From: Pieter V. <pv...@ab...> - 2005-08-03 11:46:36

> No it is not a good idea, you need to send RELATED,ESTABLISHED traffic
> as well. State NEW is only valid for the first packet in a connection.
> You're going to miss a lot of traffic, actually there really shouldn't
> be data in your first syn so the only reason sneeze worked is because
> you did not use the --syn flag along with your state NEW rule in
> iptables, or you are not passing enforce_state to stream4
>
> Regards,
>
> Will

I tested it with ICMP rules so no syn present ;)

Ok, so I'd better send all traffic through snort-inline. But then I get a higher load due to kernel-userland transits. So I'm searching for an alternative way of performing IPS with snort.

I checked the snort docs again and found some alert target rules, i.e. the react and resp post-detection rule options, which also allow blocking by snort (i.e. IPS functionality). Using these statements allows using snort normally.

Are there any other ways to perform IPS with snort? What are the pros and cons of using snort-inline versus using snort normally with the react and resp detection rules? The docs already indicate that react and resp rules will not be useful for UDP traffic.

kind regards,
Pieter
Able

--
NEW: aXs GUARD hands-on Trainings v.7.0
more info at http://www.axsguard.com/indextraining.htm

aXs GUARD has completed security and anti-virus checks on this e-mail
(http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087
From: Victor J. <vi...@nk...> - 2005-08-02 16:12:07

> So basically my question is are the preprocessors still working when only
> new packets are checked and is it a good idea to only check new packets?

No, because one of the things snort and snort_inline do is check the payload of your connections against the signatures of known attacks. The syn packet in a tcp connection will have no data, or just a very limited amount when compared to the entire connection. So I would very highly recommend you to send all packets of a connection to snort_inline.

Regards,
Victor
From: Will M. <wil...@gm...> - 2005-08-02 16:08:11

> But what about detection and state? As I understood it the preprocessors
> allow tracking state for IP, TCP,.. by keeping a cache for a certain
> period. And also I suppose some rules match with specific strings not
> necessarily in the first packet of a connection?

yeah this is true

> I suppose the defragmentation checks are unnecessary as iptables will
> execute defragmentation before it is checked by its own rules. Or is
> this not true?

As long as you are tracking state.....

> So basically my question is are the preprocessors still working when only
> new packets are checked and is it a good idea to only check new packets?

No it is not a good idea, you need to send RELATED,ESTABLISHED traffic as well. State NEW is only valid for the first packet in a connection. You're going to miss a lot of traffic, actually there really shouldn't be data in your first syn so the only reason sneeze worked is because you did not use the --syn flag along with your state NEW rule in iptables, or you are not passing enforce_state to stream4

Regards,
Will
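The point Will and Victor make above, as an added illustration (not code from the list or from snort_inline): a toy model of which bytes an inline IDS actually gets to inspect when iptables only sends `--state NEW` to the QUEUE target. Conntrack is reduced to the rule the thread states (first packet of a flow is NEW, everything after it is ESTABLISHED); the flows, addresses and the signature string are constructed sample data, the signature being the `uricontent` from the WEB-IIS rule quoted elsewhere on this list.

```python
"""Added illustration, not code from the snort-inline list or project.

Models which packets reach an inline IDS under an iptables state match.
Simplified conntrack: the first packet of a flow is NEW, every later packet
of that flow is ESTABLISHED.  Flows and the signature are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    flags: str = ""       # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""

    def flow_key(self):
        # Both directions of a conversation share one conntrack entry.
        return (self.proto, frozenset((self.src, self.dst)))


def classify(packets):
    """Yield (state, packet): NEW for a flow's first packet, else ESTABLISHED."""
    seen = set()
    for p in packets:
        key = p.flow_key()
        yield ("ESTABLISHED" if key in seen else "NEW"), p
        seen.add(key)


def queued_payload(packets, states, syn_only_for_new=False):
    """Concatenate the payload of every packet the state match sends to QUEUE.

    states:            the --state list on the QUEUE rule, e.g. {"NEW"}.
    syn_only_for_new:  True models a NEW rule written as '-p tcp --syn', which
                       only ever matches a bare TCP SYN (so never ICMP)."""
    seen = b""
    for state, p in classify(packets):
        if state not in states:
            continue
        if state == "NEW" and syn_only_for_new and not (p.proto == "tcp" and p.flags == "S"):
            continue
        seen += p.payload
    return seen


SIGNATURE = b"/scripts/repost.asp"   # uricontent of the WEB-IIS rule on this list


def signature_seen(packets, states, **kw):
    """True if the IDS could match SIGNATURE under this QUEUE policy."""
    return SIGNATURE in queued_payload(packets, states, **kw)


# Constructed flows.  The HTTP request only exists in the 4th packet, after
# the handshake, so a NEW-only policy never shows it to the IDS.
TCP_FLOW = [
    Packet("tcp", "10.0.0.5", "10.0.0.80", "S"),
    Packet("tcp", "10.0.0.80", "10.0.0.5", "SA"),
    Packet("tcp", "10.0.0.5", "10.0.0.80", "A"),
    Packet("tcp", "10.0.0.5", "10.0.0.80", "PA",
           b"GET /scripts/repost.asp HTTP/1.0\r\n\r\n"),
]
# An ICMP echo test (sneeze over ICMP) carries its payload in the very first
# packet, which is why it still triggered under a NEW-only rule.
ICMP_FLOW = [
    Packet("icmp", "10.0.0.5", "10.0.0.80", payload=b"--/scripts/repost.asp--"),
]

ALL_STATES = {"NEW", "RELATED", "ESTABLISHED"}

if __name__ == "__main__":
    for name, flow in (("tcp", TCP_FLOW), ("icmp", ICMP_FLOW)):
        print(name, "NEW only:", signature_seen(flow, {"NEW"}),
              "NEW,RELATED,ESTABLISHED:", signature_seen(flow, ALL_STATES))
```

Running it shows the TCP request is invisible under `NEW` alone and visible once `RELATED,ESTABLISHED` are queued too, while the ICMP test passes under `NEW` alone only because its first packet already carries data.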
From: Pieter V. <pv...@ab...> - 2005-08-02 15:36:31

Hi,

Thanks for all the helpful info. I've got snort up and running in inline mode, tested it with sneeze and all seems to work. But I still have a question: currently only packets with state NEW (only for INPUT and FORWARD, not for OUTPUT) which are accepted by iptables are sent to snort_inline in my setup.

But what about detection and state? As I understood it the preprocessors allow tracking state for IP, TCP,.. by keeping a cache for a certain period. And also I suppose some rules match with specific strings not necessarily in the first packet of a connection?

I suppose the defragmentation checks are unnecessary as iptables will execute defragmentation before it is checked by its own rules. Or is this not true?

So basically my question is: are the preprocessors still working when only new packets are checked, and is it a good idea to only check new packets?

kind regards,
Pieter
Able

--
Pieter Vanmeerbeek
R&D Engineer
---------------------------------------------------
Able N.V.              Tel: +32(0)15 50.44.00
Dellingstraat 28b      Fax: +32(0)15.50.44.09
B-2800 Mechelen        http://www.axsguard.com
http://www.doITsafe.net
aXs GUARD - internet communication appliance
---------------------------------------------------
From: Eric S. <eri...@uo...> - 2005-08-01 19:12:03

> I don't think you should be using snort+clam or snort rules in general
> to filter out malicious attachments in mail. There are far better
> solutions for this that live on your mail gateway. If you want to use
> Clam against your mail server take a look at the clamav-milter.

I understand. In fact I'm trying to reproduce here the same approach used by the Sonicwall GAV solution. I'm doing some tests with my own libipq "module" trying to catch viruses "inline" in each packet.

I already know that there are a lot of problems with this approach like zip, a virus split across packets, etc. But the idea would be to reduce the amount of malware before it hits the internal network, email gateways, etc.

Since it's basically the same idea as snort-inline I thought that maybe we could exchange some experiences. Like, what if instead of storing username/pass, etc we just store the msg number, try to "spoof" the connection and send the DELE <num>, all of this changing the headers + payload. Anybody have any comment? Please, as I said, these are just ideas, feel free to say if they are too stupid. ;-)

[]s
Eric Scopinho
From: Eric S. <eri...@uo...> - 2005-08-01 18:58:40

> Hello!
>
> I have a problem with snort-clamav. It does not work... :(
> I think the whole configuration procedure is right (and it seems that it
> works -> no error message), but when I copy any virus, e.g. over the FTP
> protocol, snort does not generate an alert.
>
> I use Snort 2.3.3 + snort-inline + barnyard + sguil mysql backend

Are you using the eicar virus in your test? If this is true, you must change the clamav signature, because it expects the eicar signature at the beginning of the file. And this is not true, since the packet has some headers before it.

Regards,
Eric Scopinho
From: Will M. <wil...@gm...> - 2005-08-01 18:57:20

I don't think you should be using snort+clam or snort rules in general to filter out malicious attachments in mail. There are far better solutions for this that live on your mail gateway. If you want to use Clam against your mail server take a look at the clamav-milter.

Regards,
Will

On 7/29/05, Eric Scopinho <eri...@uo...> wrote:
> Hi, maybe this is a silly question, but let's say I have a rule for POP3
> blocking a malware (it can be a normal rule or using the ClamAV preprocessor).
> When an internal user tries to download the message, the packet which
> contains the malware will be dropped (NF_DROP I guess).
> But since the email is still in his mailbox, won't this stay looping
> and the user be unable to download the other messages
> until someone removes the email from his mbox?
> If the above is true, is there some way of intercepting 'transparently' the
> packet and sending a DELE msg to the POP3 Server? Maybe changing the
> payload/saddr/daddr, etc of this packet using libipq?
>
> Regards,
>
> Eric Scopinho
From: Jason <sec...@br...> - 2005-08-01 18:39:25

Eric Scopinho wrote:
> Hi, maybe this is a silly question, but let's say I have a rule for POP3
> blocking a malware (it can be a normal rule or using the ClamAV preprocessor).
> When an internal user tries to download the message, the packet which
> contains the malware will be dropped (NF_DROP I guess).
> But since the email is still in his mailbox, won't this stay looping
> and the user be unable to download the other messages
> until someone removes the email from his mbox?
> If the above is true, is there some way of intercepting 'transparently' the
> packet and sending a DELE msg to the POP3 Server? Maybe changing the
> payload/saddr/daddr, etc of this packet using libipq?
>

There are three options really.

1) write a preprocessor to handle this.
2) use replace instead of drop to render the malware ineffective
3) Catch the mail on the SMTP side and force the other mail server / malware sender to deal with it.
From: <tam...@as...> - 2005-08-01 18:28:43

Hello!

I have a problem with snort-clamav. It does not work... :(
I think the whole configuration procedure is right (and it seems that it works -> no error message), but when I copy any virus, e.g. over the FTP protocol, snort does not generate an alert.

I use Snort 2.3.3 + snort-inline + barnyard + sguil mysql backend

snort.conf
---------------
preprocessor clamav: ports all, dbdir /var/lib/clamav, dbreload-time 43200, file-descriptor-mode

Has anybody an idea?

Best regards,
Thomas
From: Nick R. <ni...@ro...> - 2005-08-01 16:56:25

Forgot to reply to list.

---------------------------- Original Message ----------------------------
Subject: Re: [Snort-inline-users] Snort_inline and POP3 loop
From: "Nick Rogness" <ni...@ro...>
Date: Sun, July 31, 2005 6:26 pm
To: "Eric Scopinho" <eri...@uo...>
--------------------------------------------------------------------------

> Hi, maybe this is a silly question, but let's say I have a rule for POP3
> blocking a malware (it can be a normal rule or using the ClamAV preprocessor).
> When an internal user tries to download the message, the packet which
> contains the malware will be dropped (NF_DROP I guess).
> But since the email is still in his mailbox, won't this stay looping
> and the user be unable to download the other messages until someone
> removes the email from his mbox?
> If the above is true, is there some way of intercepting 'transparently' the
> packet and sending a DELE msg to the POP3 Server? Maybe changing the
> payload/saddr/daddr, etc of this packet using libipq?
>

There is no way, that I know of, that this can be done without serious effort. It is "probably" possible with some form of a POP3/IMAP preprocessor.

For now, you could just REJECT,log connections where this happens, watch the logfile with some sort of parser, POP3-login as the user and send the DEL command with the message number (if you knew it).

Nick Rogness <ni...@ro...>
From: Will M. <wil...@gm...> - 2005-08-01 16:47:10

use oinkmaster, in your oinkmaster.conf enter the following line....

modifysid * "^alert" | "drop"

execute oinkmaster.pl

Wash... Rinse.... Repeat

Regards,
Will

On 8/1/05, Pieter Vanmeerbeek <pv...@ab...> wrote:
> Hi,
>
> I was wondering if somewhere an IPS rule set exists, i.e. with
> drop/reject actions instead of alert actions?
> The only rulesets I can find are IDS or standard snort rulesets.
>
> I also found a snortconverter script (snortconfig) but this script
> doesn't seem to take multiline rules into account and can only set an
> action to a specific other action instead of something like change all
> alerts to drop rules.
>
> Does anyone know where to find such information?
>
> kind regards,
> Pieter
> Able
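The rewrite Will's `modifysid` line performs, as an added example (not part of oinkmaster, snortconfig or snort_inline): it replaces the leading action of each rule with `drop`, and it also joins snort's backslash-continued multi-line rules first, which is the case Pieter found the converter script missing. Only the action word is touched; comments, blank lines and rule options pass through unchanged. `SAMPLE_RULES` is constructed test input built around the WEB-IIS rule quoted on this list.

```python
"""Added example, not part of oinkmaster or snort_inline.

Rewrites the action of snort rules (alert -> drop by default) after joining
backslash-continued lines into one logical rule per line."""

import re

# An action only counts at the start of a logical line, so a commented-out
# rule ("# alert ...") stays a comment.
ACTION_RE = re.compile(r"^(?P<lead>\s*)(?P<action>alert|log|pass)(?=\s)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def join_continuations(text):
    """Join physical lines ending in a backslash into one logical line."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:                       # dangling continuation at end of file
        logical.append(buf)
    return logical


def sid_of(rule):
    """Return the rule's sid as an int, or None if it has none."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def convert_rules(text, new_action="drop", only_sids=None, from_actions=("alert",)):
    """Return (rewritten text, number of rules changed).

    only_sids: restrict the rewrite to these sids (None = every rule), the
    per-rule equivalent of 'modifysid <sid>' instead of 'modifysid *'."""
    out, changed = [], 0
    for rule in join_continuations(text):
        m = ACTION_RE.match(rule)
        if m and m.group("action") in from_actions and \
                (only_sids is None or sid_of(rule) in only_sids):
            rule = m.group("lead") + new_action + rule[m.end():]
            changed += 1
        out.append(rule)
    return "\n".join(out) + "\n", changed


# Constructed sample rule file: a comment, a multi-line rule, two one-liners.
SAMPLE_RULES = """\
# alert tcp any any -> any any (msg:"commented out"; sid:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; \\
    flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; \\
    reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1;)
pass tcp $HOME_NET any -> any 22 (msg:"allow ssh"; sid:1000002;)
"""

if __name__ == "__main__":
    text, n = convert_rules(SAMPLE_RULES)
    print(f"{n} rules rewritten")
    print(text)
```

Point it at a rules directory and write the output to the files snort_inline loads; `pass` rules are deliberately left alone by the default `from_actions`, since turning a pass into a drop would invert its meaning.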
From: Pieter V. <pv...@ab...> - 2005-08-01 15:26:44

Hi,

I was wondering if somewhere an IPS rule set exists, i.e. with drop/reject actions instead of alert actions? The only rulesets I can find are IDS or standard snort rulesets.

I also found a snortconverter script (snortconfig) but this script doesn't seem to take multiline rules into account and can only set an action to a specific other action instead of something like change all alerts to drop rules.

Does anyone know where to find such information?

kind regards,
Pieter
Able
From: Victor J. <vi...@nk...> - 2005-08-01 13:48:53

Pieter Vanmeerbeek wrote:
> Hi,
>
> I've got a question on compiling snort.
>
> Snort 2.3.3 apparently needs libnet version 1.0.x.
> However libnet's current versions are 1.1.x. This is also the version
> of libnet used on my server by other programs.
>
> Snort's configure script however checks explicitly for version 1.0.X.
> Is this done on purpose or is it something left behind from an older snort
> version?
>

IIRC snort_inline uses libnet 1.0 because snort's flexresp also uses it. Both snort and snort_inline are moving to libdnet now, so soon this libnet 1.0 stuff should be a thing of the past.

Regards,
Victor
From: Pieter V. <pv...@ab...> - 2005-08-01 12:57:51

Hi,

I've got a question on compiling snort.

Snort 2.3.3 apparently needs libnet version 1.0.x. However libnet's current versions are 1.1.x. This is also the version of libnet used on my server by other programs.

Snort's configure script however checks explicitly for version 1.0.X. Is this done on purpose or is it something left behind from an older snort version?

Kind regards,
Pieter
From: Eric S. <eri...@uo...> - 2005-07-29 14:26:28

Hi, maybe this is a silly question, but let's say I have a rule for POP3 blocking a malware (it can be a normal rule or using the ClamAV preprocessor). When an internal user tries to download the message, the packet which contains the malware will be dropped (NF_DROP I guess).

But since the email is still in his mailbox, won't this stay looping and the user be unable to download the other messages until someone removes the email from his mbox?

If the above is true, is there some way of intercepting 'transparently' the packet and sending a DELE msg to the POP3 Server? Maybe changing the payload/saddr/daddr, etc of this packet using libipq?

Regards,

Eric Scopinho
From: Will M. <wil...@gm...> - 2005-07-27 22:18:27

Ok, so the fatal error is due to having DEBUG enabled along with s4inline. When debug is enabled there is a check that is done in bounds.h that if SafeMemcpy fails, it kills your snort process. The SafeMemcpy fails during reassembly due to the fact that you are receiving in-window out of sequence packets. We use the sequence number in each packet to determine where in memory to copy the packet payload into our larger reassembled buffer. If the sequence number is off by 10000 or something, the buffer gets corrupted and when we reset the base_seq number everything goes south from there. It is very hard to implement stream reassembly when you cannot verify the validity of a packet within an established connection. This is the issue that Victor and I are trying to resolve right now.

We have only noticed it on bridged connections. When running in NAT mode packets are put in their proper order before they reach the QUEUE target. If you are running stream4inline+bridgemode, I would suggest disabling it until we get the new stream4inline written.

Regards,
Will

On 7/27/05, Adrian Soogemackelyk <soo...@gm...> wrote:
> Bridge mode.
>
> On 7/27/05, Will Metcalf <wil...@gm...> wrote:
> > Are you running in bridge or NAT mode?
> >
> > Regards,
> >
> > Will
> >
> > On 7/27/05, Adrian Soogemackelyk <soo...@gm...> wrote:
> > > I have a snort-inline box with the Snort-inline-2.3.0-RC1.diff patched
> > > to it. Recently, snort-inline runs a while and then it dies without
> > > any real indication why except I see about 60 "ALERTFLUSHSTREAM:
> > > adjusted base_seq" messages on the screen. I looked at the code and
> > > this seems to be a stream4inline feature. My preprocessor line in my
> > > conf file looks like this:
> > >
> > > preprocessor stream4: timeout 30, memcap 67108864,
> > > disable_evation_alerts, stream4linline, truncate
> > > preprocessor stream4_reassemble: clientonly, noalerts, ports 21 23 25
> > > 53 80 143 110 111
> > >
> > > Any clues what might be causing snort to die like that?
> > >
> > > -Adrian
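The failure mode Will describes (a segment whose sequence number is far outside the window being copied into the reassembly buffer), shown as an added example that is not the stream4inline code: a minimal reassembly buffer that places each segment at `seq - base_seq`, with the bounds check done before any copy so that an out-of-window or overrunning segment is rejected and recorded instead of corrupting the buffer. Sequence arithmetic is modulo 2**32, so a wrapped sequence space is handled; the segments in `demo()` are constructed.

```python
"""Added example, not the stream4inline code.

Bounds-checked TCP stream reassembly: segments outside the window are
rejected before any copy, which is the check a SafeMemcpy abort signals."""

SEQ_MOD = 1 << 32


class ReassemblyBuffer:
    def __init__(self, base_seq, size):
        self.base_seq = base_seq % SEQ_MOD
        self.size = size
        self.buf = bytearray(size)
        self.have = bytearray(size)      # 1 where a byte has been received
        self.rejected = []               # (seq, length, reason)

    def offset_of(self, seq):
        """Distance of seq from base_seq as an unsigned 32-bit value, so a
        seq behind base_seq shows up as a huge offset rather than negative."""
        return (seq - self.base_seq) % SEQ_MOD

    def offer(self, seq, data):
        """Copy data at its in-window position; return True if accepted."""
        if not data:
            return False
        off = self.offset_of(seq)
        if off >= self.size:
            self.rejected.append((seq, len(data), "outside window"))
            return False
        if off + len(data) > self.size:
            self.rejected.append((seq, len(data), "would overrun buffer"))
            return False
        self.buf[off:off + len(data)] = data
        self.have[off:off + len(data)] = b"\x01" * len(data)
        return True

    def contiguous(self):
        """Number of bytes received without a gap starting at base_seq."""
        n = 0
        while n < self.size and self.have[n]:
            n += 1
        return n

    def flush(self):
        """Return the contiguous prefix and slide the window past it."""
        n = self.contiguous()
        out = bytes(self.buf[:n])
        del self.buf[:n]
        self.buf.extend(bytearray(n))
        del self.have[:n]
        self.have.extend(bytearray(n))
        self.base_seq = (self.base_seq + n) % SEQ_MOD
        return out


def demo():
    """Constructed stream: in-order data, one out-of-order but in-window
    segment, and one segment whose seq is off by 10000 (must be refused)."""
    rb = ReassemblyBuffer(base_seq=1000, size=64)
    rb.offer(1000, b"GET /")
    rb.offer(1010, b" HTTP/1.0")      # arrives before the bytes at 1005
    rb.offer(1005, b"index")
    rb.offer(11000, b"stray")         # off by 10000: never touches the buffer
    return rb


if __name__ == "__main__":
    rb = demo()
    print(rb.flush(), rb.rejected)
```

The `rejected` list is where a real implementation would hook an alert or a counter: on a bridge that delivers in-window but out-of-order segments, the number of rejections is what tells you whether the window size or the ordering assumption is the problem.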
From: Adrian S. <soo...@gm...> - 2005-07-27 22:06:16

It seems to be segfaulting when it dies.

On 7/27/05, Will Metcalf <wil...@gm...> wrote:
> Are you running in bridge or NAT mode?
>
> Regards,
>
> Will
>
> On 7/27/05, Adrian Soogemackelyk <soo...@gm...> wrote:
> > I have a snort-inline box with the Snort-inline-2.3.0-RC1.diff patched
> > to it. Recently, snort-inline runs a while and then it dies without
> > any real indication why except I see about 60 "ALERTFLUSHSTREAM:
> > adjusted base_seq" messages on the screen. I looked at the code and
> > this seems to be a stream4inline feature. My preprocessor line in my
> > conf file looks like this:
> >
> > preprocessor stream4: timeout 30, memcap 67108864,
> > disable_evation_alerts, stream4linline, truncate
> > preprocessor stream4_reassemble: clientonly, noalerts, ports 21 23 25
> > 53 80 143 110 111
> >
> > Any clues what might be causing snort to die like that?
> >
> > -Adrian
From: Adrian S. <soo...@gm...> - 2005-07-27 21:45:03

Bridge mode.

On 7/27/05, Will Metcalf <wil...@gm...> wrote:
> Are you running in bridge or NAT mode?
>
> Regards,
>
> Will
>
> On 7/27/05, Adrian Soogemackelyk <soo...@gm...> wrote:
> > I have a snort-inline box with the Snort-inline-2.3.0-RC1.diff patched
> > to it. Recently, snort-inline runs a while and then it dies without
> > any real indication why except I see about 60 "ALERTFLUSHSTREAM:
> > adjusted base_seq" messages on the screen. I looked at the code and
> > this seems to be a stream4inline feature. My preprocessor line in my
> > conf file looks like this:
> >
> > preprocessor stream4: timeout 30, memcap 67108864,
> > disable_evation_alerts, stream4linline, truncate
> > preprocessor stream4_reassemble: clientonly, noalerts, ports 21 23 25
> > 53 80 143 110 111
> >
> > Any clues what might be causing snort to die like that?
> >
> > -Adrian
From: Will M. <wil...@gm...> - 2005-07-27 21:16:25

Are you running in bridge or NAT mode?

Regards,

Will

On 7/27/05, Adrian Soogemackelyk <soo...@gm...> wrote:
> I have a snort-inline box with the Snort-inline-2.3.0-RC1.diff patched
> to it. Recently, snort-inline runs a while and then it dies without
> any real indication why except I see about 60 "ALERTFLUSHSTREAM:
> adjusted base_seq" messages on the screen. I looked at the code and
> this seems to be a stream4inline feature. My preprocessor line in my
> conf file looks like this:
>
> preprocessor stream4: timeout 30, memcap 67108864,
> disable_evation_alerts, stream4linline, truncate
> preprocessor stream4_reassemble: clientonly, noalerts, ports 21 23 25
> 53 80 143 110 111
>
> Any clues what might be causing snort to die like that?
>
> -Adrian
From: Adrian S. <soo...@gm...> - 2005-07-27 21:00:38

I have a snort-inline box with the Snort-inline-2.3.0-RC1.diff patched to it. Recently, snort-inline runs a while and then it dies without any real indication why except I see about 60 "ALERTFLUSHSTREAM: adjusted base_seq" messages on the screen. I looked at the code and this seems to be a stream4inline feature. My preprocessor line in my conf file looks like this:

preprocessor stream4: timeout 30, memcap 67108864, disable_evation_alerts, stream4linline, truncate
preprocessor stream4_reassemble: clientonly, noalerts, ports 21 23 25 53 80 143 110 111

Any clues what might be causing snort to die like that?

-Adrian
From: Will M. <wil...@gm...> - 2005-07-25 18:46:19

The diff:
https://sourceforge.net/tracker/index.php?func=detail&aid=1244677&group_id=78497&atid=553469

More info:

Basically Bait-And-Switch works like this:

snort starts up and saves the current iptables rules to /var/log/snort/iptables-rules

A normal packet p enters snort and is run through the spp_bait_and_switch preprocessor. There is of course no match in our reroute table so it goes through the detection engine, no rules are matched and it continues to its original destination.

A malicious packet p enters snort and is run through the spp_bait_and_switch preprocessor; we as yet don't have a match so it continues to the detection engine. At this point it matches a rule for which we have set up a bait-and-switch plugin (sp_bait_and_switch.c) in which we call AddIpToRerouteTree in spp_bait_and_switch.c to reroute the source to ip address "thehoneypotip" for 600 seconds. At this point we use input from the rule to create a set of rules to add SNAT/DNAT rules to iptables; we also store the set of rules to delete the SNAT/DNAT rules we created once we reach a timeout.

Iptables sends retransmissions and already established connections to their original destination instead of abiding by any SNAT/DNAT rules added after the connection is established. To compensate for this we send a reset to tear down the connection which triggered the rule. All subsequent packets sent to and from the original attacked ip are sent to our honeypot, as long as we have not passed our timeout.

As soon as snort exits, iptables-restore is called to restore the rules from /var/log/snort/iptables-rules.

I have yet to get the alerting of rerouted packets working. What this means is that if we match a rerouted packet we set do_detect and p->preprocessors to 0;
From: Will M. <wil...@gm...> - 2005-07-25 16:31:57

List,

Here is a patch for bait-and-switch, actually it is a patch for the yet unreleased snort_inline-2.3.3 minus stream4inline as Victor and I are currently violently reworking it. The only caveat to getting this built is that you must have libdnet installed as this is what we are now using for InlineReject(). We moved to this because this is the way that sourcefire is going. Let me know what you guys think..... If I'm wasting my time, you don't think you will have a use for it, whatever...... Either way, beat it up and let me know......

Regards,
Will

from doc/README.INLINE.....

BAIT-AND-SWITCH:

Hmmm this started out as a neat parlor trick, hopefully it will be useful to someone as I wrote it in about two days. Basically we use iptables PREROUTING/POSTROUTING chains and corresponding SNAT/DNAT rules to simulate full NAT and trick our attacker into thinking he is hacking away at one box when really he is attacking another.

BAIT-AND-SWITCH OPTIONS:

max_entries (int)
    Maximum amount of attacker entries allowed to be stored in the splaytree, yeah I know all the cool kids are using hash tables these days. I'll get there someday......

log (optional log file name)
    It does what it says, logs packets rerouted by our preproc and has crappy logging for reroute additions.

BAIT-AND-SWITCH-IGNOREHOSTS:

List of networks not to add to our reroute tree ever, you probably want to add your HOME_NET networks here so as not to DoS yourself.

example:
preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24

BAIT-AND-SWITCH KEYWORD:

On to the rule language stuff, this keyword relies on the bait-and-switch preprocessor.

bait-and-switch:(reroute time in seconds,direction,honeypotip)

so let's say we have a drop rule

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)

Now let's say that if this rule fires, we want to reroute all traffic from the attacker for the next 10 minutes to a honeypot (192.168.1.1). We would add the following rule.

drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; bait-and-switch:600,src,192.168.1.1; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;)

We end up with DNAT/SNAT tables looking something like this

Chain PREROUTING (policy ACCEPT)
target     prot opt source        destination
DNAT       all  --  attacker.ip   attacked.ip     to:honeypot.ip

Chain POSTROUTING (policy ACCEPT)
target     prot opt source        destination
SNAT       all  --  honeypot.ip   attacker.ip     to:attacked.ip

from etc/snort_inline.conf......

# bait-and-switch: Attempt to do stealthy reroutes of an attacker to a honeypot for x number of seconds
# ----------------------------------------------------------------------------------
# For use in rule language
# reroute packets from attackers for x number of seconds because we don't like them messing with
# our stuff.
#
# In the example below the first line tells bait-and-switch a max amount of entries for memory allocation
# In addition the first line tells bait-and-switch to log dropped packets to the snort log dir
# bands.log
#
# The second line tells which sources to never reroute; it is very, very important to add your
# home net and your dns servers to this list.
#
#example:
#preprocessor bait-and-switch: max_entries 200,log
#preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24
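The reroute table that the README above and Will's "More info" message describe, as an added example that is not the spp_bait_and_switch code: a capped number of attacker entries, an ignore list of networks that are never rerouted (the README's warning about not DoS-ing your own HOME_NET), a per-entry timeout, and the DNAT/SNAT rule pair that is generated when an entry is added and reversed when it expires. Rules are returned as iptables command strings rather than executed, so the logic can be exercised anywhere; only the `src` direction of the keyword is modelled, the addresses and timeout are constructed sample values, and the connection reset the preprocessor sends is outside this example.

```python
"""Added example, not the spp_bait_and_switch code.

Reroute table for honeypot redirection: max_entries, ignore networks,
timeouts, and the iptables nat rules installed/removed per attacker."""

import ipaddress
from dataclasses import dataclass


@dataclass
class Reroute:
    attacker: str
    attacked: str
    honeypot: str
    expires: float


def nat_rules(op, attacker, attacked, honeypot):
    """iptables commands for one reroute; op is '-A' to add or '-D' to delete.
    PREROUTING DNAT sends the attacker to the honeypot, POSTROUTING SNAT makes
    the honeypot's replies appear to come from the attacked host."""
    return [
        f"iptables -t nat {op} PREROUTING -s {attacker} -d {attacked} "
        f"-j DNAT --to-destination {honeypot}",
        f"iptables -t nat {op} POSTROUTING -s {honeypot} -d {attacker} "
        f"-j SNAT --to-source {attacked}",
    ]


class RerouteTable:
    def __init__(self, max_entries, ignore_nets=()):
        self.max_entries = max_entries
        self.ignore_nets = [ipaddress.ip_network(n) for n in ignore_nets]
        self.entries = {}                       # attacker ip -> Reroute

    def ignored(self, ip):
        """bait-and-switch-ignorehosts: sources that are never rerouted."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore_nets)

    def add(self, attacker, attacked, honeypot, seconds, now):
        """Register a reroute; return the iptables commands to install, or []
        when the source is ignored, already rerouted, or the table is full."""
        if self.ignored(attacker) or attacker in self.entries:
            return []
        if len(self.entries) >= self.max_entries:
            return []
        self.entries[attacker] = Reroute(attacker, attacked, honeypot, now + seconds)
        return nat_rules("-A", attacker, attacked, honeypot)

    def is_rerouted(self, src, now):
        """True while a live entry exists for src (the preprocessor's lookup)."""
        r = self.entries.get(src)
        return r is not None and r.expires > now

    def expire(self, now):
        """Drop timed-out entries; return the commands that undo their NAT."""
        cmds = []
        for ip, r in list(self.entries.items()):
            if r.expires <= now:
                cmds += nat_rules("-D", ip, r.attacked, r.honeypot)
                del self.entries[ip]
        return cmds


def demo():
    """Mirror the README example: reroute the source to 192.168.1.1 for 600 s,
    with 192.168.1.0/24 on the ignore list.  Addresses are constructed."""
    table = RerouteTable(max_entries=200, ignore_nets=["192.168.1.0/24"])
    installed = table.add("203.0.113.7", "192.168.1.10", "192.168.1.1", 600, now=0)
    skipped = table.add("192.168.1.50", "192.168.1.10", "192.168.1.1", 600, now=0)
    removed = table.expire(now=601)
    return installed, skipped, removed


if __name__ == "__main__":
    for cmd in sum(demo(), []):
        print(cmd)
```

Note what the table does not do: iptables only applies new NAT rules to new connections, which is why the preprocessor also has to reset the connection that fired the rule, and why the honeypot and DNS servers belong on the ignore list.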
From: Will M. <wil...@gm...> - 2005-07-25 16:17:50

cc3138354e58844cea46dbe42853e568  snort_inline-2.3.3-RC4-no-s4inline-bands.diff.bz2
From: Roland T. (SourceForge) <raz...@co...> - 2005-07-25 09:27:48

Cody Decker said:
> Snort in inline mode. I have successfully set up Snort before; however,
> I have not had the inline mode work successfully. Specifically, I'm
> wanting to drop port scans. I know how to create the rules to drop
> port scans; however, I don't know how to use/install/configure the
> inline mode in order for it to tell iptables to drop particular
> packets.

Have you read doc/README.INLINE?

- Raz
From: Cody D. <cod...@gm...> - 2005-07-23 04:08:14

Hello, All.

Given I have some experience in the networking field but my knowledge of Linux is amateurish at best---

I have a linux computer (Slackware 10.1) running kernel 2.4.29. The computer has two NICs: eth0 and eth1. eth0 is the internal NIC which is connected to my switch and eth1 is the external (WAN) NIC connected to my cable modem. The linux computer acts as a firewall/router/NAT device for the home LAN.

Currently, the network is performing as expected. I would like to set up Snort in inline mode. I have successfully set up Snort before; however, I have not had the inline mode work successfully. Specifically, I'm wanting to drop port scans. I know how to create the rules to drop port scans; however, I don't know how to use/install/configure the inline mode in order for it to tell iptables to drop particular packets.

If someone could point me in the right direction with documentation, resources, etc., it would be greatly appreciated.

Thank you!

Cody