255.255.255      anywhere
    DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
    REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
    REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

    Chain shorewall (0 references)
    target     prot opt source               destination

    Chain smurfs (0 references)
    target     prot opt source               destination
    LOG        all  --  172.20.10.3          anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       all  --  172.20.10.3          anywhere
    LOG        all  --  87.238.232.239       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       all  --  87.238.232.239       anywhere
    LOG        all  --  87.238.232.127       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       all  --  87.238.232.127       anywhere
    LOG        all  --  87.238.232.139       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       all  --  87.238.232.139       anywhere
    LOG        all  --  87.238.232.143       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       all  --  87.238.232.143       anywhere
    LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       all  --  255.255.255.255      anywhere
    LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
    DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere

Thanks,
Alberto

On Thu, 19/07/2007 at 18:32 -0500, Will Metcalf wrote:
> what do your iptables rules look like?
>
> Regards,
>
> Will
>
> On 7/19/07, Alberto Zuin <al...@in...> wrote:
> I'm a newbie but I didn't find any help in previous messages.
> I just compiled snort_inline 2.6.1.5 on a gentoo linux server using the
> howto at http://linuxgazette.net/117/savage.html, I downloaded the rules
> via oinkmaster and I substituted all "alert" with "drop", but snort doesn't
> drop any packet, only alert.
> The strange thing is the rules application order where the pass rule is
> just before the drop rule like a startup with -o flag.
> The server uses hardened sources and selinux.
> Can you help me please?
> Thanks,
> Alberto
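The policy and rules files quoted in this thread are evaluated first-match, rules before policy, and the distinction between ACCEPT and QUEUE decides whether snort_inline ever sees a connection at all: ssh to 87.238.232.7 is ACCEPTed directly and bypasses the IPS, while http and port 41 are QUEUEd. The following simulation is an added example, not code from the thread or from Shorewall; POLICY and RULES are trimmed copies of the files above, and the zone/host matching is a simplified model of Shorewall's.

```python
"""Simulate Shorewall first-match evaluation for the policy and rules
quoted in the thread, and list inbound rules that bypass snort_inline."""

# Constructed, trimmed copies of the poster's policy and rules files.
POLICY = """\
$FW   net  ACCEPT
$FW   dmz  ACCEPT
dmz   $FW  ACCEPT
dmz   net  ACCEPT
net   all  DROP    info
all   all  REJECT  info
"""
RULES = """\
QUEUE   net  fw                tcp  80
QUEUE   net  dmz               icmp
QUEUE   net  dmz               tcp  41
ACCEPT  net  dmz:87.238.232.7  tcp  22
QUEUE   net  dmz:87.238.232.7  tcp  80
"""

def _parse(text, ncols):
    """Split a Shorewall table into rows, padding missing columns with '-'."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            rows.append(fields + ["-"] * (ncols - len(fields)))
    return rows

def _zone_match(spec, zone, host):
    """'dmz' matches the whole zone, 'dmz:1.2.3.4' only that host; $FW is 'fw'."""
    z, _, addr = spec.replace("$FW", "fw").partition(":")
    return z in (zone, "all") and addr in ("", host)

def decide(policy, rules, src, dst, proto, port, dst_host=None):
    """First matching rule wins; otherwise the zone policy applies."""
    for action, s, d, p, dport in _parse(rules, 5):
        if (_zone_match(s, src, None) and _zone_match(d, dst, dst_host)
                and p in (proto, "-") and dport in (str(port), "-")):
            return action
    for s, d, action, _log in _parse(policy, 4):
        if _zone_match(s, src, None) and _zone_match(d, dst, dst_host):
            return action
    return "DROP"  # chain default policy, as in the iptables -L listing

def uninspected(rules, untrusted="net"):
    """Rules that ACCEPT untrusted traffic outright, so snort_inline never sees it."""
    return [tuple(r[1:]) for r in _parse(rules, 5)
            if r[0] == "ACCEPT" and r[1] == untrusted]

if __name__ == "__main__":
    print(decide(POLICY, RULES, "net", "dmz", "tcp", 22, "87.238.232.7"))  # ACCEPT
    print(uninspected(RULES))
```

Running it shows that the only inbound rule never reaching snort_inline is the ssh ACCEPT, which also explains why nmap reports 22/tcp open with no corresponding snort_inline-fast entry.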