From: Earl <uno...@ya...> - 2004-11-15 20:56:40

In addition to Will's "nod" that it can be done... There are actually 2 instances of snort running along *with* snort_inline on the currently available Honeywall CDROM.

o Snort_Inline - used for Data Control
o (1) Snort instance monitors the internal (Honeypot side) interface and reports fast/full
o (1) Snort instance to produce full packet pcap logs of all traffic traversing the internal Honeywall interface

Earl

--- Will Metcalf <wil...@gm...> wrote:
> You can do this without a problem.
>
> Regards,
>
> Will
>
> On Fri, 12 Nov 2004 18:44:00 -0500, mdpeters <mic...@la...> wrote:
> >
> > Can Snort be installed with Snort-inline on the same box? Any issues with
> > bridging Snort-inline and running the other interfaces as sensors?
> >
> > Best regards,
> >
> > Michael
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: mdpeters <mic...@la...> - 2004-11-15 18:33:28

make[3]: *** [spo_alert_fast.o] Error 1
make[3]: Leaving directory `/home/mdpeters/snort_inline-2.2.0/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/mdpeters/snort_inline-2.2.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/mdpeters/snort_inline-2.2.0'
make: *** [all] Error 2

I am accustomed to building on Solaris systems. This is a Redhat 9, KERNEL_DIR=/usr/src/linux-2.4.20-8. The configuration goes without a hitch any way I set it up. I still get the same error message above. Any suggestions?

Best regards,

Michael
From: Will M. <wil...@gm...> - 2004-11-13 16:52:50

If you just want to view alerts take a look at BASE http://sourceforge.net/projects/secureideas/

Regards,

Will

On Sat, 13 Nov 2004 08:09:33 -0500, mdpeters <mic...@la...> wrote:
>
> I have used ACID in the past. What is the general consensus for a browser
> based Snort user front end that I could tweak or hire the programmer to
> tweak?
>
> Best regards,
>
> Michael
From: Will M. <wil...@gm...> - 2004-11-13 16:00:38

You can do this without a problem.

Regards,

Will

On Fri, 12 Nov 2004 18:44:00 -0500, mdpeters <mic...@la...> wrote:
>
> Can Snort be installed with Snort-inline on the same box? Any issues with
> bridging Snort-inline and running the other interfaces as sensors?
>
> Best regards,
>
> Michael
From: mdpeters <mic...@la...> - 2004-11-13 13:12:28

I have used ACID in the past. What is the general consensus for a browser based Snort user front end that I could tweak or hire the programmer to tweak?

Best regards,

Michael
From: mdpeters <mic...@la...> - 2004-11-12 23:46:43

Can Snort be installed with Snort-inline on the same box? Any issues with bridging Snort-inline and running the other interfaces as sensors?

Best regards,

Michael
From: mdpeters <mic...@la...> - 2004-11-12 23:26:11

Is it possible to run both Snort sensors and Snort inline on one server?

Best regards,

Michael
From: Ben J. <be...@ma...> - 2004-11-12 19:22:00

Hi All,

If running a snort inline in bridge mode

DslRouter---Eth0-Snortinline-eth1 lan

And there is a eth2 with 192.168.1.10 ip address, anyone know of a way to forward all eth0 mail to a smtp proxy to scan for virus and then forward it? And the same from internal network also forward it before it is being sent out?
From: Victor J. <vi...@nk...> - 2004-11-08 20:28:57

On Monday 08 November 2004 20:24, ka...@ez... wrote:
> Hi,
>
> Having a strange issue with telnet and ssh issues that I
> can't figure out. With snort_inline 2.1.x (2 and 3) I have
> it set with two simple rules in the FORWARD chain of QUEUE
> and ACCEPT. The only packets dropped are a few that are
> worm/virus related.
>
> The problem is this -- ssh and/or telnet sessions time out.
> You can make the connection, but if you leave it sit for
> about 30 seconds, it goes dead. If you try to reconnect -
> that works too, but in 30 seconds or so, same thing.

Your problem probably is the stream4 timeout. You can set it to a higher value, or use the IptState option. It was especially designed for this...

Regards,
Victor

> Help?
> Thanks
> Kat
From: Mike W. <mwi...@lu...> - 2004-11-08 20:11:51

There is a problem when using stream4 preprocessor and snort_inline. You could disable the stream4 preprocessor to get rid of the timeout problems. There was a patch released on this list that corrected the problem but I can't seem to find it at the moment.

Regards,
- Mike

On Monday 08 November 2004 14:24, ka...@ez... wrote:
> Hi,
>
> Having a strange issue with telnet and ssh issues that I
> can't figure out. With snort_inline 2.1.x (2 and 3) I have
> it set with two simple rules in the FORWARD chain of QUEUE
> and ACCEPT. The only packets dropped are a few that are
> worm/virus related.
>
> The problem is this -- ssh and/or telnet sessions time out.
> You can make the connection, but if you leave it sit for
> about 30 seconds, it goes dead. If you try to reconnect -
> that works too, but in 30 seconds or so, same thing.
>
> Help?
> Thanks
> Kat

--
Mike Wisener, GCIA
Senior Information Security Analyst
LURHQ -- http://www.lurhq.com
mwi...@lu...
From: <ka...@ez...> - 2004-11-08 19:31:55

Hi,

Having a strange issue with telnet and ssh issues that I can't figure out. With snort_inline 2.1.x (2 and 3) I have it set with two simple rules in the FORWARD chain of QUEUE and ACCEPT. The only packets dropped are a few that are worm/virus related.

The problem is this -- ssh and/or telnet sessions time out. You can make the connection, but if you leave it sit for about 30 seconds, it goes dead. If you try to reconnect - that works too, but in 30 seconds or so, same thing.

Help?
Thanks
Kat
From: JimTuttle <tut...@mm...> - 2004-11-08 19:13:41

I have rebuilt my snort to the latest version. And just a second ago I read that snort-inline was part of the latest release. Can someone point me in the direction of basic setup and configuration, just for snort-inline? My snort is running perfectly.

Thanks for the assistance.

Jim Tuttle
Tuttle Information Systems
From: Will M. <wil...@gm...> - 2004-11-01 21:54:57

List,

I'm releasing snort_inline-2.2.0a to fix the --disable-inline configure option. Thanks to Oden Eriksson of Mandrake for discovering my mistake ;-). Due to the overwhelming response I received from my post regarding an ssl-decryption preproc, I will start work on this as soon as Victor and I have finished up the sticky-drop and stream4-inline preprocs. I'm putting the finishing touches on sticky-drop (memory allocation snafu and white list) now and it should be included in snort_inline-2.3. *sigh* So much we want to do with snort_inline and so little free time.

Regards,

Will

http://snort-inline.sourceforge.net/download.html
From: Brian <bm...@sn...> - 2004-11-01 16:31:09

On Thu, Oct 28, 2004 at 11:02:39PM +0000, Lefti C wrote:
> Can't locate Net/Snort/Parser/File.pm in @INC (@INC contains:
> /usr/local/lib/perl5/5.8.3/i686-linux /usr/local/lib/perl5/5.8.3
> /usr/local/lib/perl5/site_perl/5.8.3/i686-linux
> /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl .) at
> /etc/snort_inline/snortconfig-19/snortconfig line 178.
> BEGIN failed--compilation aborted at
> /etc/snort_inline/snortconfig-19/snortconfig line 178.

You didn't install snortconfig, or the libraries it requires.

perl Makefile.pl
make
make install

THEN run snortconfig.

Brian
From: Tony C. <tc...@en...> - 2004-10-29 21:02:00

On Thursday 28 October 2004 23:18, Will Metcalf wrote:
> Pawel,
>
> Off the top of my head I would say go with snort_inline-2.2.0 and
> snort-2.2.0, we actually added mysql support into 2.1.3 but added
> proper state tracking via stream4 and iptables marks in 2.2.0 (see
> doc/README.INLINE). As far as the preprocs go look at the default
> snort_inline.conf it should give you a good base config to start off
> with. Don't really know any great articles on the subject of preprocs
> and rule language, but I would suggest that you take a look at the
> snort users manual http://www.snort.org/docs/snort_manual/ or pick up
> a copy of the syngress book SNORT 2.1 Intrusion Detection. Hope this
> helps.....
>
> Completely off topic, would anybody like to see an ssl-decryption
> preproc? Obviously you would only be able to decrypt traffic bound to
> servers for which you possess the private keys, in addition we would
> need to figure out some way to securely store these keys in escrow. Just
> a thought Victor Julien and I have been kicking around.
>
> Regards,
>
> Will
>
> On Thu, 28 Oct 2004 19:27:33 -0500, Pawel Czarnota <pc...@ui...> wrote:
> > Hey all,
> > I am trying to decide which version of snort_inline to use on a
> > Honeywall. I need something that will work with Open Wall Linux and that
> > has all major bugs fixed (needs to be very secure). It also should have
> > mysql support. The Honeywall will act as a bridge. Which version would be
> > recommended? Also, which pre-processors should be enabled for use on an
> > actual Honeywall (At this point none of our members know anything about
> > the pre-processors and little about rules)? If someone can point me to
> > good online articles about these I'd appreciate it. Finally, should I
> > install the same version of snort that snort_inline will be, or are there
> > any advantages of using different versions for each one.
> > Thanks
> >
> > Pawel Czarnota
> > ACM Honeynet Project Leader
> > http://cs.uic.edu/~pczarno1
> > University of Illinois at Chicago

Hey, count me in on this. I started on the SSL decryption a while ago but did not have the time to finish.

-Tony
From: Jason <sec...@br...> - 2004-10-29 04:17:18

Will Metcalf wrote:
>
> Completely off topic, would anybody like to see an ssl-decryption
> preproc? Obviously you would only be able to decrypt traffic bound to
> servers for which you possess the private keys, in addition we would
> need to figure out some way to securely store these keys in escrow. Just
> a thought Victor Julien and I have been kicking around.
>

If support is added I would love to see it tied into an SSL accelerator card. Using the accelerator could also provide the key escrow capabilities in hardware.

I used to be under the impression that you could not properly do SSL decryption however as intruvert unfortunately proved to me that is only the case with certain ciphers and anonymous SSL.
From: Will M. <wil...@gm...> - 2004-10-29 03:41:26

Lefti C,

I personally use oinkmaster sooooo, ummmmm, http://oinkmaster.sourceforge.net/

Just a thought from the error above, did you install the following?

http://www.shmoo.com/~bmc/software/snortconfig/Net-Snort-Parser-1.21.tar.gz

Regards,

Will

On Thu, 28 Oct 2004 23:02:39 +0000, Lefti C <lef...@ho...> wrote:
> Hi all,
>
> I apologise if this is an issue that has come up before and been answered, I
> didn't stumble across it though.
>
> The problem I am experiencing is with snortconfig.
> I am running snort_inline, (precompiled from the Honeynet toolkit) and the
> accompanying snortconfig v 1.8 to create my ruleset.
>
> I have upgraded my perl package twice but I'm getting the same error.
> I am currently running perl-5.8.3.
>
> The error I'm getting is the following:
>
> Can't locate Net/Snort/Parser/File.pm in @INC (@INC contains:
> /usr/local/lib/perl5/5.8.3/i686-linux /usr/local/lib/perl5/5.8.3
> /usr/local/lib/perl5/site_perl/5.8.3/i686-linux
> /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl .) at
> /etc/snort_inline/snortconfig-19/snortconfig line 178.
> BEGIN failed--compilation aborted at
> /etc/snort_inline/snortconfig-19/snortconfig line 178.
>
> Your help is greatly appreciated,
>
> Kind Regards,
>
> Lefti
From: Will M. <wil...@gm...> - 2004-10-29 03:19:13

Pawel,

Off the top of my head I would say go with snort_inline-2.2.0 and snort-2.2.0, we actually added mysql support into 2.1.3 but added proper state tracking via stream4 and iptables marks in 2.2.0 (see doc/README.INLINE). As far as the preprocs go look at the default snort_inline.conf it should give you a good base config to start off with. Don't really know any great articles on the subject of preprocs and rule language, but I would suggest that you take a look at the snort users manual http://www.snort.org/docs/snort_manual/ or pick up a copy of the syngress book SNORT 2.1 Intrusion Detection. Hope this helps.....

Completely off topic, would anybody like to see an ssl-decryption preproc? Obviously you would only be able to decrypt traffic bound to servers for which you possess the private keys, in addition we would need to figure out some way to securely store these keys in escrow. Just a thought Victor Julien and I have been kicking around.

Regards,

Will

On Thu, 28 Oct 2004 19:27:33 -0500, Pawel Czarnota <pc...@ui...> wrote:
>
> Hey all,
> I am trying to decide which version of snort_inline to use on a Honeywall. I
> need something that will work with Open Wall Linux and that has all major
> bugs fixed (needs to be very secure). It also should have mysql support. The
> Honeywall will act as a bridge. Which version would be recommended? Also,
> which pre-processors should be enabled for use on an actual Honeywall (At
> this point none of our members know anything about the pre-processors and
> little about rules)? If someone can point me to good online articles about
> these I'd appreciate it. Finally, should I install the same version of snort
> that snort_inline will be, or are there any advantages of using different
> versions for each one. Thanks
>
> Pawel Czarnota
> ACM Honeynet Project Leader
> http://cs.uic.edu/~pczarno1
> University of Illinois at Chicago
>
From: Pawel C. <pc...@ui...> - 2004-10-29 00:27:53

Hey all,

I am trying to decide which version of snort_inline to use on a Honeywall. I need something that will work with Open Wall Linux and that has all major bugs fixed (needs to be very secure). It also should have mysql support. The Honeywall will act as a bridge. Which version would be recommended? Also, which pre-processors should be enabled for use on an actual Honeywall (At this point none of our members know anything about the pre-processors and little about rules)? If someone can point me to good online articles about these I'd appreciate it. Finally, should I install the same version of snort that snort_inline will be, or are there any advantages of using different versions for each one.

Thanks

Pawel Czarnota
ACM Honeynet Project Leader
http://cs.uic.edu/~pczarno1
University of Illinois at Chicago
From: Lefti C <lef...@ho...> - 2004-10-28 23:04:54

Hi all,

I apologise if this is an issue that has come up before and been answered, I didn't stumble across it though.

The problem I am experiencing is with snortconfig. I am running snort_inline, (precompiled from the Honeynet toolkit) and the accompanying snortconfig v 1.8 to create my ruleset.

I have upgraded my perl package twice but I'm getting the same error. I am currently running perl-5.8.3.

The error I'm getting is the following:

Can't locate Net/Snort/Parser/File.pm in @INC (@INC contains: /usr/local/lib/perl5/5.8.3/i686-linux /usr/local/lib/perl5/5.8.3 /usr/local/lib/perl5/site_perl/5.8.3/i686-linux /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl .) at /etc/snort_inline/snortconfig-19/snortconfig line 178.
BEGIN failed--compilation aborted at /etc/snort_inline/snortconfig-19/snortconfig line 178.

Your help is greatly appreciated,

Kind Regards,

Lefti
From: Jason <sec...@br...> - 2004-10-21 18:35:43

I imagine you could easily handle that stuff. ClamAV allows for custom virus detection so even if there is no detection for the spyware you could create it. Another avenue is using the spyware rules available for snort you could create block variants. I've no experience with the spyware rules so I cannot attest to accuracy but the solution is certainly capable of it. Perhaps the inline folks would care to comment.

David Puckett wrote:
> Will this also prevent spyware/malware/crapware?
>
> Thanks,
> David
>
> -----Original Message-----
> From: Ryan Whalen [mailto:wha...@ho...]
> Sent: Tuesday, October 19, 2004 1:28 PM
> To: Jason; Ian Gallagher
> Cc: Don Draper; foc...@se...
> Subject: Re: Fortinet IDS
>
> I am using a Fortigate firewall. It inspects all traffic transparently for
> IDS/Virus events.
>
> I believe they used Snort for their IDS. Fortinet provides signature
> updates for the IDS system several times a week. We are very happy with
> this solution.
>
> Ryan
>
> ----- Original Message -----
> From: "Jason" <sec...@br...>
> To: "Ian Gallagher" <cdi...@gm...>
> Cc: "Don Draper" <do...@dr...>; <foc...@se...>
> Sent: Monday, October 18, 2004 6:59 PM
> Subject: Re: Fortinet IDS
>
> > I am not sure how fortinet does it however I know snort-inline now has a
> > clamav preprocessor that will scan for viruses in the traffic and block it
> > if discovered. There is no proxy involved and all traffic is scanned based
> > on a configuration you define. It is a recent development and sure to
> > require beefy hardware but might be worth exploring for the edge points
> > that require virus scanning. X-posting to snort-inline if they want to
> > chime in.
> >
> > https://sourceforge.net/tracker/index.php?func=detail&aid=1012679&group_id=78497&atid=553469
> >
> > [...]
From: Yogdutt S. <son...@gm...> - 2004-10-21 10:23:18

Hi Everybody,

I am having a problem to use snort_inline as a filter. I have added iptables rules as follows for incoming web traffic.

iptables -t mangle -A INPUT -p tcp --syn --sport 80 -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A INPUT -p tcp --sport 80 -m state --state NEW -j MARK --set-mark 2
iptables -I INPUT -m mark --mark 1 -j QUEUE
iptables -I INPUT -m mark --mark 2 -j QUEUE

and I have added a simple snort_inline rule for changing the pattern "google" with "abcdef" pattern.

alert tcp any 80 -> $HOME_NET any (msg:"GIF file removed"; content:"google"; nocase; replace:"abcdef";)

But after starting snort_inline with QUEUE mode I am getting confused. I found that when I want to visit "www.google.com" it's going to resolve "www.abcdef.com". Here I have added this rule for replacing the incoming payload's pattern but it is doing the reverse.

Please tell me where am I wrong?

--
Yogdutt Sonivadia
Apropos Infotech Pvt. Ltd.
Bangalore
INDIA
From: Jochen V. <jv...@it...> - 2004-10-21 08:37:44

thanks for all the answers, fact is that i have no entries in the icmphdr, opt, tcphdr & udphdr tables in the mysql database if i use iptables -> snort_inline -> barnyard -> mysql

> -----Original Message-----
> From: Victor Julien [mailto:vi...@nk...]
> Sent: Wednesday, 20 October 2004 15:38
> To: Jochen Vogel
> Cc: sno...@li...; wil...@gm...
> Subject: Re: AW: AW: [Snort-inline-users] no tcp header
>
> Hello Jochen,
>
> The TCP-header does look fine to me. The only difference i see is the TCP
> Options string. However the two alerts come from different connections, so
> i'm not surprised that they don't exactly match. Personally, I do get alerts
> which include the 'TCP Options'. If there are no TCP Options in the packet,
> the 'TCP Options' string is not printed at all. Maybe you can look through
> your other alerts to see if you have the 'TCP Options' there.
>
> Regards,
> Victor
>
> On Wednesday 20 October 2004 10:56, Jochen Vogel wrote:
> > if i correlate the IDS log with the IPS log i can see the different header
> > structure.
> > i think that barnyard have problems to parse it correctly?
> > and see that the point "TCP Options" is missing.
> >
> > ----------------------------------------------------------------
> > IPS
> >
> > [**] WEB-MISC /etc/passwd [**]
> > 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> > TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> > ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> > 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
> > 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A 195.245.50.252..
> > 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
> >
> > -------------------------------------------------------------
> > IDS
> >
> > [**] WEB-MISC /etc/passwd [**]
> > 10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800
> > len:0x214
> > 80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351
> > IpLen:20 DgmLen:518 DF
> > ***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 3183946206 504897406
> > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> > 48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 HTTP/1.0..Accept
> > 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 : image/gif, ima
> > 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D ge/x-xbitmap, im
> > 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F age/jpeg, image/
> > 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 pjpeg, applicati
From: Josh B. <jos...@li...> - 2004-10-20 21:22:00

You are only giving snort_inline one side of the connection, the return SYN/ACK from the server. You probably just need to configure the state tracking correctly, see the README files for this.

> Hi Everybody,
>
> I'm getting a problem with filtering tcp packets through snort_inline.
>
> snort_inline is working properly and I can drop and replace actions
> are working properly on icmp packets, for icmp packets I have put an
> iptables rule,
>
> iptables -A INPUT -p icmp -d 192.168.1.11/32 -j QUEUE
>
> I have given same iptables rule for tcp packet,
>
> iptables -A INPUT -p tcp --sport 80 -d 192.168.1.11/32 -j QUEUE
>
> and I have also added an alert rule in local.rules file,
>
> alert tcp any 80 -> 192.168.1.11/32 any (msg:"HTTP Protocol Active";)
>
> and I am giving a command,
>
> snort_inline -Qdvc /etc/snort_inline.conf -l /var/log/snort
>
> as per given 'd' and 'v' options i got output on console as below for
> tcp packets,
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/20-16:04:57.988479 66.102.9.104:80 -> 192.168.11.5:32854
> TCP TTL:62 TOS:0x0 ID:39096 IpLen:20 DgmLen:64 DF
> ***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
> TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS:
> 277264730 2389497
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/20-16:04:58.648405 66.102.9.104:80 -> 192.168.11.5:32853
> TCP TTL:62 TOS:0x0 ID:43192 IpLen:20 DgmLen:64 DF
> ***A**S* Seq: 0x3A3C271A Ack: 0xE8ACA1CA Win: 0x4470 TcpLen: 44
> TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS:
> 277264796 2384757
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/20-16:05:03.975030 66.102.9.104:80 -> 192.168.11.5:32854
> TCP TTL:62 TOS:0x0 ID:45496 IpLen:20 DgmLen:64 DF
> ***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
> TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS:
> 277265328 2390697
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Here we can see that SYN and ACK flag enabled tcp packets are coming
> into picture, I can't find other than those packets.
>
> Please tell me where i am wrong?
>
> Thanks in Advance.
>
> --
> Yogdutt Sonivadia
> Apropos Infotech Pvt. Ltd.
> Bangalore,
> India
From: Josh B. <jos...@li...> - 2004-10-20 21:18:01

The only difference is the TCP Options, however these packets are to and from different sources and destinations. The communication logged by the IPS was probably between machines not using TCP Options at all and vice versa for the IDS.

> if i correlate the IDS log with the IPS log i can see the different header
> structure.
> i think that barnyard have problems to parse it correctly?
>
> ----------------------------------------------------------------
> IPS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
> 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A 195.245.50.252..
> 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi
>
> -------------------------------------------------------------
> IDS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800
> len:0x214
> 80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351
> IpLen:20 DgmLen:518 DF
> ***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 3183946206 504897406
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
> 48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 HTTP/1.0..Accept
> 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61 : image/gif, ima
> 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D ge/x-xbitmap, im
> 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F age/jpeg, image/
> 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69 pjpeg, applicati
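Both of Josh's replies above come down to reading the packet records snort_inline prints: the QUEUE thread only ever shows the server's SYN/ACKs (one direction, so stream tracking has nothing to work with), and the barnyard thread shows a "TCP Options" line that is printed only when the packet carries options. The following is an added example, not code from the list or from the snort_inline project; it parses that record layout, groups packets into flows and reports which flows were seen in one direction only. The sample input is constructed: two of the SYN/ACK records quoted in the thread plus a made-up connection on port 32855 that was queued in both directions.

```python
"""Flow-direction audit over snort_inline -dv packet records (added example)."""
import re
from collections import defaultdict

# Constructed sample in the layout snort_inline prints with -dv: two of the
# server->client SYN/ACKs quoted in the thread, plus a constructed connection
# (port 32855) for which both directions reached the QUEUE.
SAMPLE = """\
10/20-16:04:57.988479 66.102.9.104:80 -> 192.168.11.5:32854
TCP TTL:62 TOS:0x0 ID:39096 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277264730 2389497
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/20-16:04:58.648405 66.102.9.104:80 -> 192.168.11.5:32853
TCP TTL:62 TOS:0x0 ID:43192 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x3A3C271A Ack: 0xE8ACA1CA Win: 0x4470 TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277264796 2384757
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/20-16:05:10.000000 192.168.11.5:32855 -> 66.102.9.104:80
TCP TTL:64 TOS:0x0 ID:100 IpLen:20 DgmLen:40 DF
******S* Seq: 0x00000001 Ack: 0x0 Win: 0x16D0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/20-16:05:10.050000 66.102.9.104:80 -> 192.168.11.5:32855
TCP TTL:62 TOS:0x0 ID:101 IpLen:20 DgmLen:40 DF
***A**S* Seq: 0x00000100 Ack: 0x2 Win: 0x4470 TcpLen: 20
"""

ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")  # Snort's 8-column flag field
OPTS_RE = re.compile(r"^TCP Options \(\d+\)")      # printed only when options exist
FLAG_NAMES = "12UAPRSF"                             # '*' in a column means bit clear

def parse_records(text):
    """Yield one dict per packet record: endpoints, set TCP flags, options seen."""
    rec = None
    for line in text.splitlines():
        m = ADDR_RE.search(line)
        if m:                       # an address line starts a new record
            if rec:
                yield rec
            rec = {"src": m.group(1), "sport": int(m.group(2)),
                   "dst": m.group(3), "dport": int(m.group(4)),
                   "flags": set(), "has_options": False}
            continue
        if rec is None:
            continue
        m = FLAGS_RE.match(line)
        if m:
            rec["flags"] = {n for n, c in zip(FLAG_NAMES, m.group(1)) if c != "*"}
        elif OPTS_RE.match(line):
            rec["has_options"] = True
    if rec:
        yield rec

def flow_key(rec):
    """Canonical endpoint pair so both directions of a connection share one key."""
    a, b = (rec["src"], rec["sport"]), (rec["dst"], rec["dport"])
    return (a, b) if a <= b else (b, a)

def audit_flows(text):
    """Group records into flows and record which directions were observed."""
    flows = defaultdict(lambda: {"directions": set(), "flag_sets": [],
                                 "packets": 0, "with_options": 0})
    for rec in parse_records(text):
        f = flows[flow_key(rec)]
        f["packets"] += 1
        f["directions"].add((rec["src"], rec["dst"]))
        f["flag_sets"].append(rec["flags"])
        f["with_options"] += rec["has_options"]
    return dict(flows)

def one_sided_flows(text):
    """Flows the engine saw in one direction only: stream tracking cannot work."""
    return sorted(k for k, f in audit_flows(text).items()
                  if len(f["directions"]) == 1)

def diagnose(text):
    """One verdict line per flow, naming the SYN/ACK-only symptom from the thread."""
    out = []
    for (a, b), f in sorted(audit_flows(text).items()):
        name = "%s:%d <-> %s:%d" % (a + b)
        opts = " (%d of %d pkts carried TCP Options)" % (f["with_options"], f["packets"])
        if len(f["directions"]) == 2:
            out.append(name + ": both directions seen" + opts)
            continue
        src, dst = next(iter(f["directions"]))
        hint = ""
        if all({"S", "A"} <= fl for fl in f["flag_sets"]):
            hint = "; only SYN/ACKs: the client side never reaches the QUEUE"
        out.append("%s: ONE-SIDED, only %s -> %s%s%s" % (name, src, dst, hint, opts))
    return out
```

Run `diagnose()` over a real `-dv` capture: every flow reported ONE-SIDED is one your iptables rules are feeding to the QUEUE in a single direction, which is the condition both replies above describe.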