From: Peter S. <de...@si...> - 2005-08-08 14:29:58

Hi,
as far as I know, the preprocessor stream4 works fine, it just processes the data after the content matching and dropping occurs. Thus it will not be able to capture a telnet session if a word is required, because it can only capture packets as they enter the system. Original snort does the tcp streaming then content matches, hence the packets will be captured.

Pete

Pieter Vanmeerbeek wrote:
> Can you give me a state on preprocessor functionality and snort-inline
> use?
> I.e. what works and what doesn't work?
>
> Kind regards,
> Pieter
>
> Will Metcalf wrote:
>
>> This is what stream4inline is trying to accomplish, we are still
>> trying to rewrite this. The reassembly in the vanilla stream4 does
>> reassembly after the packets have passed which doesn't do us any good
>> in inline mode. We have a whole new set of problems to deal with when
>> doing reassembly in inline mode, the most prevalent is dealing with in
>> window, out of sequence packets.
>>
>> Regards,
>>
>> Will
>
> --
> NEW: aXs GUARD hands-on Trainings v.7.0 more info at
> http://www.axsguard.com/indextraining.htm
>
> aXs GUARD has completed security and anti-virus checks on this e-mail
> (http://www.axsguard.com)
> ---------------------------------------------------
> Able NV: ond.nr 0457.938.087
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Pieter V. <pv...@ab...> - 2005-08-08 09:31:55

Can you give me a state on preprocessor functionality and snort-inline use? I.e. what works and what doesn't work?

Kind regards,
Pieter

Will Metcalf wrote:
> This is what stream4inline is trying to accomplish, we are still
> trying to rewrite this. The reassembly in the vanilla stream4 does
> reassembly after the packets have passed which doesn't do us any good
> in inline mode. We have a whole new set of problems to deal with when
> doing reassembly in inline mode, the most prevalent is dealing with in
> window, out of sequence packets.
>
> Regards,
>
> Will
From: Pieter V. <pv...@ab...> - 2005-08-08 07:29:02

Hi,

I'm experimenting with snort and the flex resp. I want to compare the working/load differences between snort with flex resp and snort_inline with drop. I modified all rules (default rules) with oinkmaster to include resp:rst_snd. While running snort I got the following error:

ERROR: /ub/pkg/ips/rules/bad-traffic.rules(30): Can't respond to IP protocol rules

This is the run command:

/snort -i eth1 -b -s -l /data/system-logs/ipsdetail -c /ub/etc/ips/snort.conf

This is the rule at line 30:

alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;resp:rst_snd;)

My snort.conf file is default except for the rule path; the variables are set as:

var HOME_NET 195.0.83.244
var EXTERNAL_NET any
var DNS_SERVERS [any]
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /ub/pkg/ips/rules

Can anyone tell me what I did wrong? There is no specific string to match in the rule, only dest 127.0.0.0/8 is matched. The rule file says:

# These signatures are representative of traffic that should never be seen on
# any network. None of these signatures include datagram content checking
# and are extremely quick signatures

So there shouldn't be a problem in blocking all matches.

kind regards,
Pieter

--
Pieter Vanmeerbeek
R&D Engineer
---------------------------------------------------
Able N.V.                      Tel: +32(0)15 50.44.00
Dellingstraat 28b              Fax: +32(0)15.50.44.09
B-2800 Mechelen                http://www.axsguard.com
http://www.doITsafe.net
aXs GUARD - internet communication appliance
---------------------------------------------------
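An added check for the class of error Pieter hit above (example code written for this archive, not from the thread or from the Snort project): a small rule-file linter that parses each rule's protocol and options and reports resp: on an ip protocol rule, the case snort rejects with "Can't respond to IP protocol rules". The sid:528 line is the one quoted in the thread; the other sample rules are constructed, and the rst_* on UDP warning is this example's own heuristic, not a check snort performs.

```python
import re

# Constructed sample rules file. The sid:528 line is the bad-traffic.rules
# entry quoted in the thread; the remaining rules are made up for the demo.
SAMPLE_RULES = """\
# Loopback traffic should never be seen on the wire.
alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;resp:rst_snd;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET constructed example"; content:"to su root"; sid:9000001; rev:1; resp:rst_all;)
alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS constructed example"; sid:9000002; rev:1; resp:rst_snd;)
alert udp $EXTERNAL_NET any -> $SNMP_SERVERS 161 (msg:"SNMP constructed example"; sid:9000003; rev:1; resp:icmp_port;)
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"inline drop, no resp"; sid:9000004; rev:1;)
"""

# action  proto  header ... ( options )
RULE_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+([^(]*?)\s*\((.*)\)\s*$")


def split_options(body):
    """Split a rule body on ';' while leaving ';' inside quoted strings alone."""
    parts, cur, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_rule(line):
    """Return a dict for one Snort rule line, or None if the line is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    action, proto, header, body = m.groups()
    options = []
    for item in split_options(body):
        name, sep, value = item.partition(":")
        # Flag-style options such as "nocase" have no value.
        options.append((name.strip(), value.strip() if sep else None))
    return {"action": action, "proto": proto.lower(), "header": header, "options": options}


def lint_rules(text):
    """Return (line_no, sid, level, message) for every resp: usage that cannot
    work as written. Comments, blank lines and unparseable lines are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        rule = parse_rule(stripped)
        if rule is None:
            continue
        opts = dict(rule["options"])
        sid = opts.get("sid", "?")
        resp = opts.get("resp")
        if resp is None:
            continue
        if rule["proto"] == "ip":
            # The case that produced the "Can't respond to IP protocol rules" error.
            findings.append((line_no, sid, "ERROR",
                             "resp: on an 'ip' protocol rule is rejected by snort"))
        elif rule["proto"] == "udp" and "rst_" in resp:
            # Heuristic of this example: rst_* sends TCP resets, which cannot
            # tear down a UDP exchange; icmp_* is the UDP-side response.
            findings.append((line_no, sid, "WARN",
                             "rst_* response on a UDP rule sends TCP RSTs; use icmp_* instead"))
    return findings


if __name__ == "__main__":
    for line_no, sid, level, message in lint_rules(SAMPLE_RULES):
        print(f"line {line_no} sid {sid}: {level}: {message}")
```

Run it against a real rules directory by reading each .rules file and passing its text to lint_rules; anything reported as ERROR would stop snort at startup exactly as in the message above.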
From: Peter S. <de...@si...> - 2005-08-08 05:51:15

I can see the problems, I just wanted to clarify the situation. Would you recommend having two snorts running then, one in inline mode and one in normal mode, to deal with all the alerts? Presumably all detection, even logging and alerting, is performed before stream4 does its reassembly. I suppose for logging purposes you could configure snort to log the entire stream as a single raw data stream and then check that against the signatures; sure, not much of an IPS routine, but it would enable you to have logging on these packets?

Thank you for your reply, you have saved me a lot of searching. Do you think that reassembly before detection will be implemented soon?

Pete

Will Metcalf wrote:
> This is what stream4inline is trying to accomplish, we are still
> trying to rewrite this. The reassembly in the vanilla stream4 does
> reassembly after the packets have passed which doesn't do us any good
> in inline mode. We have a whole new set of problems to deal with when
> doing reassembly in inline mode, the most prevalent is dealing with in
> window, out of sequence packets.
>
> Regards,
>
> Will
>
> On 8/5/05, Peter Savage <de...@si...> wrote:
>
>> Hi,
>> I have been running snort_inline for some time now and was recently
>> approached by someone to write a rule similar to the "to su root"
>> content rule present in the telnet rules.
>> I tried to create a rule that would match a word but this does not
>> occur. A single character however, will be matched successfully. I
>> presume this is due to the way that telnet sessions work, ie, separate
>> packets for each character typed. I looked into this further and saw
>> that stream4 should be able to reassemble the packets into the stream.
>> Is content checking able to be done on this stream?
>> My snort_inline.conf is a default apart from a change to where the rules
>> are located.
>> Any assistance?
>> Pete
From: Will M. <wil...@gm...> - 2005-08-08 05:09:46

This is what stream4inline is trying to accomplish, we are still trying to rewrite this. The reassembly in the vanilla stream4 does reassembly after the packets have passed which doesn't do us any good in inline mode. We have a whole new set of problems to deal with when doing reassembly in inline mode, the most prevalent is dealing with in window, out of sequence packets.

Regards,

Will

On 8/5/05, Peter Savage <de...@si...> wrote:
> Hi,
> I have been running snort_inline for some time now and was recently
> approached by someone to write a rule similar to the "to su root"
> content rule present in the telnet rules.
> I tried to create a rule that would match a word but this does not
> occur. A single character however, will be matched successfully. I
> presume this is due to the way that telnet sessions work, ie, separate
> packets for each character typed. I looked into this further and saw
> that stream4 should be able to reassemble the packets into the stream.
> Is content checking able to be done on this stream?
> My snort_inline.conf is a default apart from a change to where the rules
> are located.
> Any assistance?
> Pete
From: Geoffrey L. [F. C. <gl...@fr...> - 2005-08-07 03:37:36

Yes, just a typo, I thought snortinline was just a module of snort. Will the snortinline build *lack* things that vanilla snort has? Maybe I'm missing something? To better understand snort I would like to know the reasons. Thanks again.

Ken Garland wrote:
> Javier Reyna Padilla wrote:
>
>>> When talking about snort there is only IDS (Intrusion Detection
>>> System) and IPS (Intrusion Prevention System). Are you looking at
>>> purchasing the Netscreen device? If so look up more information on
>>> their site that explains what it does and try to relate it to either
>>> IDS or IPS in snort.
>>
>> Thanks Ken, but I am not looking to purchase a device. I was just
>> reading the initial email from Geoffrey and textually it is:
>>
>> I read in the README.inline that if you want to
>> use your machine as an IPS as well as IDP you should use two snort
>> instances with separate rules? I am not sure if I am reading this
>>
>> So he talks about IPS and IDP, not IPS and IDS, maybe it is just a
>> typo from Geoffrey. That is my doubt.
>
> Ha! I need some new glasses maybe. ;)

--
Freedom Computers;
Geoffrey D. Levy, GCIA
gl...@fr...
www.freedomcomputers.ca
Phone: (403)710-7147
Fax: (403)251-4517

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.1/64 - Release Date: 8/4/2005
From: Peter S. <de...@si...> - 2005-08-05 22:36:25

Hi,
I have been running snort_inline for some time now and was recently approached by someone to write a rule similar to the "to su root" content rule present in the telnet rules.
I tried to create a rule that would match a word but this does not occur. A single character however, will be matched successfully. I presume this is due to the way that telnet sessions work, ie, separate packets for each character typed. I looked into this further and saw that stream4 should be able to reassemble the packets into the stream. Is content checking able to be done on this stream?
My snort_inline.conf is a default apart from a change to where the rules are located.
Any assistance?
Pete
From: Ken G. <ken...@ro...> - 2005-08-05 19:16:47

Javier Reyna Padilla wrote:
>> When talking about snort there is only IDS (Intrusion Detection
>> System) and IPS (Intrusion Prevention System). Are you looking at
>> purchasing the Netscreen device? If so look up more information on
>> their site that explains what it does and try to relate it to either
>> IDS or IPS in snort.
>
> Thanks Ken, but I am not looking to purchase a device. I was just
> reading the initial email from Geoffrey and textually it is:
>
> I read in the README.inline that if you want to
> use your machine as an IPS as well as IDP you should use two snort
> instances with separate rules? I am not sure if I am reading this
>
> So he talks about IPS and IDP, not IPS and IDS, maybe it is just a
> typo from Geoffrey. That is my doubt.

Ha! I need some new glasses maybe. ;)
From: Javier R. P. <jr...@on...> - 2005-08-05 19:05:31

> When talking about snort there is only IDS (Intrusion Detection
> System) and IPS (Intrusion Prevention System). Are you looking at
> purchasing the Netscreen device? If so look up more information on
> their site that explains what it does and try to relate it to either
> IDS or IPS in snort.

Thanks Ken, but I am not looking to purchase a device. I was just reading the initial email from Geoffrey and textually it is:

I read in the README.inline that if you want to use your machine as an IPS as well as IDP you should use two snort instances with separate rules? I am not sure if I am reading this

So he talks about IPS and IDP, not IPS and IDS, maybe it is just a typo from Geoffrey. That is my doubt.

--
--------------------------
Javier Reyna Padilla
Consultor de Seguridad
Onlinet S.A. de C.V.
Casma 594 Col. Lindavista
C.P. 07300 México D.F.
Tel. (55) 55862613
Nextel: 24885934 ID: 45973*20
Cel: 044 55 28660731
http://www.onlinet.com.mx
---------------------------
From: Ken G. <ken...@ro...> - 2005-08-05 18:55:20

Javier Reyna Padilla wrote:
> Totally Agree!!!, but my question was not about IDS and IDP, it was
> between IDP (Intrusion Detection and Prevention) and IPS (Intrusion
> Prevention System). I think it is the same thing, but for example,
> Juniper has an appliance called Juniper Netscreen IDP, and ISS talk
> about their Proventias as IPS, but both are for the same... Did I
> explain myself? Maybe it's just the name!
>
> Ken Garland wrote:
>
>> Javier Reyna Padilla wrote:
>>
>>>>> I read in the README.inline that if you want to
>>>>> use your machine as an IPS as well as IDP you should use two snort
>>>>> instances with separate rules? I am not sure if I am reading this
>>>
>>> What is the difference between IDP and IPS? I think it is the same
>>> thing but with a different name. Is there any?
>>
>> two separate processes yes. for IDS you run plain snort, for IPS you
>> run snort in inline mode. these two function different from each
>> other and typically have separate conf files and rule directories. at
>> least this is my practice and of the systems i have seen utilizing both.

When talking about snort there is only IDS (Intrusion Detection System) and IPS (Intrusion Prevention System). Are you looking at purchasing the Netscreen device? If so look up more information on their site that explains what it does and try to relate it to either IDS or IPS in snort.

Your original question was this:

"I read in the README.inline that if you want to use your machine as an IPS as well as IDP you should use two snort instances with separate rules? I am not sure if I am reading this"

My answer is YES, you run two separate instances of Snort. One for IDS and one for IPS.
From: Geoffrey L. [F. C. <gl...@fr...> - 2005-08-05 18:47:36

2.6.x, I have the problem resolved.

> What kernel version are you using? 2.6.x or 2.4.x?
>
> On 8/4/05, Geoffrey Levy [Freedom Computers] <gl...@fr...> wrote:
>
>> Thanks for the fast email... I am having a little snag with the bridge
>> setup. I get packets when I am sending traffic to my eth0 but when I put
>> the bridge inline on my network (which consists of eth1 and eth2) I can't
>> pick up any traffic with snortinline. Now my first thought was to look
>> at EBtables but everything looks good there. Any ideas?
From: Geoffrey L. [F. C. <gl...@fr...> - 2005-08-05 18:43:34

Yes, indeed. I have figured out the problem. I didn't assign my homenet properly. Just a bit of a typo. Thanks

> Silly question, but: I assume you are using an iptables rule such as
> "iptables -A FORWARD -j QUEUE", and running snort with -Q (to listen
> to the IP queue)?
>
>> On 8/4/05, Geoffrey Levy [Freedom Computers] <gl...@fr...> wrote:
>>
>>> Thanks for the fast email... I am having a little snag with the bridge
>>> setup. I get packets when I am sending traffic to my eth0 but when I put
>>> the bridge inline on my network (which consists of eth1 and eth2) I can't
>>> pick up any traffic with snortinline. Now my first thought was to look
>>> at EBtables but everything looks good there. Any ideas?
From: Javier R. P. <jr...@on...> - 2005-08-05 15:43:03

Totally Agree!!!, but my question was not about IDS and IDP, it was between IDP (Intrusion Detection and Prevention) and IPS (Intrusion Prevention System). I think it is the same thing, but for example, Juniper has an appliance called Juniper Netscreen IDP, and ISS talk about their Proventias as IPS, but both are for the same... Did I explain myself? Maybe it's just the name!

Ken Garland wrote:
> Javier Reyna Padilla wrote:
>
>>>> I read in the README.inline that if you want to
>>>> use your machine as an IPS as well as IDP you should use two snort
>>>> instances with separate rules? I am not sure if I am reading this
>>
>> What is the difference between IDP and IPS? I think it is the same thing
>> but with a different name. Is there any?
>
> two separate processes yes. for IDS you run plain snort, for IPS you
> run snort in inline mode. these two function different from each other
> and typically have separate conf files and rule directories. at least
> this is my practice and of the systems i have seen utilizing both.
From: Ken G. <ken...@ro...> - 2005-08-05 15:29:38

Javier Reyna Padilla wrote:
>>> I read in the README.inline that if you want to
>>> use your machine as an IPS as well as IDP you should use two snort
>>> instances with separate rules? I am not sure if I am reading this
>
> What is the difference between IDP and IPS? I think it is the same thing
> but with a different name. Is there any?

two separate processes yes. for IDS you run plain snort, for IPS you run snort in inline mode. these two function different from each other and typically have separate conf files and rule directories. at least this is my practice and of the systems i have seen utilizing both.
From: Javier R. P. <jr...@on...> - 2005-08-05 15:12:02

>> I read in the README.inline that if you want to
>> use your machine as an IPS as well as IDP you should use two snort
>> instances with separate rules? I am not sure if I am reading this

What is the difference between IDP and IPS? I think it is the same thing but with a different name. Is there any?
From: Will M. <wil...@gm...> - 2005-08-05 13:21:31

On 8/5/05, Pieter Vanmeerbeek <pv...@ab...> wrote:
> OK, so in both cases it's a userland app. I checked the processor load
> and memory load in both scenarios. There seems to be no big difference.
>
> I was wondering what the actual difference between inline drop and
> flex-response is? As I understood it, in both scenarios the
> connection is closed so no packets will traverse to the network, only
> with flex-response the first and maybe a small number of packets will be
> sent to the network, as with snort-inline no packets will reach the
> network, as snort flex-response is actually a copy of the packet sent to
> the network diverted to userland.
> I also experienced some downsides with snort-inline :
> - adding an extra rule to iptables requires a hup to snort-inline to
> allow packets to traverse ( imagine an ssh session in which a firewall
> rule was added ; ok solution is not to let ssh traverse inline for ssh)
>
> - access to the machine is not possible until snort-inline is started

This is not true, you just have to add your rule before your QUEUE rules.

> - suppose snort-inline crashes for some mysterious reason ( example due
> high load and high memory usage) no traffic will be possible, same
> example with ssh which can also be solved by not sending ssh through
> inline.

I use a simple script to check and make sure snort_inline is running; if it isn't, it starts it.

#!/bin/sh
ps -ef | grep snort_inline | grep -v grep >> /dev/null || /etc/init.d/snortd start

> However not sending some traffic through snort-inline seems a clumsy
> solution to me. Is there another solution to these problems?
>
> kind regards,
> Pieter
>
> Nick Rogness wrote:
>
>>> I tested it with ICMP rules so no SYN present ;)
>>>
>>> Ok, so I better send all traffic through snort-inline.
>>> But then I get a higher load due to kernel- userland transits.
>>
>> Because snort & snort_inline are userland apps, there is no way to
>> avoid the kernel-userland overhead. There are ways to reduce it, but
>> not eliminate the basic fact that snort resides in userland.
>>
>> One would have to move snort into a kernel module to avoid this. I don't
>> know if there is a project underway to accomplish this, but most people
>> say it is not a good idea. I think, if it does happen, it moves from
>> being a software tool to a "network appliance".
>>
>>> So I'm searching for an alternative way of performing IPS with snort. I
>>> checked the snort docs again and found some alert target rules, i.e.
>>> react and resp post detection rule options, also allow blocking by snort
>>> (i.e. IPS functionality). Using these statements allow using snort
>>> normally. Are there any other ways to perform IPS with snort?
>>
>> The best (current) way to implement IPS with snort is snort_inline.
>> There are several reasons for this (IMHO):
>>
>> 1) Snort_inline is "inline" with the traffic instead of being a post
>> processor engine. This gives you the ability to react to packets and
>> ensure they are not accidentally missed. Packets could leak into your
>> network with regular snort if you are not careful.
>>
>> 2) Flex-Response does give you some similar functionality as
>> snort_inline, but it is not the same thing.
>>
>> 3) You can do some interesting things with snort_inline that are not
>> possible with snort, because traffic is not inline, such as altering
>> traffic, etc.
>>
>> 4) snort_inline is being actively developed and maintained as an IPS.
>> snort_inline is meant to function as an IPS, snort is meant to function
>> as an IDS.
>>
>>> What are the pros and contras of using snort-inline and using snort
>>> normally with the react and resp detection rules? The docs already
>>> indicate that react and resp rules will not be useful for UDP traffic.
>>
>> The difference is snort is reading from the ethernet and snort_inline
>> from a higher layer, i.e. It is all relative to what you are trying to
>> accomplish. In some cases snort will be better and in other cases
>> snort_inline will be better.
>>
>> Regular snort sees all traffic, regardless of whether it needs to or
>> not. With snort_inline, selective traffic can be inspected via the
>> firewall.
>>
>> Just my opinion.
>> Nick Rogness <ni...@ro...>
From: Victor J. <vi...@nk...> - 2005-08-05 10:42:58

Pieter Vanmeerbeek wrote:
> OK, so in both cases it's a userland app. I checked the processor load
> and memory load in both scenarios. There seems to be no big difference.
>
> I was wondering what the actual difference between inline drop and
> flex-response is? As I understood it, in both scenarios the
> connection is closed so no packets will traverse to the network, only
> with flex-response the first and maybe a small number of packets will be
> sent to the network, as with snort-inline no packets will reach the
> network, as snort flex-response is actually a copy of the packet sent to
> the network diverted to userland.

In your worst-case scenario, the few packets that will slip through while flexresp tries to tear down the connection can complete the attack.

> I also experienced some downsides with snort-inline :
> - adding an extra rule to iptables requires a hup to snort-inline to
> allow packets to traverse ( imagine an ssh session in which a firewall
> rule was added ; ok solution is not to let ssh traverse inline for ssh)

When adding _iptables_ rules? I cannot reproduce this and it doesn't make much sense to me. Snort_inline just listens to the queue, not to specific iptables rules.

> - access to the machine is not possible until snort-inline is started

True. Personally, I don't use snort_inline for ssh from trusted IP addresses.

> - suppose snort-inline crashes for some mysterious reason ( example due
> high load and high memory usage) no traffic will be possible, same
> example with ssh which can also be solved by not sending ssh through
> inline.

True, however in some cases I can imagine that this is still what you prefer. If someone can attack snort_inline so it crashes, maybe a DoS is a lesser evil than 'unprotected' access. But I admit this won't be acceptable to many.

> However not sending some traffic through snort-inline seems a clumsy
> solution to me. Is there another solution to these problems?

You could see to have some sort of watchdog that can start snort_inline if it died. Also, but this is for the future, the NFQUEUE work currently done at netfilter could be interesting, because it will allow you to run multiple instances of snort_inline, for example one for http, one for mail, etc. This might slightly reduce the risk, although it won't be gone completely.

Regards,
Victor
From: Pieter V. <pv...@ab...> - 2005-08-05 10:20:21
|
OK, so in both cases it's a userland app. I checked the processor load and
memory load in both scenarios. There seems to be no big difference.

I was wondering what the actual difference between inline drop and
flex-response is? As I understood it, in both scenarios the connection is
closed so no packets will traverse to the network, only with flex-response
the first and maybe a small number of packets will be sent to the network,
as with snort-inline no packets will reach the network, as snort
flex-response is actually a copy of the packet sent to the network diverted
to userland.

I also experienced some downsides with snort-inline:
- adding an extra rule to iptables requires a hup to snort-inline to allow
  packets to traverse (imagine an ssh session in which a firewall rule was
  added; ok, solution is not to let ssh traverse inline)
- access to the machine is not possible until snort-inline is started
- suppose snort-inline crashes for some mysterious reason (for example due
  to high load and high memory usage): no traffic will be possible, same
  example with ssh, which can also be solved by not sending ssh through
  inline.

However, not sending some traffic through snort-inline seems a clumsy
solution to me. Are there other solutions to these problems?

kind regards,
Pieter

Nick Rogness wrote:
>> I tested it with ICMP rules so no sync present ;)
>>
>> Ok, so I better send all traffic through snort-inline.
>> But then I get a higher load due to kernel-userland transits.
>
> Because snort & snort_inline are userland apps, there is no way to
> avoid the kernel-userland overhead. There are ways to reduce it, but
> not eliminate the basic fact that snort resides in userland.
>
> One would have to move snort into a kernel module to avoid this. I don't
> know if there is a project underway to accomplish this, but most people
> say it is not a good idea. I think, if it does happen, it moves from
> being a software tool to a "network appliance".
>
>> So I'm searching for an alternative way of performing IPS with snort. I
>> checked the snort docs again and found some alert target rules, i.e.
>> react and resp post detection rule options, also allow blocking by snort
>> (i.e. IPS functionality). Using these statements allows using snort
>> normally. Are there any other ways to perform IPS with snort?
>
> The best (current) way to implement IPS with snort is snort_inline.
> There are several reasons for this (IMHO):
>
> 1) Snort_inline is "inline" with the traffic instead of being a post
> processor engine. This gives you the ability to react to packets and
> ensure they are not accidentally missed. Packets could leak into your
> network with regular snort if you are not careful.
>
> 2) Flex-Response does give you some similar functionality as
> snort_inline, but it is not the same thing.
>
> 3) You can do some interesting things with snort_inline that are not
> possible with snort, because traffic is not inline, such as altering
> traffic, etc.
>
> 4) snort_inline is being actively developed and maintained as an IPS.
> snort_inline is meant to function as an IPS, snort is meant to function
> as an IDS.
>
>> What are the pros and contras of using snort-inline and using snort
>> normally with the react and resp detection rules? The docs already
>> indicate that react and resp rules will not be useful for UDP traffic.
>
> The difference is snort is reading from the ethernet and snort_inline
> from a higher layer, i.e. it is all relative to what you are trying to
> accomplish. In some cases snort will be better and in other cases
> snort_inline will be better.
>
> Regular snort sees all traffic, regardless of whether it needs to or
> not. With snort_inline, selective traffic can be inspected via the
> firewall.
>
> Just my opinion.
>
> Nick Rogness <ni...@ro...>
 |
From: Bert v. L. <ber...@gm...> - 2005-08-05 06:51:57
|
Silly question, but: I assume you are using an iptables rule such as
"iptables -A FORWARD -j QUEUE", and running snort with -Q (to listen to the
IP queue)?

> On 8/4/05, Geoffrey Levy [Freedom Computers] <gl...@fr...> wrote:
> > Thanks for the fast email... I am having a little snag with the bridge
> > setup. I get packets when I am sending traffic to my eth0 but when I put
> > the bridge inline on my network (which consists of eth1 and eth2) I can't
> > pick up any traffic with snortinline. Now my first thought was to look
> > at EBtables but everything looks good there. Any ideas?
 |
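The QUEUE rule and -Q invocation Bert asks about, combined with the trusted-address ssh bypass and the restart watchdog Victor suggests further up the thread, as an added example constructed for this archive (not the snort_inline project's own scripts). The trusted admin address, the pidfile and config paths, and the binary name used by the watchdog are assumptions.

```shell
#!/bin/sh
# Constructed example (not snort_inline project code): iptables QUEUE setup
# for a bridged inline sensor plus a small watchdog. The admin address,
# pidfile and config paths are assumptions for illustration.
IPT=${IPT:-iptables}                        # IPT=echo gives a dry run
TRUSTED_ADMIN=${TRUSTED_ADMIN:-192.0.2.10}  # documentation address (RFC 5737)
PIDFILE=${PIDFILE:-/var/run/snort_inline.pid}
CONF=${CONF:-/etc/snort_inline/snort_inline.conf}

# Management ssh from the trusted host is accepted before anything is
# queued, so a dead or not-yet-started snort_inline cannot lock the admin
# out. Everything else, bridged traffic (which traverses FORWARD when
# bridge-netfilter is active) and local traffic, goes to the QUEUE target
# and is only passed once snort_inline (-Q) has given its verdict.
gen_rules() {
    $IPT -A INPUT  -s "$TRUSTED_ADMIN" -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -d "$TRUSTED_ADMIN" -p tcp --sport 22 -j ACCEPT
    $IPT -A FORWARD -j QUEUE
    $IPT -A INPUT   -j QUEUE
    $IPT -A OUTPUT  -j QUEUE
}

# Returns 0 when the pid recorded in PIDFILE belongs to a live process,
# 1 when the file is missing, empty, or names a process that is gone.
snort_alive() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Watchdog: with QUEUE and no listener the box fails closed (every queued
# packet is dropped), so restart snort_inline as soon as it is gone.
watchdog() {
    while :; do
        if ! snort_alive; then
            logger -t snort-watchdog "snort_inline not running, restarting"
            snort_inline -Q -D -c "$CONF"    # -D: run as daemon
        fi
        sleep 5
    done
}

# "sh this_script run" (as root) installs the rules and starts the watchdog.
case "${1:-}" in run) gen_rules && watchdog ;; esac
```

Run it once with IPT=echo to review the generated rule order before installing anything.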
From: Will M. <wil...@gm...> - 2005-08-05 04:13:03
|
What kernel version are you using? 2.6.x or 2.4.x?

On 8/4/05, Geoffrey Levy [Freedom Computers] <gl...@fr...> wrote:
> Thanks for the fast email... I am having a little snag with the bridge
> setup. I get packets when I am sending traffic to my eth0 but when I put
> the bridge inline on my network (which consists of eth1 and eth2) I can't
> pick up any traffic with snortinline. Now my first thought was to look
> at EBtables but everything looks good there. Any ideas?
 |
From: Geoffrey L. [F. C. <gl...@fr...> - 2005-08-05 03:07:28
|
Thanks for the fast email... I am having a little snag with the bridge
setup. I get packets when I am sending traffic to my eth0 but when I put
the bridge inline on my network (which consists of eth1 and eth2) I can't
pick up any traffic with snortinline. Now my first thought was to look at
EBtables but everything looks good there. Any ideas?

--
Freedom Computers;
Geoffrey D. Levy, GCIA
gl...@fr...
www.freedomcomputers.ca
Phone: (403)710-7147
Fax: (403)251-4517

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.9.9/62 - Release Date: 8/2/2005
 |
From: Will M. <wil...@gm...> - 2005-08-05 02:22:00
|
On 8/4/05, Geoffrey Levy [Freedom Computers] <gl...@fr...> wrote:
> I am building a system that will use snort inline as well as log all
> alerts to a database. I read in the README.inline that if you want to
> use your machine as an IPS as well as IDP you should use two snort
> instances with separate rules? I am not sure if I am reading this
> correctly... what would be the problem with using snortinline to drop
> packets as well as send alerts for the intrusion analyst?

There is no problem, there are three rule types that apply to inline mode:
drop, sdrop, reject

drop will alert and drop the packet
sdrop will not alert and drop the packet
reject will alert and send a reset and drop the packet

I think the idea behind using a drop.rules file is to save resources, as
snort is single threaded so logging can cost a lot, i.e. introduce latency.
Not only that, but you don't want to just go out and convert all of your
rules to drop. Just like an IDS, an IPS needs to be tuned to eliminate
false positives. With an IPS the stakes are higher because you could
actually drop valid traffic if you're not careful.

> "Ideally, snort_inline will be run using only its own drop.rules. If
> you want to use Snort for just alerting, a separate process should be
> running with its own ruleset."
>
> The above message says "If you want to use Snort for JUST alerting use
> a separate process"... what about alerting AND dropping. Maybe this is a
> typo? I would hate to have to use two rule sets and two separate
> processes when I can use one.

see above, drop rule = alert + drop
 |
From: Geoffrey L. [F. C. <gl...@fr...> - 2005-08-05 01:14:59
|
I am building a system that will use snort inline as well as log all
alerts to a database. I read in the README.inline that if you want to use
your machine as an IPS as well as IDP you should use two snort instances
with separate rules? I am not sure if I am reading this correctly... what
would be the problem with using snortinline to drop packets as well as send
alerts for the intrusion analyst?

"Ideally, snort_inline will be run using only its own drop.rules. If you
want to use Snort for just alerting, a separate process should be running
with its own ruleset."

The above message says "If you want to use Snort for JUST alerting use a
separate process"... what about alerting AND dropping. Maybe this is a
typo? I would hate to have to use two rule sets and two separate processes
when I can use one.

Thanks

--
Freedom Computers;
Geoffrey D. Levy
gl...@fr...
www.freedomcomputers.ca
Phone: (403)710-7147
Fax: (403)251-4517
 |
From: Nick R. <ni...@ro...> - 2005-08-04 04:52:19
|
> I tested it with ICMP rules so no sync present ;)
>
> Ok, so I better send all traffic through snort-inline.
> But then I get a higher load due to kernel-userland transits.

Because snort & snort_inline are userland apps, there is no way to avoid
the kernel-userland overhead. There are ways to reduce it, but not
eliminate the basic fact that snort resides in userland.

One would have to move snort into a kernel module to avoid this. I don't
know if there is a project underway to accomplish this, but most people say
it is not a good idea. I think, if it does happen, it moves from being a
software tool to a "network appliance".

> So I'm searching for an alternative way of performing IPS with snort. I
> checked the snort docs again and found some alert target rules, i.e.
> react and resp post detection rule options, also allow blocking by snort
> (i.e. IPS functionality). Using these statements allows using snort
> normally. Are there any other ways to perform IPS with snort?

The best (current) way to implement IPS with snort is snort_inline. There
are several reasons for this (IMHO):

1) Snort_inline is "inline" with the traffic instead of being a post
processor engine. This gives you the ability to react to packets and ensure
they are not accidentally missed. Packets could leak into your network with
regular snort if you are not careful.

2) Flex-Response does give you some similar functionality as snort_inline,
but it is not the same thing.

3) You can do some interesting things with snort_inline that are not
possible with snort, because traffic is not inline, such as altering
traffic, etc.

4) snort_inline is being actively developed and maintained as an IPS.
snort_inline is meant to function as an IPS, snort is meant to function as
an IDS.

> What are the pros and contras of using snort-inline and using snort
> normally with the react and resp detection rules? The docs already
> indicate that react and resp rules will not be useful for UDP traffic.

The difference is snort is reading from the ethernet and snort_inline from
a higher layer, i.e. it is all relative to what you are trying to
accomplish. In some cases snort will be better and in other cases
snort_inline will be better.

Regular snort sees all traffic, regardless of whether it needs to or not.
With snort_inline, selective traffic can be inspected via the firewall.

Just my opinion.

Nick Rogness <ni...@ro...>
 |
From: Nathan L. <na...@iw...> - 2005-08-04 01:44:51
|
I'm looking for a multi-port ethernet card that can support bridging. Anyone know of such a beast? |