From: Victor J. <vi...@nk...> - 2004-10-20 13:38:49
Hello Jochen,

The TCP header does look fine to me. The only difference I see is the TCP Options string. However, the two alerts come from different connections, so I'm not surprised that they don't exactly match.

Personally, I do get alerts which include the 'TCP Options'. If there are no TCP Options in the packet, the 'TCP Options' string is not printed at all. Maybe you can look through your other alerts to see if you have the 'TCP Options' there.

Regards,

Victor

On Wednesday 20 October 2004 10:56, Jochen Vogel wrote:
> If I correlate the IDS log with the IPS log I can see the different header
> structure.
> I think that barnyard has problems parsing it correctly?
> And I see that the point "TCP Options" is missing.
>
> ----------------------------------------------------------------
> IPS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
> 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
> 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
> 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
>
> -------------------------------------------------------------
> IDS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
> 80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351
> IpLen:20 DgmLen:518 DF
> ***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 3183946206 504897406
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
> 48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74  HTTP/1.0..Accept
> 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61  : image/gif, ima
> 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D  ge/x-xbitmap, im
> 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F  age/jpeg, image/
> 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69  pjpeg, applicati
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
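Victor's explanation can be checked mechanically rather than by eye: Snort prints TcpLen as the full TCP header length, so a record with TcpLen: 20 carries the bare 20-byte header and has no options line to print, while TcpLen: 32 must be accounted for by exactly 12 bytes of listed options (NOP NOP TS is 1 + 1 + 10). The same arithmetic applies to the SYN/ACK records further down the thread (TcpLen: 44 with nine options). The script below is an added example, not code from this thread or from the snort_inline project. It assumes the 'full' alert layout exactly as pasted in the messages above, the standard option sizes (MSS 4, WS 3, SackOK 2, TS 10, NOP/EOL 1) and, for IDS-mode records, a 14-byte Ethernet header in front of the IP datagram; the three records it parses are transcribed from the thread as constructed test input.

```python
import re
from typing import Any, Dict, List, Optional

# Wire size in bytes of each TCP option kind, keyed by the name Snort prints on its
# "TCP Options (n) => ..." line (MSS: RFC 793; WS, TS: RFC 1323; SackOK: RFC 2018).
# SACK blocks vary in length and are left out on purpose: they come back as unknown.
OPTION_LEN = {"NOP": 1, "EOL": 1, "MSS": 4, "WS": 3, "SackOK": 2, "TS": 10}

MSG_RE = re.compile(r"\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]")
ETH_RE = re.compile(r"type:0x[0-9A-Fa-f]+ len:0x(?P<flen>[0-9A-Fa-f]+)")
IP_RE = re.compile(r"[0-9.]+:\d+ -> [0-9.]+:\d+ TCP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ "
                   r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
TCP_RE = re.compile(r"TcpLen: (?P<tcplen>\d+)")
OPT_RE = re.compile(r"TCP Options \((?P<count>\d+)\) => (?P<opts>.*)")
HEX_RE = re.compile(r"^([0-9A-F]{2} )+")  # a payload hex-dump line


def option_kinds(opts: str) -> List[str]:
    """'MSS: 1460 NOP WS: 0 TS: 1 2' -> ['MSS', 'NOP', 'WS', 'TS']."""
    kinds = []
    for tok in opts.split():
        if tok.endswith(":"):
            kinds.append(tok[:-1])
        elif not tok.isdigit():  # bare digits are arguments of the preceding option
            kinds.append(tok)
    return kinds


def option_bytes(kinds: List[str]) -> Optional[int]:
    """Total wire length of the listed options, or None if a kind is not sized above."""
    if any(k not in OPTION_LEN for k in kinds):
        return None
    return sum(OPTION_LEN[k] for k in kinds)


def parse_alert(record: str) -> Dict[str, Any]:
    """Parse one Snort 'full' TCP record; header lines may be wrapped as pasted above."""
    lines = [ln.strip() for ln in record.strip().splitlines() if ln.strip()]
    header = " ".join(ln for ln in lines if not HEX_RE.match(ln))
    ip, tcp = IP_RE.search(header), TCP_RE.search(header)
    if not (ip and tcp):
        raise ValueError("not a TCP alert record")
    msg, eth = MSG_RE.search(header), ETH_RE.search(header)
    kinds: List[str] = []  # stays empty when Snort printed no "TCP Options" line
    for ln in lines:
        m = OPT_RE.match(ln)
        if m:
            kinds = option_kinds(m.group("opts"))
            if len(kinds) != int(m.group("count")):
                raise ValueError("option count does not match the option list")
    return {
        "msg": msg.group("msg") if msg else None,
        "iplen": int(ip.group("iplen")), "dgmlen": int(ip.group("dgmlen")),
        "tcplen": int(tcp.group("tcplen")),
        "frame_len": int(eth.group("flen"), 16) if eth else None,  # pcap (IDS) mode only
        "options": kinds,
    }


def check(record: str) -> Dict[str, Any]:
    """Cross-check TcpLen against the listed options and DgmLen against the frame."""
    a = parse_alert(record)
    listed = option_bytes(a["options"])
    return {
        "msg": a["msg"],
        "payload_len": a["dgmlen"] - a["iplen"] - a["tcplen"],
        "option_bytes": listed,
        # TcpLen 20 is the bare header, so no options line is the correct output;
        # TcpLen 32 leaves 12 bytes, which NOP NOP TS accounts for exactly.
        "options_ok": listed is not None and listed == a["tcplen"] - 20,
        # pcap frame = 14-byte Ethernet header + IP datagram; not printed inline.
        "frame_ok": a["frame_len"] is None or a["frame_len"] == a["dgmlen"] + 14,
    }


# Constructed input: three records transcribed from this thread, with the wrapped
# header lines kept as pasted and the hex dump cut to a single line.
IPS_RECORD = """
[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
"""
IDS_RECORD = """
[**] WEB-MISC /etc/passwd [**]
10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351
IpLen:20 DgmLen:518 DF
***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3183946206 504897406
"""
SYNACK_RECORD = """
10/20-16:04:57.988479 66.102.9.104:80 -> 192.168.11.5:32854
TCP TTL:62 TOS:0x0 ID:39096 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277264730 2389497
"""
```

Run `check()` over each record: the IPS record reports 0 option bytes against a TcpLen of 20 and 410 bytes of payload, the IDS record 12 option bytes against a TcpLen of 32 with a 532-byte frame that is the 518-byte datagram plus Ethernet, and the SYN/ACK 24 option bytes against a TcpLen of 44 with no payload. A record whose TcpLen does not match its options line is the one worth chasing as a logging or parsing bug; a TcpLen of 20 with no options line is Snort behaving as designed.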
From: Yogdutt S. <son...@gm...> - 2004-10-20 10:58:46
Hi Everybody,

I'm getting a problem with filtering TCP packets through snort_inline. snort_inline is working properly, and the drop and replace actions are working properly on ICMP packets. For ICMP packets I have put an iptables rule:

iptables -A INPUT -p icmp -d 192.168.1.11/32 -j QUEUE

I have given the same iptables rule for TCP packets:

iptables -A INPUT -p tcp --sport 80 -d 192.168.1.11/32 -j QUEUE

and I have also added an alert rule in the local.rules file:

alert tcp any 80 -> 192.168.1.11/32 any (msg:"HTTP Protocol Active";)

and I am giving the command:

snort_inline -Qdvc /etc/snort_inline.conf -l /var/log/snort

As per the given 'd' and 'v' options I got output on the console as below for TCP packets:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/20-16:04:57.988479 66.102.9.104:80 -> 192.168.11.5:32854
TCP TTL:62 TOS:0x0 ID:39096 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277264730 2389497
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/20-16:04:58.648405 66.102.9.104:80 -> 192.168.11.5:32853
TCP TTL:62 TOS:0x0 ID:43192 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x3A3C271A Ack: 0xE8ACA1CA Win: 0x4470 TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277264796 2384757
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
10/20-16:05:03.975030 66.102.9.104:80 -> 192.168.11.5:32854
TCP TTL:62 TOS:0x0 ID:45496 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277265328 2390697
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Here we can see that only TCP packets with the SYN and ACK flags enabled are coming into the picture; I can't find any other than those packets.

Please tell me where I am wrong?

Thanks in advance.

--
Yogdutt Sonivadia
Apropos Infotech Pvt. Ltd.
Bangalore, India
From: Yogdutt S. <son...@gm...> - 2004-10-20 10:47:16
Hi Everybody,

I'm getting a problem with filtering TCP packets through snort_inline. The drop and replace actions are working properly on ICMP packets. I have put an iptables rule,
From: Jochen V. <jv...@it...> - 2004-10-20 09:00:33
If I correlate the IDS log with the IPS log I can see the different header structure.
I think that barnyard has problems parsing it correctly?
And I see that the point "TCP Options" is missing.

----------------------------------------------------------------
IPS

[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi

-------------------------------------------------------------
IDS

[**] WEB-MISC /etc/passwd [**]
10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351
IpLen:20 DgmLen:518 DF
***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3183946206 504897406
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74  HTTP/1.0..Accept
3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61  : image/gif, ima
67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D  ge/x-xbitmap, im
61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F  age/jpeg, image/
70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69  pjpeg, applicati
From: Jochen V. <jv...@it...> - 2004-10-20 08:46:50
If I correlate the IDS log with the IPS log I can see the different header structure.
I think that barnyard has problems parsing it correctly?

----------------------------------------------------------------
IPS

[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi

-------------------------------------------------------------
IDS

[**] WEB-MISC /etc/passwd [**]
10/20-10:38:59.304913 0:8:21:B8:AB:23 -> 0:0:D1:1E:EB:9E type:0x800 len:0x214
80.145.180.112:2193 -> 195.245.50.252:80 TCP TTL:53 TOS:0x0 ID:48351
IpLen:20 DgmLen:518 DF
***AP*** Seq: 0xC6089571 Ack: 0x5C7AFFCD Win: 0x16B0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3183946206 504897406
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74  HTTP/1.0..Accept
3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D 61  : image/gif, ima
67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 6D  ge/x-xbitmap, im
61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 2F  age/jpeg, image/
70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 69  pjpeg, applicati
From: Will M. <wil...@gm...> - 2004-10-19 14:35:11
Try

modprobe iptable_nat
modprobe ip_conntrack

and then re-run snort_inline.

Regards,

Will

On Tue, 19 Oct 2004 18:25:03 +0530, Yogdutt Sonivadia <son...@gm...> wrote:
> Hi,
>
> I am new to this group and also new to snort_inline. I am using
> snort_inline-2.2.0 and it's compiled for inline mode; while configuring
> I have provided the --enable-inline option. Also installed the iptables
> userspace utilities (libipq).
>
> I have tested a simple ICMP drop rule as below:
>
> drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ping
> packets dropped";)
>
> I have some doubts in snort_inline; please help me to clear them.
>
> 1) Do I have to recompile my kernel for using snort_inline?
>
> 2) For using snort_inline is it necessary to use honeynet?
>
> 3) Please prompt me if I am wrong. I am using snort_inline for
> filtering purposes. I have added only one iptables rule as:
>
> iptables -A INPUT -p tcp --sport 80 -j QUEUE
>
> and a simple rule in the local.rules file as:
>
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Packet from ip_queue";)
>
> and then I run snort_inline:
>
> snort_inline -Qdvc /etc/snort_inline.conf -l /var/log/snort
>
> After running snort_inline I started to browse the internet but the
> site is not loaded.
>
> Please tell me what is going wrong.
>
> Thanking you in advance.
>
> -- Yogdutt Sonivadia
From: Yogdutt S. <son...@gm...> - 2004-10-19 12:55:05
Hi,

I am new to this group and also new to snort_inline. I am using snort_inline-2.2.0 and it's compiled for inline mode; while configuring I have provided the --enable-inline option. Also installed the iptables userspace utilities (libipq).

I have tested a simple ICMP drop rule as below:

drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ping packets dropped";)

I have some doubts in snort_inline; please help me to clear them.

1) Do I have to recompile my kernel for using snort_inline?

2) For using snort_inline is it necessary to use honeynet?

3) Please prompt me if I am wrong. I am using snort_inline for filtering purposes. I have added only one iptables rule as:

iptables -A INPUT -p tcp --sport 80 -j QUEUE

and a simple rule in the local.rules file as:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Packet from ip_queue";)

and then I run snort_inline:

snort_inline -Qdvc /etc/snort_inline.conf -l /var/log/snort

After running snort_inline I started to browse the internet but the site is not loaded.

Please tell me what is going wrong.

Thanking you in advance.

--
Yogdutt Sonivadia
From: Victor J. <vi...@nk...> - 2004-10-19 06:23:55
> I am not sure how Fortinet does it; however, I know snort-inline now has a
> clamav preprocessor that will scan for viruses in the traffic and block
> it if discovered. There is no proxy involved and all traffic is scanned
> based on a configuration you define. It is a recent development and sure
> to require beefy hardware but might be worth exploring for the edge
> points that require virus scanning. X-posting to snort-inline if they
> want to chime in.

Thanx Jason.

The ClamAV preprocessor does some very basic scanning. It just scans the packet payload and some more data in the so-called 'uber-packet' (which is a reassembled stream, so a couple of payloads are scanned). It does not make any effort to decode, decrypt, unpack, whatever... it just feeds the data it sees to ClamAV.

When William Metcalf and myself designed it, we foremost had in mind to offer some kind of protection against some of the browser attacks, MSN worms and other client attacks.

Btw: it also works with plain Snort (IDS).

Hope this helps,

Victor

> https://sourceforge.net/tracker/index.php?func=detail&aid=1012679&group_id=78497&atid=553469
>
> Ian Gallagher wrote:
> > I'm almost certain that their products scan transparently.
> >
> > On 14 Oct 2004 13:30:38 -0000, Don Draper <do...@dr...> wrote:
> >> In-Reply-To: <200...@mx...>
> >>
> >> Does anyone know if Fortinet on-board virus scanning uses an SMTP
> >> proxy server? Or is it able to accomplish this transparently by
> >> simply inspecting the packets as most of the IDS/IPS do?
> >>
> >> We just purchased a new Proventia M10 from ISS and have discovered
> >> that we cannot use it for Anti-Virus (email) or Anti-Spam due to the
> >> fact that it uses an on-board SMTP proxy server that does not
> >> support SMTP authentication, among other issues. The IPS module does
> >> not need the proxy and works fine. Having on-board virus scanning
> >> at the network edge would be very helpful and Fortinet docs would
> >> make you think it is ALL done with packet inspection and without
> >> any nasty proxies in the middle. Does anyone know how this works?
> >>
> >> TIA,
> >>
> >> Don
From: Jason <sec...@br...> - 2004-10-19 04:26:10
Forgot to add the x-post... oops

-------- Original Message --------
Subject: Re: Fortinet IDS
Date: Mon, 18 Oct 2004 18:59:17 -0400
From: Jason <sec...@br...>
To: Ian Gallagher <cdi...@gm...>
CC: Don Draper <do...@dr...>, foc...@se...
References: <200...@ww...> <d6c...@ma...>

I am not sure how Fortinet does it; however, I know snort-inline now has a clamav preprocessor that will scan for viruses in the traffic and block it if discovered. There is no proxy involved and all traffic is scanned based on a configuration you define. It is a recent development and sure to require beefy hardware but might be worth exploring for the edge points that require virus scanning. X-posting to snort-inline if they want to chime in.

https://sourceforge.net/tracker/index.php?func=detail&aid=1012679&group_id=78497&atid=553469

Ian Gallagher wrote:
> I'm almost certain that their products scan transparently.
>
> On 14 Oct 2004 13:30:38 -0000, Don Draper <do...@dr...> wrote:
>
>> In-Reply-To: <200...@mx...>
>>
>> Does anyone know if Fortinet on-board virus scanning uses an SMTP
>> proxy server? Or is it able to accomplish this transparently by
>> simply inspecting the packets as most of the IDS/IPS do?
>>
>> We just purchased a new Proventia M10 from ISS and have discovered
>> that we cannot use it for Anti-Virus (email) or Anti-Spam due to the
>> fact that it uses an on-board SMTP proxy server that does not
>> support SMTP authentication, among other issues. The IPS module does
>> not need the proxy and works fine. Having on-board virus scanning
>> at the network edge would be very helpful and Fortinet docs would
>> make you think it is ALL done with packet inspection and without
>> any nasty proxies in the middle. Does anyone know how this works?
>>
>> TIA,
>>
>> Don
>>
>> --------------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly? Find out quickly and easily by
>> testing it with real-world attacks from CORE IMPACT. Go to
>> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>> to learn more.
>> --------------------------------------------------------------------------
From: Josh B. <jos...@li...> - 2004-10-19 03:55:05
The TCP header is in the IPS example. It shows the source/destination ports, sequence/ack numbers, TCP flags, window size and TCP length. What is it that you think you are missing?

> The problem is that the payload exists but the TCP header is missing.
> See the IPS log example.
>
>> I'll assume you meant the Ethernet header, in which case no, it is not
>> currently possible, because iptables removes this information. You
>> are getting the TCP header information ;-)
>>
>> > I'm using snort_inline 2.1.3.
>> > If I start IDS with -de I get the Ethernet header, IP header and the TCP
>> > header.
>> > If I start IPS with -Qde I get only the IP header.
>> >
>> > Is it possible to log the TCP header in IPS mode?
>> >
>> > thx jo
>> >
>> > ----------------------------------------------------------------
>> > IPS
>> >
>> > [**] WEB-MISC /etc/passwd [**]
>> > 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
>> > TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
>> > ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
>> > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
>> > 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
>> > 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
>> > 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
>> >
>> > -------------------------------------------------------------
>> > IDS
>> >
>> > [**] WEB-IIS scripts access [**]
>> > 10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
>> > 195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
>> > IpLen:20 DgmLen:451 DF
>> > ***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
>> > TCP Options (3) => NOP NOP TS: 12410822 1352915474
>> > 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
>> > 69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
>> > 30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
>> > 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
>> > 69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag

--
Thanks,
Josh Berry | CISSP GCIA
Principal Engineer
LinkNet-Solutions
469-831-8543
jos...@li...
From: Will M. <wil...@gm...> - 2004-10-18 13:06:09
Yogdutt,

Generally the answer to your question is yes, it should run on almost any 2.4.x kernel or 2.6.x kernel, provided you have support in your kernel for ip_queue. Most 2.4.x users have to manually add in support for bridge firewalling, but you have the one RH 7.3 kernel that has it built in.

If you are trying to use this in a bridge configuration, the proper rule would be

iptables -A FORWARD -p tcp --sport 80 -j QUEUE

If you want to filter incoming HTTP traffic to your host, your rule would be correct.

Regards,

Will

On Mon, 18 Oct 2004 17:43:21 +0530, Yogdutt Sonivadia <son...@gm...> wrote:
> I am new to snort_inline and currently I am running snort_inline 2.2.0
> on Red Hat Linux 7.3 with the 2.4.18-3 kernel.
>
> I want to know whether snort_inline requires the Linux setup
> provided by the honeynet CD-ROM, or whether it runs on any Linux version, or I
> have to recompile the kernel?
>
> Does anyone know a link to a howto for snort_inline?
>
> Can anyone tell me the rule to add in iptables for incoming HTTP
> packets? I added the rule for HTTP in iptables like below; please
> suggest me if I am wrong.
>
> iptables -A INPUT -p tcp --sport 80 -j QUEUE
>
> -- Yogdutt Sonivadia
From: Will M. <wil...@gm...> - 2004-10-18 12:52:40
BTW this was in IPS mode.

On Mon, 18 Oct 2004 07:43:18 -0500, Will Metcalf <wil...@gm...> wrote:
> Did you try a side-by-side comparison of these rules in IDS and IPS
> mode? I just came up with some nonsense that would trigger the
> WEB-IIS scripts rule. It alerted just fine. Tell me what I'm missing
> here?
>
> Regards,
>
> Will
>
> [**] WEB-IIS scripts access [**]
> 10/18-07:36:31.094500 10.1.11.234:2440 -> 10.1.10.250:80 TCP TTL:64
> TOS:0x0 ID:10485 IpLen:20 DgmLen:172 DF
> ***AP*** Seq: 0x3E914225 Ack: 0xB8DE2194 Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 33975060 0
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
> 69 6E 65 2E 64 6C 6C 3F 20 48 54 54 50 2F 31 2E  ine.dll? HTTP/1.
> 30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57  0..User-Agent: W
> 67 65 74 2F 31 2E 38 2E 32 0D 0A 48 6F 73 74 3A  get/1.8.2..Host:
> 20 63 65 6E 74 72 61 6C 2E 6B 63 2E 6C 61 6E 0D   central.kc.lan.
> 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F  .Accept: */*..Co
> 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41  nnection: Keep-A
> 6C 69 76 65 0D 0A 0D 0A                          live....
>
> On Mon, 18 Oct 2004 08:27:06 +0200, Jochen Vogel <jv...@it...> wrote:
> > The problem is that the payload exists but the TCP header is missing.
> > See the IPS log example.
> >
> > > I'll assume you meant the Ethernet header, in which case no, it is not
> > > currently possible, because iptables removes this information. You
> > > are getting the TCP header information ;-)
> > >
> > > > I'm using snort_inline 2.1.3.
> > > > If I start IDS with -de I get the Ethernet header, IP header and the TCP
> > > > header.
> > > > If I start IPS with -Qde I get only the IP header.
> > > >
> > > > Is it possible to log the TCP header in IPS mode?
> > > >
> > > > thx jo
> > > >
> > > > ----------------------------------------------------------------
> > > > IPS
> > > >
> > > > [**] WEB-MISC /etc/passwd [**]
> > > > 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> > > > TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> > > > ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> > > > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
> > > > 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
> > > > 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
> > > > 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
> > > >
> > > > -------------------------------------------------------------
> > > > IDS
> > > >
> > > > [**] WEB-IIS scripts access [**]
> > > > 10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
> > > > 195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
> > > > IpLen:20 DgmLen:451 DF
> > > > ***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
> > > > TCP Options (3) => NOP NOP TS: 12410822 1352915474
> > > > 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
> > > > 69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
> > > > 30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
> > > > 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
> > > > 69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag
From: Will M. <wil...@gm...> - 2004-10-18 12:43:20
Did you try a side-by-side comparison of these rules in IDS and IPS mode? I just came up with some nonsense that would trigger the WEB-IIS scripts rule. It alerted just fine. Tell me what I'm missing here?

Regards,

Will

[**] WEB-IIS scripts access [**]
10/18-07:36:31.094500 10.1.11.234:2440 -> 10.1.10.250:80 TCP TTL:64
TOS:0x0 ID:10485 IpLen:20 DgmLen:172 DF
***AP*** Seq: 0x3E914225 Ack: 0xB8DE2194 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 33975060 0
47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
69 6E 65 2E 64 6C 6C 3F 20 48 54 54 50 2F 31 2E  ine.dll? HTTP/1.
30 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 57  0..User-Agent: W
67 65 74 2F 31 2E 38 2E 32 0D 0A 48 6F 73 74 3A  get/1.8.2..Host:
20 63 65 6E 74 72 61 6C 2E 6B 63 2E 6C 61 6E 0D   central.kc.lan.
0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 43 6F  .Accept: */*..Co
6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41  nnection: Keep-A
6C 69 76 65 0D 0A 0D 0A                          live....

On Mon, 18 Oct 2004 08:27:06 +0200, Jochen Vogel <jv...@it...> wrote:
> The problem is that the payload exists but the TCP header is missing.
> See the IPS log example.
>
> > I'll assume you meant the Ethernet header, in which case no, it is not
> > currently possible, because iptables removes this information. You
> > are getting the TCP header information ;-)
> >
> > > I'm using snort_inline 2.1.3.
> > > If I start IDS with -de I get the Ethernet header, IP header and the TCP
> > > header.
> > > If I start IPS with -Qde I get only the IP header.
> > >
> > > Is it possible to log the TCP header in IPS mode?
> > >
> > > thx jo
> > >
> > > ----------------------------------------------------------------
> > > IPS
> > >
> > > [**] WEB-MISC /etc/passwd [**]
> > > 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> > > TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> > > ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> > > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
> > > 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
> > > 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
> > > 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
> > >
> > > -------------------------------------------------------------
> > > IDS
> > >
> > > [**] WEB-IIS scripts access [**]
> > > 10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
> > > 195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
> > > IpLen:20 DgmLen:451 DF
> > > ***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
> > > TCP Options (3) => NOP NOP TS: 12410822 1352915474
> > > 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
> > > 69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
> > > 30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
> > > 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
> > > 69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag
From: Yogdutt S. <son...@gm...> - 2004-10-18 12:13:23
I am new to snort_inline and currently I am running snort_inline 2.2.0 on Red Hat Linux 7.3 with the 2.4.18-3 kernel.

I want to know whether snort_inline requires the Linux setup provided by the honeynet CD-ROM, or whether it runs on any Linux version, or I have to recompile the kernel?

Does anyone know a link to a howto for snort_inline?

Can anyone tell me the rule to add in iptables for incoming HTTP packets? I added the rule for HTTP in iptables like below; please suggest me if I am wrong.

iptables -A INPUT -p tcp --sport 80 -j QUEUE

--
Yogdutt Sonivadia
From: Jochen V. <jv...@it...> - 2004-10-18 06:31:42
The problem is that the payload exists but the TCP header is missing.
See the IPS log example.

> I'll assume you meant the Ethernet header, in which case no, it is not
> currently possible, because iptables removes this information. You
> are getting the TCP header information ;-)
>
> > I'm using snort_inline 2.1.3.
> > If I start IDS with -de I get the Ethernet header, IP header and the TCP
> > header.
> > If I start IPS with -Qde I get only the IP header.
> >
> > Is it possible to log the TCP header in IPS mode?
> >
> > thx jo
> >
> > ----------------------------------------------------------------
> > IPS
> >
> > [**] WEB-MISC /etc/passwd [**]
> > 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> > TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> > ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> > 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
> > 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
> > 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
> > 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
> >
> > -------------------------------------------------------------
> > IDS
> >
> > [**] WEB-IIS scripts access [**]
> > 10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
> > 195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
> > IpLen:20 DgmLen:451 DF
> > ***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 12410822 1352915474
> > 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
> > 69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
> > 30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
> > 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
> > 69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag
From: Will M. <wil...@gm...> - 2004-10-15 13:39:23
I'll assume you meant the Ethernet header, in which case no, it is not currently possible, because iptables removes this information. You are getting the TCP header information ;-)

Regards,

Will

On Fri, 15 Oct 2004 11:34:06 +0200, Jochen Vogel <jv...@it...> wrote:
> hi,
>
> I'm using snort_inline 2.1.3.
> If I start IDS with -de I get the Ethernet header, IP header and the TCP
> header.
> If I start IPS with -Qde I get only the IP header.
>
> Is it possible to log the TCP header in IPS mode?
>
> thx jo
>
> ----------------------------------------------------------------
> IPS
>
> [**] WEB-MISC /etc/passwd [**]
> 10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
> TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
> ***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
> 47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
> 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
> 31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
> 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
>
> -------------------------------------------------------------
> IDS
>
> [**] WEB-IIS scripts access [**]
> 10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
> 195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
> IpLen:20 DgmLen:451 DF
> ***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
> TCP Options (3) => NOP NOP TS: 12410822 1352915474
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
> 69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
> 30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
> 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
> 69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag
From: Jochen V. <jv...@it...> - 2004-10-15 09:39:20
|
hi,

I'm using snort_inline 2.1.3.
If I start IDS with -de I get the Ethernet Header, IP Header and the TCP Header.
If I start IPS with -Qde I get only the IP Header.

Is it possible to log the TCP Header in IPS mode?

thx jo

----------------------------------------------------------------
IPS

[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127
TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20 GET /etc/passwd
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 HTTP/1.1..Host:
31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A 195.245.50.252..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 User-Agent: Mozi

-------------------------------------------------------------
IDS

[**] WEB-IIS scripts access [**]
10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206
IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 12410822 1352915474
47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C GET /scripts/onl
69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35 ine.dll?icq=2835
30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50 06997&img=5 HTTP
2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E /1.1..Host: wwp.
69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67 icq.com..User-Ag
|
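The two alert blocks in this post differ in more than the Ethernet line, and the difference is easier to see mechanically than by eye. Below is a parser for the "full" alert text Snort prints, added here as an example (it is not snort_inline code). It accepts both the pcap-fed IDS variant, which carries an Ethernet line, and the ip_queue-fed IPS variant, which starts at the IP header; it rebuilds the payload from the hex dump; and it cross-checks that a "TCP Options" line is present exactly when TcpLen is greater than 20, that the Ethernet frame length is DgmLen plus 14, and whether the dump covers the whole segment. The two sample alerts are copied from this post with the mail-wrapped header lines rejoined onto one line each; the dict field names are my own choice.

```python
"""Parser for Snort's "full" alert text (added example, not snort_inline code).
Handles the IDS variant (pcap input, Ethernet line present) and the IPS
variant (ip_queue input, which begins at the IP header)."""
import re

# Both alerts copied from the post above; the header lines are rejoined here
# because the mailer wrapped them.
IPS_ALERT = """\
[**] WEB-MISC /etc/passwd [**]
10/15-09:41:46.075405 195.245.50.253:16365 -> 195.245.50.252:80 TCP TTL:127 TOS:0x0 ID:53584 IpLen:20 DgmLen:450 DF
***AP*** Seq: 0x669EF8CC Ack: 0x5D3677B5 Win: 0xFAF0 TcpLen: 20
47 45 54 20 2F 65 74 63 2F 70 61 73 73 77 64 20  GET /etc/passwd
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
31 39 35 2E 32 34 35 2E 35 30 2E 32 35 32 0D 0A  195.245.50.252..
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
"""

IDS_ALERT = """\
[**] WEB-IIS scripts access [**]
10/15-11:16:53.955488 0:1:2:6:E6:E8 -> 0:8:21:B8:AB:23 type:0x800 len:0x1D1
195.245.50.253:18648 -> 205.188.248.25:80 TCP TTL:63 TOS:0x0 ID:46206 IpLen:20 DgmLen:451 DF
***AP*** Seq: 0xEF7AEB2D Ack: 0x6D6ECF21 Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 12410822 1352915474
47 45 54 20 2F 73 63 72 69 70 74 73 2F 6F 6E 6C  GET /scripts/onl
69 6E 65 2E 64 6C 6C 3F 69 63 71 3D 32 38 33 35  ine.dll?icq=2835
30 36 39 39 37 26 69 6D 67 3D 35 20 48 54 54 50  06997&img=5 HTTP
2F 31 2E 31 0D 0A 48 6F 73 74 3A 20 77 77 70 2E  /1.1..Host: wwp.
69 63 71 2E 63 6F 6D 0D 0A 55 73 65 72 2D 41 67  icq.com..User-Ag
"""

MSG_RE = re.compile(r"^\[\*\*\] (.*?) \[\*\*\]$")
TS_RE = re.compile(r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+")
ETH_RE = re.compile(r"([0-9A-F:]+) -> ([0-9A-F:]+) type:0x([0-9A-F]+) len:0x([0-9A-F]+)")
IP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+) TTL:(\d+) "
                   r"TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)( DF)?")
TCP_RE = re.compile(r"([*12UAPRSF]{8}) Seq: 0x([0-9A-F]+) Ack: 0x([0-9A-F]+) "
                    r"Win: 0x([0-9A-F]+) TcpLen: (\d+)")
OPT_RE = re.compile(r"TCP Options \((\d+)\) => (.+)$")
# Snort prints at most 16 bytes per dump line, then the ASCII column.  Capping
# at 16 pairs keeps ASCII text that happens to look like hex out of the payload.
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")


def parse_alert(text):
    """Turn one full-format alert block into a dict; raise on a non-alert."""
    lines = [l.rstrip() for l in text.strip().splitlines()]
    m = MSG_RE.match(lines[0])
    if not m:
        raise ValueError("not a Snort full alert: missing [**] msg [**] line")
    header, payload = [], bytearray()
    for line in lines[1:]:
        h = HEX_RE.match(line)
        if h:
            payload += bytes.fromhex(h.group(1).replace(" ", ""))
        else:
            header.append(line)
    blob = " ".join(header)   # immune to wherever a mail client wrapped the header
    ts, e, ip, tcp, opt = (r.search(blob) for r in (TS_RE, ETH_RE, IP_RE, TCP_RE, OPT_RE))
    if not (ip and tcp):
        raise ValueError("IP or TCP header line missing")
    return {
        "msg": m.group(1),
        "timestamp": ts.group(0) if ts else None,
        # None for ip_queue-sourced packets: there is no link layer to print
        "eth": None if not e else {"src": e[1], "dst": e[2],
                                   "type": int(e[3], 16), "len": int(e[4], 16)},
        "ip": {"src": ip[1], "sport": int(ip[2]), "dst": ip[3], "dport": int(ip[4]),
               "proto": ip[5], "ttl": int(ip[6]), "id": int(ip[8]), "iplen": int(ip[9]),
               "dgmlen": int(ip[10]), "df": ip[11] is not None},
        "tcp": {"flags": tcp[1], "seq": int(tcp[2], 16), "ack": int(tcp[3], 16),
                "win": int(tcp[4], 16), "tcplen": int(tcp[5])},
        "tcp_options": None if not opt else {"count": int(opt[1]), "text": opt[2]},
        "payload": bytes(payload),
    }


def check_alert(rec):
    """Cross-check the header fields against each other and against the dump."""
    ip, tcp = rec["ip"], rec["tcp"]
    checks = {
        # Snort prints a "TCP Options" line only when the header exceeds 20 bytes
        "options_line_matches_tcplen": (rec["tcp_options"] is not None) == (tcp["tcplen"] > 20),
        # the dump is usually shorter than DgmLen - IpLen - TcpLen (truncated output)
        "dump_complete": len(rec["payload"]) == ip["dgmlen"] - ip["iplen"] - tcp["tcplen"],
    }
    if rec["eth"] is not None:
        # frame length = IP datagram + 14-byte Ethernet header
        checks["eth_len_is_dgmlen_plus_14"] = rec["eth"]["len"] == ip["dgmlen"] + 14
    return checks
```

Run on the two alerts, the IPS record has `eth` of None, `tcplen` 20 and no options (so the missing "TCP Options" line is consistent, not lost output), while the IDS record carries three options in its 32-byte header and a frame length of 0x1D1 that matches DgmLen 451 plus 14. Both dumps are shorter than the segment the headers describe, which the `dump_complete` check flags.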
From: Will M. <wil...@gm...> - 2004-10-14 21:26:36
|
I haven't forgotten about you, I've just been super busy. I'll look over the files you have sent this evening. Sorry it has taken so long for me to get back to you.

Regards,

Will

On Thu, 14 Oct 2004 14:51:24 -0400, Swaminathan Srinivasan <ssr...@cs...> wrote:
> Hi
>
> So I tested my setup again. First let me describe the setup.
>
> 1. I have snort-inline running on my machine looking at packets in and out
> of the machine. The machine does not forward any packets.
> 2. I setup iptables to queue all packets in and out the machine
> iptables -A INPUT -j QUEUE
> iptables -A OUTPUT -j QUEUE
> 3. I start snort inline as follows
> snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> 4. snort_inline starts up without complaining
>
> So now when I try to ssh to a host in my network I see snort giving
> information on the SYN packet but tcpdump does not see the packet so I
> assume the packet is getting dropped. But I do not get any alerts either.
> At the same time DNS requests are also queued but those get through and so
> do icmp packets.
> (btw I am assuming all the alerts including from dropped packets can be seen
> in /var/log/snort/alerts am I wrong ?)
> I made some changes to snort_inline.conf file and I am sending it again.
>
> Any suggestions on what am I doing wrong ?
>
> thanks
> Swami
>
> On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> > What does your snort_inline.conf look like? It sounds like you might
> > be using forceiptstate without using marks in iptables to track state.
> > Really can't say without seeing your snort_inline.conf and how your
> > snort_inline box sits in relation to the rest of your network.
> >
> > iptables -t mangle -A FORWARD -p tcp --syn -m state --state
> > NEW -j MARK --set-mark 1
> > iptables -t mangle -A FORWARD -p tcp -m state --state
> > ESTABLISHED -j MARK --set-mark 2
> > iptables -A FORWARD -j QUEUE
> >
> > Regards,
> >
> > Will
> >
> > On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan
> > <ssr...@cs...> wrote:
> > > hi all
> > > I am new to snort-inline or even snort. I have been trying to get snort
> > > inline(version 2.2.0 build 30) work on my machine for a very basic setup.
> > > I wanted all the packets in and out of my machine to go through snort
> > >
> > > so I setup my iptables with these 2 rules (only these 2 rules)
> > > iptables -A INPUT -j QUEUE
> > > iptables -A OUTPUT -j QUEUE
> > >
> > > Then I start my snort inline as
> > > snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> > >
> > > I see my icmp and udp packets get through but not none of my tcp sessions(I
> > > tried web and ssh) are intiated. I don't even see SYN packets
> > >
> > > I have used the sample snort_inline config file available with the distribution
> > > with some changes to turning on preprocessors
> > >
> > > What am I missing ?
> > >
> > > thanks
> > > Swami
|
From: Swaminathan S. <ssr...@cs...> - 2004-10-14 18:51:40
|
Hi

So I tested my setup again. First let me describe the setup.

1. I have snort-inline running on my machine looking at packets in and out of the machine. The machine does not forward any packets.
2. I set up iptables to queue all packets in and out of the machine
iptables -A INPUT -j QUEUE
iptables -A OUTPUT -j QUEUE
3. I start snort inline as follows
snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
4. snort_inline starts up without complaining

So now when I try to ssh to a host in my network I see snort giving information on the SYN packet but tcpdump does not see the packet, so I assume the packet is getting dropped. But I do not get any alerts either. At the same time DNS requests are also queued but those get through, and so do icmp packets.
(btw I am assuming all the alerts, including from dropped packets, can be seen in /var/log/snort/alerts; am I wrong?)
I made some changes to the snort_inline.conf file and I am sending it again.

Any suggestions on what I am doing wrong?

thanks
Swami

On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> What does your snort_inline.conf look like? It sounds like you might
> be using forceiptstate without using marks in iptables to track state.
> Really can't say without seeing your snort_inline.conf and how your
> snort_inline box sits in relation to the rest of your network.
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state
> NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state
> ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -j QUEUE
>
> Regards,
>
> Will
>
> On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan
> <ssr...@cs...> wrote:
> > hi all
> > I am new to snort-inline or even snort. I have been trying to get snort
> > inline(version 2.2.0 build 30) work on my machine for a very basic setup.
> > I wanted all the packets in and out of my machine to go through snort
> >
> > so I setup my iptables with these 2 rules (only these 2 rules)
> > iptables -A INPUT -j QUEUE
> > iptables -A OUTPUT -j QUEUE
> >
> > Then I start my snort inline as
> > snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> >
> > I see my icmp and udp packets get through but not none of my tcp sessions(I
> > tried web and ssh) are intiated. I don't even see SYN packets
> >
> > I have used the sample snort_inline config file available with the distribution
> > with some changes to turning on preprocessors
> >
> > What am I missing ?
> >
> > thanks
> > Swami
|
From: Justin A. <JA...@ua...> - 2004-10-13 17:30:50
|
On Tue, 2004-10-12 at 19:55, Swaminathan Srinivasan wrote:
> hi all
> I am new to snort-inline or even snort. I have been trying to get snort
> inline(version 2.2.0 build 30) work on my machine for a very basic
> setup.
> I wanted all the packets in and out of my machine to go through snort
>
> so I setup my iptables with these 2 rules (only these 2 rules)
> iptables -A INPUT -j QUEUE
> iptables -A OUTPUT -j QUEUE

try iptables -L -n -v, you should see the counters on the QUEUE rule increasing with each packet.

my guess is that you wanted
iptables -A FORWARD -j QUEUE
rather than the 2 above

> Then I start my snort inline as
> snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l
> /var/log/snort
>
> I see my icmp and udp packets get through but not none of my tcp
> sessions(I
> tried web and ssh) are intiated. I don't even see SYN packets
>
> I have used the sample snort_inline config file available with the
> distribution
> with some changes to turning on preprocessors
>
> What am I missing ?
>
>
> thanks
> Swami

--
-- Justin Azoff
-- Network Performance Analyst
|
From: Swaminathan S. <ssr...@cs...> - 2004-10-13 17:24:35
|
Hi again

I also wanted to mention that snort-inline does see these packets. I checked by running snort inline as
snort_inline -Qvc /etc/snort-inline/snort_inline.conf
But it's just that the packets don't seem to pass through it. I don't see any alerts either. I tried to ssh to test this configuration.

thanks
Swami

On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> What does your snort_inline.conf look like? It sounds like you might
> be using forceiptstate without using marks in iptables to track state.
> Really can't say without seeing your snort_inline.conf and how your
> snort_inline box sits in relation to the rest of your network.
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state
> NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state
> ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -j QUEUE
>
> Regards,
>
> Will
>
> On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan
> <ssr...@cs...> wrote:
> > hi all
> > I am new to snort-inline or even snort. I have been trying to get snort
> > inline(version 2.2.0 build 30) work on my machine for a very basic setup.
> > I wanted all the packets in and out of my machine to go through snort
> >
> > so I setup my iptables with these 2 rules (only these 2 rules)
> > iptables -A INPUT -j QUEUE
> > iptables -A OUTPUT -j QUEUE
> >
> > Then I start my snort inline as
> > snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> >
> > I see my icmp and udp packets get through but not none of my tcp sessions(I
> > tried web and ssh) are intiated. I don't even see SYN packets
> >
> > I have used the sample snort_inline config file available with the distribution
> > with some changes to turning on preprocessors
> >
> > What am I missing ?
> >
> > thanks
> > Swami
|
From: Swaminathan S. <ssr...@cs...> - 2004-10-13 17:04:25
|
Hi

thanks for the reply. I am not using forceiptstate. As far as the network config goes I have my machine with one network interface connected to the internet. I am running snort_inline so that all the packets in and out of my machine are inspected by it. This is a basic config I wanted to test first before I used it as an IPS for a network. I am attaching my config file with the mail. It is mostly an unedited version of the sample config file that came with the snort-inline distribution.

thanks
Swami

On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> What does your snort_inline.conf look like? It sounds like you might
> be using forceiptstate without using marks in iptables to track state.
> Really can't say without seeing your snort_inline.conf and how your
> snort_inline box sits in relation to the rest of your network.
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state
> NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state
> ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -j QUEUE
>
> Regards,
>
> Will
>
> On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan
> <ssr...@cs...> wrote:
> > hi all
> > I am new to snort-inline or even snort. I have been trying to get snort
> > inline(version 2.2.0 build 30) work on my machine for a very basic setup.
> > I wanted all the packets in and out of my machine to go through snort
> >
> > so I setup my iptables with these 2 rules (only these 2 rules)
> > iptables -A INPUT -j QUEUE
> > iptables -A OUTPUT -j QUEUE
> >
> > Then I start my snort inline as
> > snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> >
> > I see my icmp and udp packets get through but not none of my tcp sessions(I
> > tried web and ssh) are intiated. I don't even see SYN packets
> >
> > I have used the sample snort_inline config file available with the distribution
> > with some changes to turning on preprocessors
> >
> > What am I missing ?
> >
> > thanks
> > Swami
|
From: Will M. <wil...@gm...> - 2004-10-13 02:11:59
|
What does your snort_inline.conf look like? It sounds like you might be using forceiptstate without using marks in iptables to track state. Really can't say without seeing your snort_inline.conf and how your snort_inline box sits in relation to the rest of your network.

iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
iptables -A FORWARD -j QUEUE

Regards,

Will

On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan <ssr...@cs...> wrote:
> hi all
> I am new to snort-inline or even snort. I have been trying to get snort
> inline(version 2.2.0 build 30) work on my machine for a very basic setup.
> I wanted all the packets in and out of my machine to go through snort
>
> so I setup my iptables with these 2 rules (only these 2 rules)
> iptables -A INPUT -j QUEUE
> iptables -A OUTPUT -j QUEUE
>
> Then I start my snort inline as
> snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
>
> I see my icmp and udp packets get through but not none of my tcp sessions(I
> tried web and ssh) are intiated. I don't even see SYN packets
>
> I have used the sample snort_inline config file available with the distribution
> with some changes to turning on preprocessors
>
> What am I missing ?
>
> thanks
> Swami
|
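Two things in this thread are worth checking from text you can collect on the box rather than by guesswork: Justin's suggestion to watch the QUEUE rule counters in `iptables -L -n -v`, and Will's point that forceiptstate needs the NEW/ESTABLISHED MARK rules in the mangle table. The script below is an added example, not snort_inline code. It parses the output of `iptables -L -n -v`, `iptables -t mangle -L -n -v` and `/proc/net/ip_queue` and lists the usual first-deployment problems: no QUEUE rule, a QUEUE rule in the wrong chain for a host-only box, a QUEUE rule that never matches, no process attached to ip_queue (in which case the kernel drops every queued packet, so the box fails closed), queue overflows, and missing mark rules. The sample outputs are constructed to mirror the INPUT/OUTPUT setup in this thread and the layout those commands print; the wording of each finding is mine.

```python
"""Sanity checks for an ip_queue / snort_inline deployment (added example,
not snort_inline code).  Feed it the text of `iptables -L -n -v`,
`iptables -t mangle -L -n -v` and /proc/net/ip_queue."""
import re

# Constructed samples in the format those commands print, mirroring the
# host-only INPUT/OUTPUT setup described in this thread.
FILTER_OUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 61234 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  797 98765 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
MANGLE_EMPTY = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""
# What Will's three mark rules look like once loaded (--syn prints as flags 0x17/0x02).
MANGLE_MARKED = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 state NEW MARK set 0x1
  340 41230 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED MARK set 0x2
"""
IPQ_PROC = """\
Peer PID          : 4711
Copy mode         : 2
Copy range        : 1514
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# pkts bytes target prot opt in out source destination [match/target details]
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
                     r"\s+(\S+)\s+(\S+)\s*(.*)$")


def _count(s):
    """iptables abbreviates large counters as 12K, 3M, ..."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)


def parse_iptables(text):
    """Return {chain: [rule dict, ...]} from `iptables [-t table] -L -n -v`."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = m.group(1)
            chains[cur] = []
            continue
        m = RULE_RE.match(line)
        if m and cur is not None:
            chains[cur].append({"pkts": _count(m.group(1)), "bytes": _count(m.group(2)),
                                "target": m.group(3), "prot": m.group(4), "extra": m.group(10)})
    return chains


def parse_ip_queue(text):
    """Return the /proc/net/ip_queue counters as {name: int}."""
    out = {}
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if val.strip().isdigit():
            out[key.strip()] = int(val)
    return out


def diagnose(filter_text, mangle_text, ipq_text, forwards_traffic):
    """List the problems a first snort_inline deployment usually hits."""
    chains, mangle, q = parse_iptables(filter_text), parse_iptables(mangle_text), parse_ip_queue(ipq_text)
    issues = []
    queued = [(c, r) for c, rules in chains.items() for r in rules if r["target"] == "QUEUE"]
    if not queued:
        issues.append("no QUEUE rule in the filter table: nothing reaches snort_inline")
    if forwards_traffic and not any(c == "FORWARD" for c, _ in queued):
        issues.append("box forwards traffic but FORWARD has no QUEUE rule")
    if queued and not forwards_traffic and all(c == "FORWARD" for c, _ in queued):
        issues.append("host-only box: QUEUE sits in FORWARD, use INPUT/OUTPUT")
    for c, r in queued:
        if r["pkts"] == 0:
            issues.append(f"QUEUE rule in {c} has never matched a packet")
    if q.get("Peer PID", 0) == 0:
        issues.append("no process attached to ip_queue: queued packets are dropped by the kernel")
    if q.get("Queue dropped", 0) > 0:
        issues.append(f"ip_queue overflowed {q['Queue dropped']} times: userspace too slow")
    marks = [r for rules in mangle.values() for r in rules if r["target"] == "MARK"]
    if not (any("NEW" in r["extra"] for r in marks) and any("ESTABLISHED" in r["extra"] for r in marks)):
        issues.append("no NEW/ESTABLISHED MARK rules in mangle: forceiptstate has nothing to read")
    return issues
```

For the setup in this thread (QUEUE in INPUT and OUTPUT, no mark rules, snort_inline attached to ip_queue) the only finding is the missing mark rules, which is harmless as long as forceiptstate stays off. The "Peer PID : 0" case is the one to watch in production: it is what you see when snort_inline has died, and every packet that hits the QUEUE rule is then dropped rather than passed.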
From: Swaminathan S. <ssr...@cs...> - 2004-10-12 23:56:13
|
hi all

I am new to snort-inline or even snort. I have been trying to get snort inline (version 2.2.0 build 30) to work on my machine for a very basic setup. I wanted all the packets in and out of my machine to go through snort.

so I set up my iptables with these 2 rules (only these 2 rules)
iptables -A INPUT -j QUEUE
iptables -A OUTPUT -j QUEUE

Then I start my snort inline as
snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort

I see my icmp and udp packets get through but none of my tcp sessions (I tried web and ssh) are initiated. I don't even see SYN packets.

I have used the sample snort_inline config file available with the distribution with some changes to turn on preprocessors.

What am I missing?

thanks
Swami
|
From: Will M. <wil...@gm...> - 2004-10-07 20:08:47
|
List,

I have gotten two e-mails today about poor performance in snort_inline. Please send me (off list if you want) a sanitized version of your snort_inline.conf file and your iptables rules. Our biggest bottleneck in snort_inline has been and probably always will be ip_queue. I'm using snort_inline on decent hardware to protect a 54mb link and I haven't ever had any complaints about speed. So it is hard for me to judge if it is something in the code that we need to fix or if it is just a configuration issue.

Regards,

Will

On Thu, 07 Oct 2004 15:26:44 -0400, Justin Azoff <ja...@ua...> wrote:
> I purposely put snort_inline on an underpowered box to see how well it
> would scale to 100mbit (not very well as it turns out:-)).
>
> I was trying to work out ways to reduce the number of packets sent
> through snort. At first I came up with something like:
>
> iptables -A forward -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A forward -j QUEUE
>
> which works to limit the packets going through snort, but will obviously
> cause snort to miss any attack that is broken up across many packets, or
> any attack that needs to establish a session first(like logging in to an
> anonymous ftp server).
>
> In looking at the l7-filter stuff for linux, they have the following
> feature:
>
> """
> By default, l7-filter looks at the first 8 packets or 2kB, whichever is
> smaller. You can alter the number of packets through
> /proc/net/layer7_numpackets. i.e. "echo "12" >
> /proc/net/layer7_numpackets". You can alter the maximum data size by
> recompiling the kernel with a larger value for "Buffer size for
> application layer data" (CONFIG_IP_NF_MATCH_LAYER7_MAXDATALEN).
> """
>
> I was wondering if snort_inline could be made to work the same way. I
> think all that is needed is a hacked up ip_queue module, but it might be
> more complicated than that.
>
> Does anyone have any thoughts on this idea?
>
> --
> -- Justin Azoff
> -- Network Performance Analyst
|