From: James G <har...@ho...> - 2006-10-01 09:45:38

Hi all,

My question is: can Snort_inline drop a fragmented attack that has been reassembled by Frag3? Or does it only generate an alert on it?

I mean, does Frag3 forward the fragments before the rest of the system analyses the reassembled packet?

Regards,
From: Federico P. <pe...@ac...> - 2006-09-20 16:44:05

Hi Will, now that you mention it... is there a list of differences between snort-inline and snort --enable-inline?

Regards,

Will Metcalf wrote:
> Yeah, if I ever get any freaking time. If you don't need the extra stuff
> we have in inline you could always download snort-2.6.0.2 and
> ./configure --enable-inline.
>
> Regards,
>
> Will
>
> On 9/19/06, Federico Petronio <pe...@ac...> wrote:
>> Thank you very much to all who answered. I'll try first the
>>
>> config checksum_mode: none
>>
>> solution. Do you plan to make available new binaries with this issue
>> corrected?
>>
>> Regards,
>>
>> Adam Keeton wrote:
>> [...]

--
Federico Petronio
pe...@ac...
From: Federico P. <pe...@ac...> - 2006-09-19 18:01:39

Thank you very much to all who answered. I'll try first the

config checksum_mode: none

solution. Do you plan to make available new binaries with this issue corrected?

Regards,

Adam Keeton wrote:
> It almost definitely has to do with optimizations. GCC 4.x.x comes with
> numerous changes to its optimizations, one of which involves aliasing.
> Our makefiles compile Snort with optimization level 2, and -O2 makes the
> assumption that the code adheres to strict aliasing rules. We recently
> discovered this breaks some checksums. Older GCCs are fine.
>
> If you check out the latest code from our CVS, the new configure script
> adds the necessary compiler flag to fix the issue when necessary.
> Alternatively, you should be able to do: "CFLAGS=-fno-strict-aliasing
> ./configure && make clean && make"
>
> Thanks,
> Adam
>
> Will Metcalf wrote:
>> Something is screwed with the checksum calculations for large ICMP
>> packets, think it has to do with compiler optimizations. Set
>>
>> config checksum_mode: none
>>
>> in your snort_inline.conf, should fix your problem.....
>>
>> Regards,
>>
>> Will
>>
>> On 9/18/06, Federico Petronio <pe...@ac...> wrote:
>>> Actually we use these rules because we need not only ICMP but all IP to
>>> pass for some IP addresses. Do you think that could be related in any
>>> way to the problem with big payload ICMP packets?
>>>
>>> Regards,
>>>
>>> Joel Esler wrote:
>>>> Try writing a pass rule that specifies "icmp" instead of "ip".
>>>>
>>>> Joel
>>>>
>>>> On Sep 18, 2006, at 9:44 AM, Federico Petronio wrote:
>>>>> Hello,
>>>>>
>>>>> I write to ask about something we found in "snort-inline". I have a
>>>>> couple of snort-inline IDS/IPS working and found that when sending ICMP
>>>>> packets with payload bigger than or equal to 1273 they do not pass
>>>>> through the appliance, but no event is generated either. With smaller
>>>>> packets the problem disappears. I also found that if the box is left in
>>>>> bridge-only mode (that is, without snort running) the problem also
>>>>> disappears. I included special pass rules to be sure that the packets
>>>>> to/from the IPs where we are testing this are not dropped by other rules.
>>>>>
>>>>> The installation consists of a box with Linux 2.6.8-2-k7 with EBTABLES
>>>>> support. Snort-Inline is version 2.3.0 (Build 10). This is the most
>>>>> important part of the configuration:
>>>>>
>>>>> var EXTERNAL_NET any
>>>>> var EXCLUDEDSRCIPS [10.2.1.116]
>>>>> preprocessor flow: stats_interval 0 hash 2
>>>>> preprocessor rpc_decode: 111 32771
>>>>> preprocessor telnet_decode
>>>>> preprocessor perfmonitor: time 60 pktcnt 1 flow events
>>>>>
>>>>> config order: activation dynamic pass drop sdrop reject alert log
>>>>>
>>>>> pass ip $EXCLUDEDSRCIPS any -> $EXTERNAL_NET any ( sid: 3000204; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
>>>>> pass ip $EXTERNAL_NET any -> $EXCLUDEDSRCIPS any ( sid: 3000205; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
>>>>>
>>>>> This is the output of "tcpdump -x -X -s0 -i eth2 icmp and host 10.0.14.116"
>>>>> when sniffing one of the interfaces of the bridge (in the other I see no
>>>>> related traffic):
>>>>>
>>>>> 10:02:00.748763 IP 10.0.14.116 > 10.2.1.116: icmp 1280: echo request seq 3332
>>>>> [hex dump of the first fragment omitted]
>>>>> 10:02:00.748782 IP 10.0.14.116 > 10.2.1.116: icmp
>>>>> [hex dump of the second fragment omitted]
>>>>>
>>>>> Any help on this subject would be appreciated.
>>>>>
>>>>> Regards,
>>>>> --
>>>>> Federico Petronio
>>>>> pe...@ac...
>>>>> Linux User #129974

--
Federico Petronio
pe...@ac...
From: Dave R. <da...@re...> - 2006-09-19 15:34:42
Folks,

The note from Earl and the snort folks is right, as far as it goes - I've also experienced checksum corruption at -O2 and above with some GCC 3.X versions.

Cheers,

Dave

---------- Forwarded message ----------
Date: Tue, 19 Sep 2006 10:05:27 -0400
From: Earl <esa...@hu...>
To: <sno...@li...>, <da...@re...>
Subject: Re: [Snort-inline-users] Snort-inline-users Digest, Vol 4, Issue 8

All,

From the latest snort changelog FYI...

2006-09-13 - Snort 2.6.0.2 Released

[*] Known Issues
    * With compiler optimizations when using gcc 4.x, sometimes we see fewer alerts being generated because of failed checksum calculations. To work around this issue, manually set the compiler optimization to -O0 or -O1. An additional work around is to ignore checksums or compile using debug (--enable-debug option to configure), which forces -O0. This has been seen on 32-bit installations of FC5, Ubuntu and SUSE10 platforms. This may occur for other platforms with gcc 4.
From: Earl <esa...@hu...> - 2006-09-19 14:06:10
All,

From the latest snort changelog FYI...

2006-09-13 - Snort 2.6.0.2 Released

[*] New Additions
    * Added a DNS preprocessor and protocol decoder. See the README.dns for details.

[*] Known Issues
    * With compiler optimizations when using gcc 4.x, sometimes we see fewer alerts being generated because of failed checksum calculations. To work around this issue, manually set the compiler optimization to -O0 or -O1. An additional work around is to ignore checksums or compile using debug (--enable-debug option to configure), which forces -O0. This has been seen on 32-bit installations of FC5, Ubuntu and SUSE10 platforms. This may occur for other platforms with gcc 4.

On Mon, 18 Sep 2006 22:34:54 -0400 Dave Remien <da...@re...> wrote:

>+oops missed the second e-mail. Yeah what Jason said, if you add ACCEPT
>+rules before your QUEUE rules in iptables this would save you some cycles.
>+Also if all of your other traffic passes ok and you still have a problem
>+with large icmp packets you can also set
>+
>+config checksum_mode: noicmp
>
>I've had problems with gcc and optimization of the snort checksum routines
>in the past - certain version of gcc optimize those routines into invalid
>code.
>
>Easiest things are to try a different version of gcc, or turn off
>optimization for the checksumming code.
>
>Regards,
>
>Dave
From: Adam K. <ak...@so...> - 2006-09-19 13:57:19
It almost definitely has to do with optimizations. GCC 4.x.x comes with numerous changes to its optimizations, one of which involves aliasing. Our makefiles compile Snort with optimization level 2, and -O2 makes the assumption that the code adheres to strict aliasing rules. We recently discovered this breaks some checksums. Older GCCs are fine.

If you check out the latest code from our CVS, the new configure script adds the necessary compiler flag to fix the issue when necessary. Alternatively, you should be able to do:

"CFLAGS=-fno-strict-aliasing ./configure && make clean && make"

Thanks,
Adam

Will Metcalf wrote:
> something is screwed with the checksum calculations for large ICMP
> packets, think it has to do with compiler optimizations. set
>
> config checksum_mode: none
>
> in your snort_inline.conf, should fix your problem.....
>
> Regards,
>
> Will
>
> On 9/18/06, *Federico Petronio* <pe...@ac...> wrote:
>
>     Actually we use these rules because we need not only ICMP but all IP to
>     pass for some IP addresses. Do you think that that could be related in
>     any way to the problem with big payload ICMP packets?
>
>     Regards,
>
>     Joel Esler wrote:
>     > Try writing a pass rule that specifies "icmp" instead of "ip".
>     >
>     > Joel
>     >
>     > On Sep 18, 2006, at 9:44 AM, Federico Petronio wrote:
>     >
>     >> Hello,
>     >>
>     >> I write you to ask about something we found in "snort-inline". I have a
>     >> couple of snort-inline IDS/IPS working and found that when sending ICMP
>     >> packets with payload bigger or equal to 1273 they do not pass through the
>     >> appliance, but no event is generated either. With smaller packets the
>     >> problem disappears. I also found that if the box is left in bridge only
>     >> mode (that is without snort running) the problem also disappears. I
>     >> included special pass rules to be sure that the packets to/from the IPs
>     >> where we are testing this are not dropped by other rules.
>     >>
>     >> The installation consists of a box with Linux 2.6.8-2-k7 with EBTABLES
>     >> support. Snort-Inline is version 2.3.0 (Build 10). This is the most
>     >> important part of the configuration:
>     >>
>     >> var EXTERNAL_NET any
>     >> var EXCLUDEDSRCIPS [10.2.1.116]
>     >> preprocessor flow: stats_interval 0 hash 2
>     >> preprocessor rpc_decode: 111 32771
>     >> preprocessor telnet_decode
>     >> preprocessor perfmonitor: time 60 pktcnt 1 flow events
>     >>
>     >> config order: activation dynamic pass drop sdrop reject alert log
>     >>
>     >> pass ip $EXCLUDEDSRCIPS any -> $EXTERNAL_NET any ( sid: 3000204; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
>     >> pass ip $EXTERNAL_NET any -> $EXCLUDEDSRCIPS any ( sid: 3000205; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
>     >>
>     >> This is the output of "tcpdump -x -X -s0 -i eth2 icmp and host
>     >> 10.0.14.116" when sniffing one of the interfaces of the bridge (in the
>     >> other I see no related traffic):
>     >>
>     >> 10:02:00.748763 IP 10.0.14.116 > 10.2.1.116: icmp 1280: echo request seq 3332
>     >> 10:02:00.748782 IP 10.0.14.116 > 10.2.1.116: icmp
>     >>
>     >> Any help on this subject would be appreciated.
>     >>
>     >> Regards,
>     >> --
>     >> Federico Petronio
>     >> pe...@ac...
>     >> Linux User #129974
>
>     --
>     Federico Petronio
>     pe...@ac...
From: Dave R. <da...@re...> - 2006-09-19 02:35:05
+oops missed the second e-mail. Yeah what Jason said, if you add ACCEPT
+rules before your QUEUE rules in iptables this would save you some cycles.
+Also if all of your other traffic passes ok and you still have a problem
+with large icmp packets you can also set
+
+config checksum_mode: noicmp

I've had problems with gcc and optimization of the snort checksum routines
in the past - certain version of gcc optimize those routines into invalid
code.

Easiest things are to try a different version of gcc, or turn off
optimization for the checksumming code.

Regards,

Dave
From: Will M. <wil...@gm...> - 2006-09-19 01:26:07
oops missed the second e-mail. Yeah what Jason said, if you add ACCEPT rules before your QUEUE rules in iptables this would save you some cycles. Also if all of your other traffic passes ok and you still have a problem with large icmp packets you can also set

config checksum_mode: noicmp

Regards,

Will

On 9/18/06, Jason <sec...@br...> wrote:
>
> In the case of all IP it would be more efficient to handle those systems
> at the iptables level and never send that traffic to the queue for
> inspection.
>
> Federico Petronio wrote:
> > Actually we use these rules because we need not only ICMP but all IP to
> > pass for some IP addresses. Do you think that that could be related in
> > any way to the problem with big payload ICMP packets?
> >
> > Regards,
> >
> > Joel Esler wrote:
> >> Try writing a pass rule that specifies "icmp" instead of "ip".
> >>
> >> Joel
> >>
> >> On Sep 18, 2006, at 9:44 AM, Federico Petronio wrote:
> >>
> >>> Hello,
> >>>
> >>> I write you to ask about something we found in "snort-inline". I have a
> >>> couple of snort-inline IDS/IPS working and found that when sending ICMP
> >>> packets with payload bigger or equal to 1273 they do not pass through the
> >>> appliance, but no event is generated either. With smaller packets the
> >>> problem disappears. I also found that if the box is left in bridge only
> >>> mode (that is without snort running) the problem also disappears. I
> >>> included special pass rules to be sure that the packets to/from the IPs
> >>> where we are testing this are not dropped by other rules.
> >>>
> >>> The installation consists of a box with Linux 2.6.8-2-k7 with EBTABLES
> >>> support. Snort-Inline is version 2.3.0 (Build 10). This is the most
> >>> important part of the configuration:
> >>>
> >>> var EXTERNAL_NET any
> >>> var EXCLUDEDSRCIPS [10.2.1.116]
> >>> preprocessor flow: stats_interval 0 hash 2
> >>> preprocessor rpc_decode: 111 32771
> >>> preprocessor telnet_decode
> >>> preprocessor perfmonitor: time 60 pktcnt 1 flow events
> >>>
> >>> config order: activation dynamic pass drop sdrop reject alert log
> >>>
> >>> pass ip $EXCLUDEDSRCIPS any -> $EXTERNAL_NET any ( sid: 3000204; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
> >>> pass ip $EXTERNAL_NET any -> $EXCLUDEDSRCIPS any ( sid: 3000205; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
> >>>
> >>> This is the output of "tcpdump -x -X -s0 -i eth2 icmp and host
> >>> 10.0.14.116" when sniffing one of the interfaces of the bridge (in the
> >>> other I see no related traffic):
> >>>
> >>> 10:02:00.748763 IP 10.0.14.116 > 10.2.1.116: icmp 1280: echo request seq 3332
> >>> 10:02:00.748782 IP 10.0.14.116 > 10.2.1.116: icmp
> >>>
> >>> Any help on this subject would be appreciated.
> >>>
> >>> Regards,
> >>> --
> >>> Federico Petronio
> >>> pe...@ac...
> >>> Linux User #129974
From: Jason <sec...@br...> - 2006-09-19 01:18:10
|
In the case of all IP it would be more efficient to handle those systems at the iptables level and never send that traffic to the queue for inspection.

Federico Petronio wrote:
> Actually we use these rules because we need not only ICMP but all IP to
> pass for some IP addresses. Do you think that could be related in
> any way to the problem with big payload ICMP packets?
>
> Regards,
>
> Joel Esler wrote:
>> Try writing a pass rule that specifies "icmp" instead of "ip".
>>
>> Joel
>>
>> On Sep 18, 2006, at 9:44 AM, Federico Petronio wrote:
>>
>>> Hello,
>>>
>>> I am writing to ask about something we found in "snort-inline". I have a
>>> couple of snort-inline IDS/IPS working and found that when sending ICMP
>>> packets with a payload bigger than or equal to 1273 they do not pass through the
>>> appliance, but no event is generated either. With smaller packets the
>>> problem disappears. I also found that if the box is left in bridge-only
>>> mode (that is, without snort running) the problem also disappears. I
>>> included special pass rules to be sure that the packets to/from the IPs
>>> where we are testing this are not dropped by other rules.
>>>
>>> The installation consists of a box with Linux 2.6.8-2-k7 with EBTABLES
>>> support. Snort-Inline is version 2.3.0 (Build 10). This is the most
>>> important part of the configuration:
>>>
>>> var EXTERNAL_NET any
>>> var EXCLUDEDSRCIPS [10.2.1.116]
>>> preprocessor flow: stats_interval 0 hash 2
>>> preprocessor rpc_decode: 111 32771
>>> preprocessor telnet_decode
>>> preprocessor perfmonitor: time 60 pktcnt 1 flow events
>>>
>>> config order: activation dynamic pass drop sdrop reject alert log
>>>
>>> pass ip $EXCLUDEDSRCIPS any -> $EXTERNAL_NET any ( sid: 3000204; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
>>> pass ip $EXTERNAL_NET any -> $EXCLUDEDSRCIPS any ( sid: 3000205; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
>>>
>>> This is the output of "tcpdump -x -X -s0 -i eth2 icmp and host
>>> 10.0.14.116" when sniffing one of the interfaces of the bridge (on the
>>> other I see no related traffic):
>>>
>>> 10:02:00.748763 IP 10.0.14.116 > 10.2.1.116: icmp 1280: echo request seq 3332
>>> 0x0000: 0012 daf1 4e74 0004 0d2b a40e 0800 4500 ....Nt...+....E.
>>> 0x0010: 0514 66ea 2000 7f01 8c15 0a00 0e74 0a02 ..f..........t..
>>> 0x0020: 0174 0800 5571 0200 0d04 6162 6364 6566 .t..Uq....abcdef
>>> [rows 0x0030 through 0x0520, the "abcdefghijklmnopqrstuvw" payload repeating and ending "fg", omitted from this quote; the full dump is in Federico's original message below]
>>> 10:02:00.748782 IP 10.0.14.116 > 10.2.1.116: icmp
>>> 0x0000: 0012 daf1 4e74 0004 0d2b a40e 0800 4500 ....Nt...+....E.
>>> 0x0010: 00f8 66ea 00a0 7f01 af91 0a00 0e74 0a02 ..f..........t..
>>> 0x0020: 0174 6869 6a6b 6c6d 6e6f 7071 7273 7475 .thijklmnopqrstu
>>> [rows 0x0030 through 0x0100, the payload continuing to "wabcde", omitted from this quote]
>>>
>>> Any help on this subject would be appreciated.
>>>
>>> Regards,
>>> --
>>> Federico Petronio
>>> pe...@ac...
>>> Linux User #129974
>>
>> +---------------------------------------------------------------------+
>> joel esler senior security consultant 1-706-627-2101
>> Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
>> Snort - Open Source Network IPS/IDS -- http://www.snort.org
>> gpg key: http://demo.sourcefire.com/jesler.pgp.key
>> aim:eslerjoel ymsg:eslerjoel gtalk:eslerj
>> +---------------------------------------------------------------------+
|
From: Will M. <wil...@gm...> - 2006-09-18 22:50:53
|
Something is screwed with the checksum calculations for large ICMP packets; I think it has to do with compiler optimizations. Set "config checksum_mode: none" in your snort_inline.conf; that should fix your problem.

Regards,
Will

On 9/18/06, Federico Petronio <pe...@ac...> wrote:
>
> Actually we use these rules because we need not only ICMP but all IP to
> pass for some IP addresses. Do you think that could be related in
> any way to the problem with big payload ICMP packets?
>
> Regards,
>
> Joel Esler wrote:
> > Try writing a pass rule that specifies "icmp" instead of "ip".
> >
> > Joel
> >
> > On Sep 18, 2006, at 9:44 AM, Federico Petronio wrote:
> >
> >> Hello,
> >>
> >> I am writing to ask about something we found in "snort-inline". I have a
> >> couple of snort-inline IDS/IPS working and found that when sending ICMP
> >> packets with a payload bigger than or equal to 1273 they do not pass through the
> >> appliance, but no event is generated either. With smaller packets the
> >> problem disappears. I also found that if the box is left in bridge-only
> >> mode (that is, without snort running) the problem also disappears. I
> >> included special pass rules to be sure that the packets to/from the IPs
> >> where we are testing this are not dropped by other rules.
> >>
> >> The installation consists of a box with Linux 2.6.8-2-k7 with EBTABLES
> >> support. Snort-Inline is version 2.3.0 (Build 10). This is the most
> >> important part of the configuration:
> >>
> >> var EXTERNAL_NET any
> >> var EXCLUDEDSRCIPS [10.2.1.116]
> >> preprocessor flow: stats_interval 0 hash 2
> >> preprocessor rpc_decode: 111 32771
> >> preprocessor telnet_decode
> >> preprocessor perfmonitor: time 60 pktcnt 1 flow events
> >>
> >> config order: activation dynamic pass drop sdrop reject alert log
> >>
> >> pass ip $EXCLUDEDSRCIPS any -> $EXTERNAL_NET any ( sid: 3000204; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
> >> pass ip $EXTERNAL_NET any -> $EXCLUDEDSRCIPS any ( sid: 3000205; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
> >>
> >> This is the output of "tcpdump -x -X -s0 -i eth2 icmp and host
> >> 10.0.14.116" when sniffing one of the interfaces of the bridge (on the
> >> other I see no related traffic):
> >>
> >> 10:02:00.748763 IP 10.0.14.116 > 10.2.1.116: icmp 1280: echo request seq 3332
> >> 0x0000: 0012 daf1 4e74 0004 0d2b a40e 0800 4500 ....Nt...+....E.
> >> 0x0010: 0514 66ea 2000 7f01 8c15 0a00 0e74 0a02 ..f..........t..
> >> 0x0020: 0174 0800 5571 0200 0d04 6162 6364 6566 .t..Uq....abcdef
> >> [rows 0x0030 through 0x0520, the "abcdefghijklmnopqrstuvw" payload repeating and ending "fg", omitted from this quote; the full dump is in Federico's original message below]
> >> 10:02:00.748782 IP 10.0.14.116 > 10.2.1.116: icmp
> >> 0x0000: 0012 daf1 4e74 0004 0d2b a40e 0800 4500 ....Nt...+....E.
> >> 0x0010: 00f8 66ea 00a0 7f01 af91 0a00 0e74 0a02 ..f..........t..
> >> 0x0020: 0174 6869 6a6b 6c6d 6e6f 7071 7273 7475 .thijklmnopqrstu
> >> [rows 0x0030 through 0x0100, the payload continuing to "wabcde", omitted from this quote]
> >>
> >> Any help on this subject would be appreciated.
> >>
> >> Regards,
> >> --
> >> Federico Petronio
> >> pe...@ac...
> >> Linux User #129974
> >
> > +---------------------------------------------------------------------+
> > joel esler senior security consultant 1-706-627-2101
> > Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
> > Snort - Open Source Network IPS/IDS -- http://www.snort.org
> > gpg key: http://demo.sourcefire.com/jesler.pgp.key
> > aim:eslerjoel ymsg:eslerjoel gtalk:eslerj
> > +---------------------------------------------------------------------+
>
> --
> Federico Petronio
> pe...@ac...
|
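Will's diagnosis points at checksum handling, and the capture Federico posted lets you check the arithmetic yourself. The first frame has IP total length 0x0514 = 1300 with the MF bit set (flags/offset word 0x2000) and offset 0; the second has offset 0x00a0 * 8 = 1280 and total length 0x00f8 = 248. So the echo request was fragmented at a 1300-byte IP MTU, and 1300 - 20 - 8 = 1272 is the largest ICMP payload that fits in one datagram, which is exactly why the trouble starts at 1273: the failing packets are precisely the fragmented ones. The ICMP checksum in the first fragment (0x5571) covers the whole 1508-byte message, so any verification run over the first fragment by itself must fail, and a decoder that verifies and drops before reassembly would silently discard these packets and nothing else. The script below is an added example written for this page, not code from the thread or from snort-inline. It rebuilds both fragments from the dump (link, IP and ICMP headers copied byte for byte; the payload regenerated from the repeating "abcdefghijklmnopqrstuvw" pattern the dump shows, an assumption standing in for the quoted rows), confirms both IP header checksums, shows the ICMP checksum failing on fragment 1 alone and passing after reassembly, and refuses fragment sets with gaps, overlaps or a dangling MF bit.

```python
"""Re-check the checksums in the two captured ICMP fragments (added example)."""
import struct

# Link + IP (+ ICMP) headers copied from the capture, byte for byte.
FRAG1_HDR = bytes.fromhex(
    "0012daf14e7400040d2ba40e0800"                # Ethernet, ethertype 0x0800
    "4500051466ea20007f018c150a000e740a020174"    # IPv4: len 1300, id 0x66ea, MF set, off 0, cksum 0x8c15
    "0800557102000d04")                           # ICMP echo request, cksum 0x5571, id 0x0200, seq 0x0d04
FRAG2_HDR = bytes.fromhex(
    "0012daf14e7400040d2ba40e0800"
    "450000f866ea00a07f01af910a000e740a020174")   # IPv4: len 248, id 0x66ea, off 0xa0*8 = 1280, cksum 0xaf91

# Assumption: the payload is the "abcdefghijklmnopqrstuvw" pattern the dump shows,
# repeated end to end; it is regenerated here instead of pasting the quoted rows.
PATTERN = b"abcdefghijklmnopqrstuvw"

def pattern_bytes(start: int, length: int) -> bytes:
    """`length` bytes of the repeating pattern, beginning at pattern position `start`."""
    return bytes(PATTERN[(start + i) % len(PATTERN)] for i in range(length))

# Fragment 1 carries the ICMP header plus 1272 payload bytes (1300 - 20 - 8);
# fragment 2 carries the remaining 228 (248 - 20): 1500 payload bytes in all.
FRAG1 = FRAG1_HDR + pattern_bytes(0, 1272)
FRAG2 = FRAG2_HDR + pattern_bytes(1272, 228)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented.
    Over a header or message that already contains its checksum this yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Drop the 14-byte Ethernet header and decode the fixed IPv4 header."""
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _cksum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident,
        "total_len": total_len,
        "more_fragments": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8,     # offset field is in 8-byte units
        "proto": proto,
        "header_ok": inet_checksum(ip[:ihl]) == 0,   # header checksum verifies to 0
        "payload": ip[ihl:total_len],
    }

def icmp_checksum_ok(icmp: bytes) -> bool:
    """True only if the checksum field covers exactly the bytes handed in."""
    return inet_checksum(icmp) == 0

def reassemble(frags: list) -> bytes:
    """Join fragments of one IP ID in offset order; refuse gaps, overlaps and a dangling MF."""
    frags = sorted(frags, key=lambda f: f["frag_offset"])
    if len({f["ident"] for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    out = bytearray()
    for f in frags:
        if f["frag_offset"] != len(out):
            raise ValueError("gap or overlap at offset %d" % f["frag_offset"])
        out += f["payload"]
    if frags[-1]["more_fragments"]:
        raise ValueError("last fragment still has MF set: datagram incomplete")
    return bytes(out)

def analyse() -> dict:
    """Everything worth confirming from the dump, as one dict of results."""
    f1, f2 = parse_frame(FRAG1), parse_frame(FRAG2)
    icmp = reassemble([f2, f1])            # handed over out of order on purpose
    return {
        "ip_headers_ok": f1["header_ok"] and f2["header_ok"],
        "frag1_total_len": f1["total_len"],
        "frag1_more_fragments": f1["more_fragments"],
        "frag2_offset": f2["frag_offset"],
        "max_unfragmented_payload": f1["total_len"] - 20 - 8,   # 1272, so trouble from 1273
        "icmp_ok_on_frag1_alone": icmp_checksum_ok(f1["payload"]),
        "icmp_ok_after_reassembly": icmp_checksum_ok(icmp),
        "icmp_cksum_field": struct.unpack("!H", icmp[2:4])[0],
        "icmp_payload_len": len(icmp) - 8,
    }

if __name__ == "__main__":
    for key, val in analyse().items():
        print("%-26s %s" % (key, "0x%04x" % val if key == "icmp_cksum_field" else val))
```

Run as a script it prints the decoded fields and the two verdicts. The practical caveat for the fix Will gives: "config checksum_mode: none" stops the drop, but it also makes snort_inline inspect (and possibly alert on) packets whose checksums are genuinely bad and which the receiving host will discard, the classic insertion problem for an IDS; the Snort manual lists per-protocol values for checksum_mode (such as noicmp), which would be narrower if the 2.3.0 inline build honours them, so test that on the box before relying on it.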
From: Federico P. <pe...@ac...> - 2006-09-18 18:29:07
|
Actually we use these rules because we need not only ICMP but all IP to pass for some IP addresses. Do you think that could be related in any way to the problem with big payload ICMP packets?

Regards,

Joel Esler wrote:
> Try writing a pass rule that specifies "icmp" instead of "ip".
>
> Joel
>
> On Sep 18, 2006, at 9:44 AM, Federico Petronio wrote:
>
>> Hello,
>>
>> I am writing to ask about something we found in "snort-inline". I have a
>> couple of snort-inline IDS/IPS working and found that when sending ICMP
>> packets with a payload bigger than or equal to 1273 they do not pass through the
>> appliance, but no event is generated either. With smaller packets the
>> problem disappears. I also found that if the box is left in bridge-only
>> mode (that is, without snort running) the problem also disappears. I
>> included special pass rules to be sure that the packets to/from the IPs
>> where we are testing this are not dropped by other rules.
>>
>> The installation consists of a box with Linux 2.6.8-2-k7 with EBTABLES
>> support. Snort-Inline is version 2.3.0 (Build 10). This is the most
>> important part of the configuration:
>>
>> var EXTERNAL_NET any
>> var EXCLUDEDSRCIPS [10.2.1.116]
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor rpc_decode: 111 32771
>> preprocessor telnet_decode
>> preprocessor perfmonitor: time 60 pktcnt 1 flow events
>>
>> config order: activation dynamic pass drop sdrop reject alert log
>>
>> pass ip $EXCLUDEDSRCIPS any -> $EXTERNAL_NET any ( sid: 3000204; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
>> pass ip $EXTERNAL_NET any -> $EXCLUDEDSRCIPS any ( sid: 3000205; rev: 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious;)
>>
>> This is the output of "tcpdump -x -X -s0 -i eth2 icmp and host
>> 10.0.14.116" when sniffing one of the interfaces of the bridge (on the
>> other I see no related traffic):
>>
>> 10:02:00.748763 IP 10.0.14.116 > 10.2.1.116: icmp 1280: echo request seq 3332
>> 0x0000: 0012 daf1 4e74 0004 0d2b a40e 0800 4500 ....Nt...+....E.
>> 0x0010: 0514 66ea 2000 7f01 8c15 0a00 0e74 0a02 ..f..........t..
>> 0x0020: 0174 0800 5571 0200 0d04 6162 6364 6566 .t..Uq....abcdef
>> [rows 0x0030 through 0x0520, the "abcdefghijklmnopqrstuvw" payload repeating and ending "fg", omitted from this quote; the full dump is in Federico's original message below]
>> 10:02:00.748782 IP 10.0.14.116 > 10.2.1.116: icmp
>> 0x0000: 0012 daf1 4e74 0004 0d2b a40e 0800 4500 ....Nt...+....E.
>> 0x0010: 00f8 66ea 00a0 7f01 af91 0a00 0e74 0a02 ..f..........t..
>> 0x0020: 0174 6869 6a6b 6c6d 6e6f 7071 7273 7475 .thijklmnopqrstu
>> [rows 0x0030 through 0x0100, the payload continuing to "wabcde", omitted from this quote]
>>
>> Any help on this subject would be appreciated.
>>
>> Regards,
>> --
>> Federico Petronio
>> pe...@ac...
>> Linux User #129974
>
> +---------------------------------------------------------------------+
> joel esler senior security consultant 1-706-627-2101
> Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
> Snort - Open Source Network IPS/IDS -- http://www.snort.org
> gpg key: http://demo.sourcefire.com/jesler.pgp.key
> aim:eslerjoel ymsg:eslerjoel gtalk:eslerj
> +---------------------------------------------------------------------+

--
Federico Petronio
pe...@ac...
|
From: Federico P. <pe...@ac...> - 2006-09-18 13:45:15
|
Hello, I write you to ask about something we found in =93snort-inline=94. I ha= ve a couple of snort-inline IDS/IPS working and found that when sending ICMP packets with payload bigger or equal to 1273 they do no pass thought th= e appliance, but no event is generated either. With smaller packets the problem disappears. I also found that if the box is leave in bridge onl= y mode (that is without snort running) the problem also disappears. I included special pass rules to be sure that the packets to/from the IPs where we are testing this are not dropped by other rules. The installation consists of a box with Linux 2.6.8-2-k7 with EBTABLES support. Snort-Inline is version 2.3.0 (Build 10). This is the most important part of the configuration: var EXTERNAL_NET any var EXCLUDEDSRCIPS [10.2.1.116] preprocessor flow: stats_interval 0 hash 2 preprocessor rpc_decode: 111 32771 preprocessor telnet_decode preprocessor perfmonitor: time 60 pktcnt 1 flow events config order: activation dynamic pass drop sdrop reject alert log pass ip $EXCLUDEDSRCIPS any -> $EXTERNAL_NET any ( sid: 3000204; rev: 1= ; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicious= ;) pass ip $EXTERNAL_NET any -> $EXCLUDEDSRCIPS any ( sid: 3000205; rev:= 1; msg: "PASS IP Packet from/to excluded IPs"; classtype: not-suspicio= us;) This is the output of "tcpdump -x -X -s0 -i eth2 icmp and host 10.0.14.= 116" when sniffing one of the interfaces of the brigde (in the other I = see no related traffic): 10:02:00.748763 IP 10.0.14.116 > 10.2.1.116: icmp 1280: echo request se= q 3332 0x0000: 0012 daf1 4e74 0004 0d2b a40e 0800 4500 ....Nt...+...= =2EE. 0x0010: 0514 66ea 2000 7f01 8c15 0a00 0e74 0a02 ..f..........= t.. 
10:02:00.748782 IP 10.0.14.116 > 10.2.1.116: icmp
Any help on this subject would be appreciated.

Regards,
--
Federico Petronio pe...@ac...
Linux User #129974 |
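An added example, not code from the post, that decodes the two IPv4 headers in the capture above: it shows the echo request is carried as two fragments sharing ID 0x66ea (a 1300-byte first fragment with MF set, then one at offset 1280), and that 1300 - 20 - 8 = 1272 is exactly the largest payload the poster reports passing, so the pings that disappear are the ones arriving fragmented, which is what the fragment reassembly path has to handle before any rule sees a whole ICMP message. The header bytes are copied from the hex dump (Ethernet header stripped); everything else is constructed here.

```python
"""Decode the IPv4 headers of the two frames in the tcpdump capture above.

Added example, not code from the post. The two 20-byte headers are copied
from the poster's hex dump (bytes after the 14-byte Ethernet header);
everything else here is constructed.
"""
import struct
from dataclasses import dataclass
from typing import List

# From the capture: first frame and second frame, offset 0x000e onward.
FIRST_FRAGMENT = bytes.fromhex("4500051466ea20007f018c150a000e740a020174")
SECOND_FRAGMENT = bytes.fromhex("450000f866ea00a07f01af910a000e740a020174")


@dataclass
class IPv4Header:
    total_length: int
    ident: int
    dont_fragment: bool
    more_fragments: bool
    frag_offset: int          # bytes (the 13-bit field times 8)
    ttl: int
    proto: int
    checksum: int
    src: str
    dst: str
    header_len: int

    @property
    def payload_len(self) -> int:
        return self.total_length - self.header_len

    @property
    def is_fragment(self) -> bool:
        return self.more_fragments or self.frag_offset > 0


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 arithmetic: sum the 16-bit words, fold carries back in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum_valid(header: bytes) -> bool:
    """With the checksum field in place, an intact header sums to 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def parse_ipv4(header: bytes) -> IPv4Header:
    """Parse a 20-byte IPv4 header; rejects non-IPv4, options and bad checksums."""
    ver_ihl, _tos, tlen, ident, flags_off, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", header[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl != 20:
        raise ValueError("IP options present; only 20-byte headers handled")
    if not header_checksum_valid(header[:ihl]):
        raise ValueError("bad IPv4 header checksum")
    return IPv4Header(
        total_length=tlen, ident=ident,
        dont_fragment=bool(flags_off & 0x4000),
        more_fragments=bool(flags_off & 0x2000),
        frag_offset=(flags_off & 0x1FFF) * 8,
        ttl=ttl, proto=proto, checksum=csum,
        src=".".join(str(b) for b in src), dst=".".join(str(b) for b in dst),
        header_len=ihl)


def reassembled_length(fragments: List[IPv4Header]) -> int:
    """Size of the transport datagram these fragments rebuild, after checking
    they belong together and form a gapless chain that ends with MF=0.
    This is the bookkeeping a reassembling preprocessor must do before any
    rule can match on the whole ICMP message."""
    frags = sorted(fragments, key=lambda h: h.frag_offset)
    key = (frags[0].ident, frags[0].src, frags[0].dst, frags[0].proto)
    expected = 0
    for h in frags:
        if (h.ident, h.src, h.dst, h.proto) != key:
            raise ValueError("fragment from a different datagram")
        if h.frag_offset != expected:
            raise ValueError("gap or overlap at offset %d" % h.frag_offset)
        expected += h.payload_len
    if frags[-1].more_fragments:
        raise ValueError("last fragment missing")
    return expected


def max_unfragmented_icmp_payload(mtu: int) -> int:
    """Largest echo-request payload that fits in one packet: MTU minus the
    20-byte IP header and the 8-byte ICMP header."""
    return mtu - 20 - 8


if __name__ == "__main__":
    frags = [parse_ipv4(FIRST_FRAGMENT), parse_ipv4(SECOND_FRAGMENT)]
    for h in frags:
        print(h)
    print("reassembled ICMP bytes:", reassembled_length(frags))
    mtu = frags[0].total_length
    print("largest unfragmented payload at MTU %d: %d"
          % (mtu, max_unfragmented_icmp_payload(mtu)))
```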
From: Earl <esa...@hu...> - 2006-09-16 21:12:34
|
Will,

I knew there was something else I needed to clarify (rule order) to make this work right. Having cleared that up, I guess it does make more sense to deal with this at the IPTables level.

Thanks, as always, for the feedback.

Earl

On Sat, 16 Sep 2006 12:07:59 -0400 Will Metcalf <wil...@gm...> wrote:
> As long as the whitelist/blacklist rules are initialized before the other rulesets in your snort.conf. You'd probably be better off handling this in iptables; the less traffic you send to the QUEUE target, the higher your throughput will be.
>
> Regards,
>
> Will
>
> On 9/16/06, Earl <esa...@hu...> wrote:
>> Snort version 2.6.0.2 --with inline.
>>
>> More of a rules syntax question but I bet someone here can help...
>>
>> Need to verify syntax for creating both whitelist (pass, don't log) and blacklist (drop, don't log) rules. Would this be correct for IP range 10.0.0.0/24:
>>
>> White: pass ip 10.0.0.0/24 any <> any any
>> Black: drop ip 10.0.0.0/24 any <> any any
>>
>> Thanks.
>>
>> Earl |
From: Will M. <wil...@gm...> - 2006-09-16 16:08:05
|
As long as the whitelist/blacklist rules are initialized before the other rulesets in your snort.conf. You'd probably be better off handling this in iptables; the less traffic you send to the QUEUE target, the higher your throughput will be.

Regards,

Will

On 9/16/06, Earl <esa...@hu...> wrote:
> Snort version 2.6.0.2 --with inline.
>
> More of a rules syntax question but I bet someone here can help...
>
> Need to verify syntax for creating both whitelist (pass, don't log) and blacklist (drop, don't log) rules. Would this be correct for IP range 10.0.0.0/24:
>
> White: pass ip 10.0.0.0/24 any <> any any
> Black: drop ip 10.0.0.0/24 any <> any any
>
> Thanks.
>
> Earl |
From: Earl <esa...@hu...> - 2006-09-16 16:00:20
|
Snort version 2.6.0.2 --with inline.

More of a rules syntax question but I bet someone here can help...

Need to verify syntax for creating both whitelist (pass, don't log) and blacklist (drop, don't log) rules. Would this be correct for IP range 10.0.0.0/24:

White: pass ip 10.0.0.0/24 any <> any any
Black: drop ip 10.0.0.0/24 any <> any any

Thanks.

Earl |
From: Pieter V. <pie...@ab...> - 2006-09-15 14:09:15
|
Hi Joel,

The directory exists now. However it seems some packets are still logged. Is this option recently added? I'm using snort 2.4.4 (Build 28) i686

-----Original Message-----
From: Joel Esler [mailto:joe...@so...]
Sent: Friday 15 September 2006 15:06
To: Pieter Vanmeerbeek
Cc: sno...@li...
Subject: Re: [Snort-inline-users] Disable logging

Pieter,

The directory must still exist, or you'll have to point it to a different directory with the -l tag.

Joel

Pieter Vanmeerbeek wrote:
> Doesn't seem to help :
>
> Snort.conf
> ....
> preprocessor sfportscan: proto { all } \
>     memcap { 10000000 } \
>     sense_level { low }
> preprocessor xlink2state: ports { 25 691 }
> output log_null
> include classification.config
> include reference.config
> config checksum_mode: none
> include /ub/pkg/ips/rules/dos.rules
> include /ub/pkg/ips/rules/scan.rule
> .....
>
> snort -Q -s -c /ub/etc/ips/snort.conf
>
> gives :
>
> ...
> Drop Packets (inline only): NO
> 2833 Snort rules read...
> 2833 Option Chains linked into 212 Chain Headers
> 0 Dynamic rules
> +++++++++++++++++++++++++++++++++++++++++++++++++++
>
> ERROR:
> [!] ERROR: Can not get write access to logging directory "/var/log/snort".
> (directory doesn't exist or permissions are set incorrectly
> or it is not a directory at all)
> ...
>
> Kind regards,
> Pieter
>
> -----Original Message-----
> From: biotechisgodzilla.wifebeater [mailto:bio...@gm...]
> Sent: Friday 15 September 2006 18:25
> To: Pieter Vanmeerbeek
> Subject: Re: [Snort-inline-users] Disable logging
>
> hi Pieter
> try to put the directive:
> output log_null
>
> into your snort.conf file
>
> regards,
> .mike
>
> On Fri, 2006-09-15 at 10:51 +0200, Pieter Vanmeerbeek wrote:
>> Hi,
>>
>> Is it possible to disable snort logging? I only want alerts to be visible using syslog. I'm not interested in dumps of analysed traffic.
>>
>> However if I start snort using
>>
>> snort -Q -s -c /ub/etc/ips/snort.conf
>>
>> snort complains about writing to /var/log/snort
>>
>> kind regards,
>> Pieter

--
+---------------------------------------------------------------------+
Joel Esler Senior Security Consultant 1-706-627-2101
Sourcefire Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
GPG Key http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+

--
---------------------------------------------------
Able: 1996-2006: already 10 safe years in YOUR company!

aXs GUARD has completed security and anti-virus checks on this e-mail (http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087
RPR Mechelen |
From: Pieter V. <pie...@ab...> - 2006-09-15 12:56:11
|
Doesn't seem to help :

Snort.conf
....
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
preprocessor xlink2state: ports { 25 691 }
output log_null
include classification.config
include reference.config
config checksum_mode: none
include /ub/pkg/ips/rules/dos.rules
include /ub/pkg/ips/rules/scan.rule
.....

snort -Q -s -c /ub/etc/ips/snort.conf

gives :

...
Drop Packets (inline only): NO
2833 Snort rules read...
2833 Option Chains linked into 212 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

ERROR:
[!] ERROR: Can not get write access to logging directory "/var/log/snort".
(directory doesn't exist or permissions are set incorrectly
or it is not a directory at all)
...

Kind regards,
Pieter

-----Original Message-----
From: biotechisgodzilla.wifebeater [mailto:bio...@gm...]
Sent: Friday 15 September 2006 18:25
To: Pieter Vanmeerbeek
Subject: Re: [Snort-inline-users] Disable logging

hi Pieter
try to put the directive:
output log_null

into your snort.conf file

regards,
.mike

On Fri, 2006-09-15 at 10:51 +0200, Pieter Vanmeerbeek wrote:
> Hi,
>
> Is it possible to disable snort logging? I only want alerts to be visible using syslog. I'm not interested in dumps of analysed traffic.
>
> However if I start snort using
>
> snort -Q -s -c /ub/etc/ips/snort.conf
>
> snort complains about writing to /var/log/snort
>
> kind regards,
> Pieter |
From: Pieter V. <pie...@ab...> - 2006-09-15 08:51:09
|
Hi,

Is it possible to disable snort logging? I only want alerts to be visible using syslog. I'm not interested in dumps of analysed traffic.

However if I start snort using

snort -Q -s -c /ub/etc/ips/snort.conf

snort complains about writing to /var/log/snort

kind regards,
Pieter |
From: Cesar F. F. <ces...@t-...> - 2006-09-12 03:12:45
|
I will be out of the office from 11/09/2006 and will not return until 15/09/2006. |
From: Will M. <wil...@gm...> - 2006-09-11 19:39:24
|
Ummm, for what? snort_inline as a whole, preprocs, certain rules, what do you mean?

Regards,

Will

On 9/11/06, Bill Warren <bw...@op...> wrote:
>
> Is there a way to white list an IP? I am running snort-inline 2.4.5a.
> --
>
> Bill Warren
>
> Network Systems Administrator
> Optivel, Inc.
> 317.275.2305 office
> 317.523.8468 cell
> www.optivel.com |
From: Bill W. <bw...@op...> - 2006-09-11 17:54:46
|
Is there a way to white list an IP? I am running snort-inline 2.4.5a.
--

Bill Warren

Network Systems Administrator
Optivel, Inc.
317.275.2305 office
317.523.8468 cell
www.optivel.com |
From: Will M. <wil...@gm...> - 2006-09-01 20:44:29
|
Use sticky-drop; see the Inline readme in the doc/ directory in the source tarball.

Regards,

Will

On 9/1/06, Eduardo Gomez Garreaud <ed...@pc...> wrote:
>
> Hello all
> I need to figure out how I can drop nmap scans going to my network.
> Snort is receiving without problem the traffic sent through iptables
> iptables -P FORWARD DROP
> iptables -A FORWARD -j QUEUE
> I can block incoming ftp connections with ftp.rules, also I can block email containing .exe attachments supposed to be viruses.
> But everyone who makes an nmap -sS to one host of my network gets the list of open ports.
> (The nmap scan is detected but is not dropped)
> "I have set all the rules to fit the DROP policy"
> icmp.rules
> drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:4;)
>
> Here is my snort.conf
> var HOME_NET any
>
> var HONEYNET any
> var EXTERNAL_NET any
> var SMTP_SERVERS any
> var TELNET_SERVERS any
> var HTTP_SERVERS any
> var SQL_SERVERS any
> var HTTP_PORTS 80
> var SHELLCODE_PORTS !80
> var ORACLE_PORTS 1521
> config checksum_mode: none
> var RULE_PATH /etc/snort/rules
> # config layer2resets: 00:06:76:DD:5F:E3
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: disable_evasion_alerts
> preprocessor stream4_reassemble: both
> preprocessor http_inspect: global \
>     iis_unicode_map unicode.map 1252
> preprocessor http_inspect_server: server default \
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>
> preprocessor rpc_decode: 111 32771
> preprocessor bo
> preprocessor telnet_decode
>
> preprocessor sfportscan: proto { all } \
>     memcap { 10000000 } \
>     sense_level { low }
>
> output alert_full: snort_inline-full
> output alert_fast: snort_inline-fast
>
> #output log_tcpdump: tcpdump.log
>
> # Include classification & priority settings
> include $RULE_PATH/classification.config
> include $RULE_PATH/reference.config
>
> ### The Drop Rules
> # Enabled
> include $RULE_PATH/exploit.rules
> #include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> #include $RULE_PATH/telnet.rules
> include $RULE_PATH/rpc.rules
> #include $RULE_PATH/rservices.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> #include $RULE_PATH/tftp.rules
> #include $RULE_PATH/web-cgi.rules
> #include $RULE_PATH/web-coldfusion.rules
> #include $RULE_PATH/web-iis.rules
> #include $RULE_PATH/web-frontpage.rules
> #include $RULE_PATH/web-misc.rules
> #include $RULE_PATH/web-client.rules
> #include $RULE_PATH/web-php.rules
> #include $RULE_PATH/sql.rules
> #include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> #include $RULE_PATH/netbios.rules
> #include $RULE_PATH/oracle.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/snmp.rules
> include $RULE_PATH/smtp.rules
> #include $RULE_PATH/imap.rules
> include $RULE_PATH/pop3.rules
> #include $RULE_PATH/pop2.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/virus.rules
> #include $RULE_PATH/nntp.rules
>
> Thank you very much |
From: Eduardo G. G. <ed...@pc...> - 2006-09-01 17:38:31
|
Hello all

I need to figure out how I can drop nmap scans going to my network.
Snort is receiving without problem the traffic sent through iptables

iptables -P FORWARD DROP
iptables -A FORWARD -j QUEUE

I can block incoming ftp connections with ftp.rules, also I can block email containing .exe attachments supposed to be viruses.
But everyone who makes an nmap -sS to one host of my network gets the list of open ports.
(The nmap scan is detected but is not dropped)
"I have set all the rules to fit the DROP policy"

icmp.rules
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:4;)

Here is my snort.conf

var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
config checksum_mode: none
var RULE_PATH /etc/snort/rules
# config layer2resets: 00:06:76:DD:5F:E3
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    sense_level { low }
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast
#output log_tcpdump: tcpdump.log
# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
#include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
#include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
#include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-misc.rules
#include $RULE_PATH/web-client.rules
#include $RULE_PATH/web-php.rules
#include $RULE_PATH/sql.rules
#include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
#include $RULE_PATH/netbios.rules
#include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
#include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
#include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
#include $RULE_PATH/nntp.rules

Thank you very much |
From: Alfredo O. <ao...@tu...> - 2006-08-10 02:01:06
|
Thanks Tut....I really appreciate your help on this. I will go the cron route as you suggested.

Many thanks and regards,....Alfredo

----- Original Message -----
From: "Tut" <tut...@pa...>
To: "Alfredo Osorio" <ao...@tu...>
Cc: <sno...@li...>
Sent: Wednesday, August 09, 2006 9:42 PM
Subject: Re: [Snort-inline-users] Bypassing a domain name using IPTABLES

> Hi Alfredo,
>
> I don't think that there is any capability for iptables to handle that situation. Seems that you need for it to do a DNS reverse lookup on every new connection attempt and there's nothing in iptables to handle that.
>
> One possibility is to use the mac-address filter in iptables. Only useful if all connections from that site come in on a gateway you can uniquely identify by mac address.
>
> Otherwise, a cronjob to resolve the name every few minutes, and update the iptables rule whenever the IP changes.
>
> tut.
>
> On Wed, 09 Aug 2006 09:13:16 -0400 Alfredo Osorio <ao...@tu...> wrote:
>
> > Tut: Thanks for the guidance. Changing IPs are indeed the problem. As you suggest the DNS query that iptables uses gets a valid IP but this IP changes quickly (likely bcs of load balancing) and thus the new packets with the new IP go to QUEUE directly. Any ideas on how to solve this? In other words, how to avoid a specific domain's traffic from going to QUEUE when all we know is the domain name? Is this even possible given DNS resolution limitations? Many thanks....Alfredo
> >
> > ps: Here's the setting of why I'm trying to do this. We have snort_inline in our office protecting all incoming and outgoing connections (all ports). We also use a third party offsite server on dynamic DNS. I would like the traffic to the offsite server to be bypassed from snort.
> >
> > ----- Original Message -----
> > From: "Tut" <tut...@pa...>
> > To: "Alfredo Osorio" <ao...@tu...>
> > Cc: <sno...@li...>
> > Sent: Tuesday, August 08, 2006 10:54 PM
> > Subject: Re: [Snort-inline-users] Bypassing a domain name using IPTABLES
> >
> > > hmmm, That should work, my guess is that using a name in the rule is the problem. It's generally a bad idea to make iptables use DNS to resolve names in the rules. Only the ip address that is returned when you add the rule is included in the rule.
> > >
> > > If you use <iptables -L FORWARD -n -v> after adding the accept rule which specifies a name, you'll find that the rule iptables has added has resolved the name to an IP address, and saved that, not the name. This activity is hidden if you list the rules without the -n parameter, because the reverse lookup is resolving the IP back to the name. So the rule will only match when that particular IP is returned when you connect to it.
> > >
> > > tut.
> > >
> > > On Tue, 08 Aug 2006 20:51:57 -0400 Alfredo Osorio <ao...@tu...> wrote:
> > >
> > > > Thanks Tut....That was my first thought too but no go...I tried...
> > > >
> > > > iptables -F
> > > > iptables -A FORWARD -d www.safedomain.com -j ACCEPT
> > > > iptables -A FORWARD -s www.safedomain.com -j ACCEPT
> > > > iptables -A FORWARD -j QUEUE
> > > >
> > > > However, everything is going to queue despite the two accept lines above it....Clearly there's something about the sequencing of iptables (or the FORWARD chain) that I don't understand.....Alfredo
> > > >
> > > > ----- Original Message -----
> > > > From: "Tut" <tut...@pa...>
> > > > To: <sno...@li...>
> > > > Sent: Tuesday, August 08, 2006 8:25 PM
> > > > Subject: Re: [Snort-inline-users] Bypassing a domain name using IPTABLES
> > > >
> > > > > Why would you use mangle and mark for this? Surely you could just insert a rule prior to your QUEUE target, for the traffic you want to bypass snort inline, and just ACCEPT it?
> > > > >
> > > > > tut.
> > > > >
> > > > > On Tue, 08 Aug 2006 20:11:16 -0400 Alfredo Osorio <ao...@tu...> wrote:
> > > > >
> > > > > > Hello everyone...
> > > > > >
> > > > > > Does anyone have any experience using iptables to detect traffic from a specific domain and not send this traffic to QUEUE - so effectively bypassing snort-inline only for this type of traffic? I have tried multiple iptables commands (I'm new to iptables) without success. The commands below are patterned after info I found on previous postings.
> > > > > >
> > > > > > # Mark all New incoming traffic as 1
> > > > > > iptables -t mangle -A FORWARD -m state --state NEW -j MARK --set-mark 1
> > > > > >
> > > > > > # Mark New traffic from/to target domain as 2
> > > > > > iptables -t mangle -A FORWARD -m state --state NEW -d www.safedomain.com -j MARK --set-mark 2
> > > > > > iptables -t mangle -A FORWARD -m state --state NEW -s www.safedomain.com -j MARK --set-mark 2
> > > > > >
> > > > > > # Mark all Established traffic as 1
> > > > > > iptables -t mangle -A FORWARD -m state --state ESTABLISHED -j MARK --set-mark 1
> > > > > >
> > > > > > # Mark Established traffic from/to target domain as 2
> > > > > > iptables -t mangle -A FORWARD -d www.safedomain.com -m state --state ESTABLISHED -j MARK --set-mark 2
> > > > > > iptables -t mangle -A FORWARD -s www.safedomain.com -m state --state ESTABLISHED -j MARK --set-mark 2
> > > > > >
> > > > > > #Accept or send to QUEUE depending on mark
> > > > > > iptables -I FORWARD -m mark --mark 2 -j ACCEPT
> > > > > > iptables -I FORWARD -m mark --mark 1 -j QUEUE
> > > > > >
> > > > > > I'm not using whitelists within snort-inline to do this as I want to avoid having to restart snort. Also the ip ranges for www.safedomain.com may change constantly because of dynamic dns.
> > > > > >
> > > > > > Any thoughts would be greatly appreciated.....Regards,....Alfredo |
From: Tut <tut...@pa...> - 2006-08-10 01:41:29
|
Hi Alfredo,

I don't think that there is any capability for iptables to handle that
situation. Seems that you need for it to do a DNS reverse lookup on every
new connection attempt and there's nothing in iptables to handle that.

One possibility is to use the mac-address filter in iptables. Only useful
if all connections from that site come in on a gateway you can uniquely
identify by mac address.

Otherwise, a cronjob to resolve the name every few minutes, and update the
iptables rule whenever the IP changes.

tut.

On Wed, 09 Aug 2006 09:13:16 -0400
Alfredo Osorio <ao...@tu...> wrote:

> Tut: Thanks for the guidance. Changing IPs are indeed the problem. As
> you suggest the DNS query that iptables uses gets a valid IP but
> this IP changes quickly (likely bcs of load balancing) and thus the
> new packets with the new IP go to QUEUE directly. Any ideas on how to
> solve this? In other words, how to avoid a specific domain's traffic
> from going to QUEUE when all we know is the domain name? Is this even
> possible given DNS resolution limitations? Many thanks....Alfredo
>
> ps: Here's the setting of why I'm trying to do this. We have
> snort_inline in our office protecting all incoming and outgoing
> connections (all ports). We also use a third party offsite server on
> dynamic DNS. I would like the traffic to the offsite server to be
> bypassed from snort.
>
> ----- Original Message -----
> From: "Tut" <tut...@pa...>
> To: "Alfredo Osorio" <ao...@tu...>
> Cc: <sno...@li...>
> Sent: Tuesday, August 08, 2006 10:54 PM
> Subject: Re: [Snort-inline-users] Bypassing a domain name using IPTABLES
>
>
> > hmmm, That should work, my guess is that using a name in the rule is
> > the problem. It's generally a bad idea to make iptables use DNS to
> > resolve names in the rules. Only the ip address that is returned
> > when you add the rule is included in the rule.
> >
> > If you use <iptables -L FORWARD -n -v> after adding the accept rule
> > which specifies a name, you'll find that the rule iptables has added
> > has resolved the name to an IP address, and saved that, not the
> > name. This activity is hidden if you list the rules without the -n
> > parameter, because the reverse lookup is resolving the IP back to
> > the name. So the rule will only match when that particular IP is
> > returned when you connect to it.
> >
> > tut.
> >
> > On Tue, 08 Aug 2006 20:51:57 -0400
> > Alfredo Osorio <ao...@tu...> wrote:
> >
> > > Thanks Tut....That was my first thought too but no go...I tried...
> > >
> > > iptables -F
> > > iptables -A FORWARD -d www.safedomain.com -j ACCEPT
> > > iptables -A FORWARD -s www.safedomain.com -j ACCEPT
> > > iptables -A FORWARD -j QUEUE
> > >
> > > However, everything is going to queue despite the two accept lines
> > > above it....Clearly there's something about the sequencing of
> > > iptables (or the FORWARD chain) that I don't
> > > understand.....Alfredo
> > >
> > > ----- Original Message -----
> > > From: "Tut" <tut...@pa...>
> > > To: <sno...@li...>
> > > Sent: Tuesday, August 08, 2006 8:25 PM
> > > Subject: Re: [Snort-inline-users] Bypassing a domain name using IPTABLES
> > >
> > >
> > > > Why would you use mangle and mark for this? Surely you could
> > > > just insert a rule prior to your QUEUE target, for the traffic
> > > > you want to bypass snort inline, and just ACCEPT it?
> > > >
> > > > tut.
> > > >
> > > > On Tue, 08 Aug 2006 20:11:16 -0400 Alfredo Osorio
> > > > <ao...@tu...> wrote:
> > > >
> > > > > Hello everyone...
> > > > >
> > > > > Does anyone have any experience using iptables to detect
> > > > > traffic from a specific domain and not send this traffic to
> > > > > QUEUE - so effectively bypassing snort-inline only for this
> > > > > type of traffic? I have tried multiple iptables commands (I'm
> > > > > new to iptables) without success. The commands below are
> > > > > patterned after info I found on previous postings.
> > > > >
> > > > > # Mark all New incoming traffic as 1
> > > > > iptables -t mangle -A FORWARD -m state --state NEW -j MARK --set-mark 1
> > > > >
> > > > > # Mark New traffic from/to target domain as 2
> > > > > iptables -t mangle -A FORWARD -m state --state NEW -d www.safedomain.com -j MARK --set-mark 2
> > > > > iptables -t mangle -A FORWARD -m state --state NEW -s www.safedomain.com -j MARK --set-mark 2
> > > > >
> > > > > # Mark all Established traffic as 1
> > > > > iptables -t mangle -A FORWARD -m state --state ESTABLISHED -j MARK --set-mark 1
> > > > >
> > > > > # Mark Established traffic from/to target domain as 2
> > > > > iptables -t mangle -A FORWARD -d www.safedomain.com -m state --state ESTABLISHED -j MARK --set-mark 2
> > > > > iptables -t mangle -A FORWARD -s www.safedomain.com -m state --state ESTABLISHED -j MARK --set-mark 2
> > > > >
> > > > > #Accept or send to QUEUE depending on mark
> > > > > iptables -I FORWARD -m mark --mark 2 -j ACCEPT
> > > > > iptables -I FORWARD -m mark --mark 1 -j QUEUE
> > > > >
> > > > > I'm not using whitelists within snort-inline to do this as I
> > > > > want to avoid having to restart snort. Also the ip ranges for
> > > > > www.safedomain.com may change constantly because of dynamic
> > > > > dns.
> > > > >
> > > > > Any thoughts would be greatly
> > > > > appreciated.....Regards,....Alfredo
> > > > >
>
|
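Tut's last suggestion (a cron job that re-resolves the name every few minutes and rewrites the rule when the address changes) carried through as an added example; this is not code from the thread. It keeps the chain layout Tut recommended (ACCEPT rules inserted ahead of the QUEUE rule in FORWARD), and the state-file path and the `-m comment` tag are assumptions of this example.

```python
"""Cron job: keep iptables ACCEPT rules in sync with a dynamic-DNS name so
its traffic is accepted ahead of the QUEUE rule and never reaches snort_inline.
Added example, not code from the thread; STATE path and TAG are hypothetical."""
import json, socket, subprocess, sys
from pathlib import Path

STATE = Path("/var/lib/snort-bypass/ips.json")  # hypothetical: IPs from last run
CHAIN = "FORWARD"
TAG = "snort-bypass"  # hypothetical comment tag, visible in iptables -L -n -v

def resolve(name):
    """Current IPv4 addresses for name: the lookup iptables does only once
    at rule-insertion time, repeated here on every run."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}

def rule(direction, ip):
    """Argument tail of an ACCEPT rule matching ip as destination or source."""
    flag = "-d" if direction == "dst" else "-s"
    return [CHAIN, flag, ip, "-m", "comment", "--comment", TAG, "-j", "ACCEPT"]

def plan(old, new):
    """iptables commands turning the rules for `old` into rules for `new`.
    New addresses are inserted at the head of the chain (-I) so they sit
    before the QUEUE rule; addresses that dropped out of DNS are deleted (-D)
    so only the currently published IPs bypass inspection."""
    cmds = []
    for ip in sorted(new - old):
        for d in ("dst", "src"):
            cmds.append(["iptables", "-I"] + rule(d, ip))
    for ip in sorted(old - new):
        for d in ("dst", "src"):
            cmds.append(["iptables", "-D"] + rule(d, ip))
    return cmds

def refresh(name, run=subprocess.run):
    """Resolve name, apply the changes, record the new set; returns the number
    of iptables commands executed (0 when the address set is unchanged)."""
    old = set(json.loads(STATE.read_text())) if STATE.exists() else set()
    new = resolve(name)
    cmds = plan(old, new)
    for c in cmds:
        run(c, check=True)
    STATE.parent.mkdir(parents=True, exist_ok=True)
    STATE.write_text(json.dumps(sorted(new)))
    return len(cmds)

if __name__ == "__main__":
    print(refresh(sys.argv[1] if len(sys.argv) > 1 else "www.safedomain.com"))
```

The bypass is only as trustworthy as the DNS answer, so point the box at a resolver you control; a connection still open on an address that dropped out of DNS simply falls back to the QUEUE path and is inspected again rather than dropped.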