From: Alberto Z. <al...@in...> - 2007-07-19 21:09:34

I'm a newbie, but I didn't find any help in previous messages. I just compiled snort_inline 2.6.1.5 on a Gentoo Linux server using the howto at http://linuxgazette.net/117/savage.html, I downloaded the rules via oinkmaster and I substituted all "alert" with "drop", but snort doesn't drop any packet, only alert. The strange thing is the rule application order, where the pass rule is just before the drop rule, like a startup with the -o flag. The server uses hardened sources and SELinux. Can you help me please?

Thanks,
Alberto

linux # /usr/local/bin/snort_inline -Qv -c /etc/snort_inline/snort_inline.conf
Reading from iptables
Running in IDS mode
Initializing Inline mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Var 'eth1_ADDRESS' defined, value len = 30 chars, value = 87.238.232.224/255.255.255.240
Var 'eth2_ADDRESS' defined, value len = 28 chars, value = 87.238.232.0/255.255.255.128
Var 'eth3_ADDRESS' defined, value len = 30 chars, value = 87.238.232.136/255.255.255.252
Var 'eth4_ADDRESS' defined, value len = 30 chars, value = 87.238.232.140/255.255.255.252
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort_inline/snort_inline.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 3 chars, value = any
Var 'HONEYNET' defined, value len = 3 chars, value = any
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'SMTP_SERVERS' defined, value len = 3 chars, value = any
Var 'TELNET_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_SERVERS' defined, value len = 3 chars, value = any
Var 'SQL_SERVERS' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 3 chars, value = any
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'SSH_PORTS' defined, value len = 2 chars, value = 22
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 28 chars, value = /etc/snort_inline/drop-rules
,-----------[Flow Config]----------------------
| Stats Interval:        0
| Hash Method:           2
| Memcap:                10485760
| Rows  :                4099
| Overhead Bytes:        16400(%0.16)
`----------------------------------------------
stream4inline mode enabled
truncating mode enabled
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 3600 seconds
    Session memory cap: 134217728 bytes
    Session count max: 8192 sessions
    Session cleanup count: 5
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: ACTIVE and DROPPING
    Midstream Drop Alerts: INACTIVE
    Allow Blocking of TCP Sessions in Inline: ACTIVE
    Server Data Inspection Limit: -1
    Inline-mode options:
        Inline-mode enabled? (stream4inline): Yes
        Scan mode? (scan_stream_only): Both packet and stream
        Sliding Windowsize (window_size): 3000
        Memcap reached method (truncate): Truncate
        Truncate percentage (truncate_percentage): 33
        Store/Load state from/to disk: No
        Max out-of-order packets in a stream (max_ooo_pkts): 5
        Max out-of-order bytes in a stream (max_ooo_bytes): 5000
        Max sequence holes in a stream (max_seq_holes): 2
        Normalize wscale max (norm_wscale_max): 2
        Perform window scale normaliztion: Yes
        Disable out-of-order packet drop: No
        Disable out-of-order packet drop: No
        Disable sequence hole packet drop: No
        Max sequence holes in a stream (max_seq_holes): 2
        Disable wscale normalization alerts (disable_norm_wscale_alerts): No
        Disable out-of-order alerts (disable_ooo_alerts): No
        Drop bad RST packets? (drop_bad_rst): No
        Disable evasive retransmission packet drop: No
        Disable out-of-window packet drop: No
        Disable all protocol violation drops: No
WARNING /etc/snort_inline/snort_inline.conf(368) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
    Server reassembly: ACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    Flush stream on alert: INACTIVE
    flush_data_diff_size: 500
    Reassembler Packet Preferance : Favor New
    Packet Sequence Overlap Limit: -1
    Flush behavior: Small (<255 bytes)
    Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
    Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /etc/snort_inline/unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

6152 Snort rules read...
6152 Option Chains linked into 185 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Tagged Packet Limit: 256
InitInline stage 2: InitInlinePostConfig starting...

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1  sig-id=2275  type=Threshold  tracking=dst  count=5   seconds=60
| gen-id=1  sig-id=5321  type=Limit      tracking=src  count=1   seconds=60
| gen-id=1  sig-id=3273  type=Threshold  tracking=src  count=5   seconds=2
| gen-id=1  sig-id=3527  type=Limit      tracking=dst  count=5   seconds=60
| gen-id=1  sig-id=4984  type=Threshold  tracking=src  count=5   seconds=2
| gen-id=1  sig-id=2923  type=Threshold  tracking=dst  count=10  seconds=60
| gen-id=1  sig-id=3152  type=Threshold  tracking=src  count=5   seconds=2
| gen-id=1  sig-id=2523  type=Both       tracking=dst  count=10  seconds=10
| gen-id=1  sig-id=5323  type=Limit      tracking=src  count=1   seconds=60
| gen-id=1  sig-id=5322  type=Limit      tracking=src  count=1   seconds=60
| gen-id=1  sig-id=3543  type=Threshold  tracking=src  count=5   seconds=2
| gen-id=1  sig-id=2924  type=Threshold  tracking=dst  count=10  seconds=60
| gen-id=1  sig-id=3542  type=Threshold  tracking=src  count=5   seconds=2
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log
Log directory = /var/log/snort
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: YES
      Continue to check encrypted data: NO
    TELNET CONFIG:
      Ports: 23
      Are You There Threshold: 200
      Normalize: YES
      Detect Anomalies: NO
    FTP CONFIG:
      FTP Server: default
        Ports: 21
        Check for Telnet Cmds: YES alert: YES
        Identify open data channels: YES
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25
    Inspection Type: STATEFUL
    Normalize Spaces: YES
    Ignore Data: NO
    Ignore TLS Data: NO
    Ignore Alerts: NO
    Max Command Length: 0
    Max Header Line Length: 0
    Max Response Line Length: 0
    X-Link2State Alert: YES
    Drop on X-Link2State Alert: NO

DCE/RPC Decoder config:
    Autodetect ports ENABLED
    SMB fragmentation ENABLED
    DCE/RPC fragmentation ENABLED
    Max Frag Size: 3000 bytes
    Memcap: 100000 KB
    Alert if memcap exceeded DISABLED

DNS config:
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
Verifying Preprocessor Configurations!
Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.
50 out of 512 flowbits in use.
Setting the Packet Processor to decode packets from iptables
database: compiled support for ( postgresql )
database: configured to use postgresql
database:          user = snort
database: password is set
database: database name = snort_log
database:          host = localhost
Node unique name is: unknown:NULL

database: sensor name = unknown:NULL
database:   sensor id = 2
database: schema version = 107
database: using the "log" facility
+--[Pattern Matcher:Aho-Corasick Summary]----------------------
| Alphabet Size    :   256 Chars
| Sizeof State     :   2 bytes
| Storage Format   :   Full
| Num States       :   103504
| Num Transitions  :   4125009
| State Density    :   15.6%
| Finite Automatum :   DFA
| Memory           :   163.78Mbytes
+-------------------------------------------------------------

        --== Initialization Complete ==--

   ,,_     -*> Snort_Inline! <*-
  o"  )~   Version 2.6.1.5 (Build 59) inline
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           Snort_Inline Mod by William Metcalf, Victor Julien, Nick Rogness,
           Dave Remien, Rob McMillen and Jed Haile
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
           Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
           Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
           Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
           Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
Not Using PCAP_FRAMES
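The message above describes bulk-rewriting a downloaded ruleset from "alert" to "drop" and then checking the rule application order shown at startup (pass before drop). The following is an added example, not code from the thread or from the snort_inline project: it rewrites only the leading action keyword of each rule line (a blanket text substitution would also change the word "alert" wherever it appears inside a msg string), reports how many rules carry each action afterwards so you can confirm no "alert" rules remain, and lists the SIDs of any pass rules, which under the pass-before-drop order printed above take precedence over drop rules for the same traffic. The ruleset is a constructed sample; the SIDs and messages in it are made up.

```python
import re

# Constructed sample ruleset (not the page's downloaded rules): three alert rules,
# one pass rule, a comment and a blank line. Rule 1000001 deliberately carries
# the word "alert" inside its msg string.
SAMPLE_RULES = """\
# local.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC sample alert in message"; flow:to_server,established; content:"/sample"; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP sample echo"; itype:8; sid:1000002; rev:1;)
pass tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"allow ssh"; sid:1000003; rev:1;)

alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS sample query"; sid:1000004; rev:1;)
"""

# Action keywords, taken from the "Rule application order" line of the startup
# output above (the activation stage corresponds to the "activate" keyword).
ACTIONS = {"activate", "dynamic", "pass", "drop", "sdrop", "reject",
           "rejectboth", "rejectsrc", "rejectdst", "alert", "log"}
RULE_RE = re.compile(r"^(?P<action>[a-z]+)(?P<rest>\s+\S.*)$")
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def naive_rewrite(text, old="alert", new="drop"):
    """The sed-style blanket substitution: hits every occurrence, msg text included."""
    return text.replace(old, new)


def rewrite_actions(text, old="alert", new="drop"):
    """Replace only the leading action keyword of each rule line.

    Returns (rewritten_text, action_counts); the counts let the caller verify
    that no rule still carries the old action once the rewrite is done.
    """
    out, counts = [], {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") in ACTIONS:
            action = new if m.group("action") == old else m.group("action")
            line = action + m.group("rest")
            counts[action] = counts.get(action, 0) + 1
        out.append(line)          # comments and blank lines pass through untouched
    return "\n".join(out) + "\n", counts


def rules_with_action(text, action):
    """SIDs of the rules whose action keyword equals `action` (None if a rule has no sid)."""
    sids = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") == action:
            s = SID_RE.search(line)
            sids.append(int(s.group(1)) if s else None)
    return sids


if __name__ == "__main__":
    safe, counts = rewrite_actions(SAMPLE_RULES)
    print("action counts after rewrite:", counts)
    print("remaining alert rules:", rules_with_action(safe, "alert"))
    print("pass rules (win over drop under a pass-first order):", rules_with_action(safe, "pass"))
    print("blanket substitution altered msg text:", "sample drop in message" in naive_rewrite(SAMPLE_RULES))
```

Run it against a real rules directory by reading each file into `rewrite_actions` and writing the result back only when the returned counts contain no "alert" entry; the pass-rule listing is what to review when traffic you expect to be dropped is still only alerted on.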
From: Will M. <wil...@gm...> - 2007-07-19 23:32:31

what do your iptables rules look like?

Regards,
Will

On 7/19/07, Alberto Zuin <al...@in...> wrote:
> I'm a newbie, but I didn't find any help in previous messages.
> I just compiled snort_inline 2.6.1.5 on a Gentoo Linux server using the
> howto at http://linuxgazette.net/117/savage.html, I downloaded the rules
> via oinkmaster and I substituted all "alert" with "drop", but snort doesn't
> drop any packet, only alert.
> The strange thing is the rule application order, where the pass rule is
> just before the drop rule, like a startup with the -o flag.
> The server uses hardened sources and SELinux.
> Can you help me please?
> Thanks,
> Alberto
From: Alberto Z. <al...@in...> - 2007-07-20 05:45:23

Excuse me, but I didn't reply to the list... I'm using Shorewall to configure iptables, and my policy file is:

$FW   net   ACCEPT
$FW   dmz   ACCEPT
$FW   lea   ACCEPT
$FW   clu   ACCEPT
lea   $FW   ACCEPT
clu   $FW   ACCEPT
dmz   $FW   ACCEPT
lea   net   ACCEPT
lea   dmz   ACCEPT
dmz   net   ACCEPT
pin   net   ACCEPT
pin   dmz   ACCEPT
net   all   DROP    info
all   all   REJECT  info

and my rules file is:

QUEUE   net   fw                 icmp
QUEUE   net   fw                 tcp   179
QUEUE   net   fw                 udp   179
QUEUE   net   fw                 tcp   41
QUEUE   net   fw                 udp   41
QUEUE   net   fw                 tcp   80
QUEUE   net   dmz                icmp
QUEUE   net   dmz                tcp   41
QUEUE   net   dmz                udp   41
ACCEPT  net   dmz:87.238.232.7   tcp   22
QUEUE   net   dmz:87.238.232.7   tcp   80

You can try to launch nmap -v 87.238.232.7; this is the output:

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-20 07:41 CEST
Machine 87.238.232.7 MIGHT actually be listening on probe port 80
Initiating Parallel DNS resolution of 1 host. at 07:41
Completed Parallel DNS resolution of 1 host. at 07:41, 0.03s elapsed
Initiating Connect() Scan at 07:41
Scanning napoli.leaproject.it (87.238.232.7) [1697 ports]
Discovered open port 22/tcp on 87.238.232.7
Discovered open port 80/tcp on 87.238.232.7
Connect() Scan Timing: About 32.51% done; ETC: 07:43 (0:01:02 remaining)
Completed Connect() Scan at 07:43, 89.75s elapsed (1697 total ports)
Host napoli.leaproject.it (87.238.232.7) appears to be up ... good.
Interesting ports on napoli.leaproject.it (87.238.232.7):
Not shown: 1693 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
41/tcp  closed graphics
80/tcp  open   http
113/tcp closed auth

Nmap finished: 1 IP address (1 host up) scanned in 91.956 seconds

And in the snort_inline-fast log:

07/20-07:41:26.446420  [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 62.123.168.250:42081 -> 87.238.232.7:80
07/20-07:42:12.812348  [**] [111:29:1] (spp_stream4) TCP wscale option normalized [**] {TCP} 62.123.168.250:39906 -> 87.238.232.7:41

My iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
eth0_in    all  --  anywhere             anywhere
eth1_in    all  --  anywhere             anywhere
eth2_in    all  --  anywhere             anywhere
eth3_in    all  --  anywhere             anywhere
eth4_in    all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:INPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
eth0_fwd   all  --  anywhere             anywhere
eth1_fwd   all  --  anywhere             anywhere
eth2_fwd   all  --  anywhere             anywhere
eth3_fwd   all  --  anywhere             anywhere
eth4_fwd   all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
fw2clu     all  --  anywhere             anywhere
fw2net     all  --  anywhere             anywhere
fw2dmz     all  --  anywhere             anywhere
fw2lea     all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject     all  --  anywhere             anywhere

Chain Drop (1 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp dpt:epmap
DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere            tcp dpt:epmap
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain Reject (4 references)
target     prot opt source               destination
reject     tcp  --  anywhere             anywhere            tcp dpt:auth
dropBcast  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
dropInvalid all  --  anywhere             anywhere
reject     udp  --  anywhere             anywhere            udp dpt:epmap
reject     udp  --  anywhere             anywhere            udp dpt:microsoft-ds
reject     udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
reject     udp  --  anywhere             anywhere            udp spt:netbios-ns dpts:1024:65535
reject     tcp  --  anywhere             anywhere            tcp dpt:epmap
reject     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
reject     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
DROP       udp  --  anywhere             anywhere            udp dpt:1900
dropNotSyn tcp  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere            udp spt:domain

Chain all2all (13 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Reject     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:all2all:REJECT:'
reject     all  --  anywhere             anywhere

Chain clu2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain dmz2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain dmz2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain dropBcast (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast

Chain dropInvalid (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID

Chain dropNotSyn (2 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:! FIN,SYN,RST,ACK/SYN

Chain dynamic (10 references)
target     prot opt source               destination

Chain eth0_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth0_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
clu2fw     all  --  anywhere             anywhere

Chain eth1_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
net2all    all  --  anywhere             anywhere
net2dmz    all  --  anywhere             anywhere
net2all    all  --  anywhere             anywhere
net2all    all  --  anywhere             anywhere

Chain eth1_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
net2fw     all  --  anywhere             anywhere

Chain eth2_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
dmz2net    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth2_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
dmz2fw     all  --  anywhere             anywhere

Chain eth3_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
lea2net    all  --  anywhere             anywhere
lea2dmz    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth3_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
lea2fw     all  --  anywhere             anywhere

Chain eth4_fwd (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
all2all    all  --  anywhere             anywhere
pin2net    all  --  anywhere             anywhere
pin2dmz    all  --  anywhere             anywhere
all2all    all  --  anywhere             anywhere

Chain eth4_in (1 references)
target     prot opt source               destination
dynamic    all  --  anywhere             anywhere            state INVALID,NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
all2all    all  --  anywhere             anywhere

Chain fw2clu (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain fw2dmz (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain fw2lea (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain fw2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain lea2dmz (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain lea2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain lea2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logdrop:DROP:'
DROP       all  --  anywhere             anywhere

Chain logreject (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:logreject:REJECT:'
reject     all  --  anywhere             anywhere

Chain net2all (5 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
Drop       all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Shorewall:net2all:DROP:'
DROP       all  --  anywhere             anywhere

Chain net2dmz (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
QUEUE      icmp --  anywhere             anywhere
QUEUE      tcp  --  anywhere             anywhere            tcp dpt:graphics
QUEUE      udp  --  anywhere             anywhere            udp dpt:graphics
ACCEPT     tcp  --  anywhere             napoli.leaproject.it tcp dpt:ssh
QUEUE      tcp  --  anywhere             napoli.leaproject.it tcp dpt:http
net2all    all  --  anywhere             anywhere

Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
QUEUE      icmp --  anywhere             anywhere
QUEUE      tcp  --  anywhere             anywhere            tcp dpt:bgp
QUEUE      udp  --  anywhere             anywhere            udp dpt:bgp
QUEUE      tcp  --  anywhere             anywhere            tcp dpt:graphics
QUEUE      udp  --  anywhere             anywhere            udp dpt:graphics
QUEUE      tcp  --  anywhere             anywhere            tcp dpt:http
net2all    all  --  anywhere             anywhere

Chain pin2dmz (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain pin2net (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain reject (14 references)
target     prot opt source               destination
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            reject-with icmp-host-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain shorewall (0 references)
target     prot opt source               destination

Chain smurfs (0 references)
target     prot opt source               destination
LOG        all  --  172.20.10.3          anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  172.20.10.3          anywhere
LOG        all  --  87.238.232.239       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  87.238.232.239       anywhere
LOG        all  --  87.238.232.127       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  87.238.232.127       anywhere
LOG        all  --  87.238.232.139       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  87.238.232.139       anywhere
LOG        all  --  87.238.232.143       anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  87.238.232.143       anywhere
LOG        all  --  255.255.255.255      anywhere            LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  255.255.255.255      anywhere
LOG        all  --  BASE-ADDRESS.MCAST.NET/4  anywhere       LOG level info prefix `Shorewall:smurfs:DROP:'
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere

Thanks,
Alberto

On Thu, 19/07/2007 at 18.32 -0500, Will Metcalf wrote:
> what do your iptables rules look like?
>=20 > Regards, >=20 > Will >=20 > On 7/19/07, Alberto Zuin <al...@in... > wrote: > I'm a newbie but I didn't found any help in previous messages. > I just compiled snort_inline 2.6.1.5 on a gentoo linux server > using the > howto at http://linuxgazette.net/117/savage.html, I downloaded > the rules=20 > via oinkmaster and I subtituted all "alert" with "drop", but > snort don't > drop any packet, only alert. > The strange thing is the rules application order where the > pass rule is > just before the drop rule like a startup with -o flag.=20 > The server use hardened sources and selinux. > Can you help me please? > Thanks, > Alberto > =20 |
From: <per...@gm...> - 2007-07-20 18:20:33
|
Shorewall is not compatible with snort-inline. That's it. If you have to use a high-level interface to iptables, try Victor Julien's Vuurmuur. http://vuurmuur.sourceforge.net/ It's excellent and integrates quite well with snort-inline.

-- 
Cheers,
Francisco
|
From: Alberto Z. <al...@in...> - 2007-07-22 08:43:48
|
I just tried Vuurmuur, a very beautiful system; the ncurses interface can make my life much easier: many thanks for the suggestion. I didn't find any reference to any traffic shaping functionality except in future plans, but at the moment it is not an important feature for me.

But the problem is still alive: when a malicious packet goes to snort_inline, it is detected and in the snort_inline-fast log it is marked as dropped (for example 07/21-10:42:41.215672 [Drop] [**] [1:4626:4] Port 80 connection initiated [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 77.42.112.123:45799 -> 87.238.232.7:80), but it passes through, not dropped.

Can someone check the rule application order in the snort_inline log? In my system it is dynamic->pass->drop->sdrop->reject->rejectboth->rejectsrc->rejectdst->alert->log and it seems incorrect.

Now this is my iptables -L -n:

Chain INPUT (policy DROP)
target prot opt source destination
PRE-VRMR-INPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth0 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth2 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth3 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth4 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth1 all -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe ALL '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe SYN-FIN '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe SYN-RST '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe FIN-RST '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe FIN '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe PSH '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe URG '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:! 0x17/0x02 state NEW limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP no SYN '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:! 0x17/0x02 state NEW
LOG all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP FRAG '
DROP all -f 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x0/0xff000000 state ESTABLISHED
NEWACCEPT all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x0/0xff000000 state RELATED
QUEUE all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x1000000/0xff000000 state ESTABLISHED
NEWQUEUE all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x1000000/0xff000000 state RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP in INVALID '
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
BLOCKLIST all -- 0.0.0.0/0 0.0.0.0/0
ANTISPOOF all -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 87.238.232.0/25 87.238.232.1 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT inc. http '
NEWACCEPT tcp -- 87.238.232.0/25 87.238.232.1 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
LOG tcp -- 87.238.232.136/30 87.238.232.137 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT inc. http '
NEWACCEPT tcp -- 87.238.232.136/30 87.238.232.137 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
LOG tcp -- 87.238.232.136/30 87.238.232.137 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT incoming ssh '
NEWACCEPT tcp -- 87.238.232.136/30 87.238.232.137 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state NEW
LOG tcp -- 87.238.232.0/25 87.238.232.1 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT incoming ssh '
NEWACCEPT tcp -- 87.238.232.0/25 87.238.232.1 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state NEW
NEWACCEPT all -- 87.238.232.140/30 0.0.0.0/0 state NEW
NEWACCEPT all -- 87.238.232.136/30 0.0.0.0/0 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/sec burst 60 LOG flags 0 level 6 prefix `vrmr: DROP in policy '

Chain FORWARD (policy DROP)
target prot opt source destination
PRE-VRMR-FORWARD all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth0 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth0 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth2 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth2 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth3 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth3 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth4 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth4 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth1 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth1 all -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe ALL '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe SYN-FIN '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe SYN-RST '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe FIN-RST '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe FIN '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe PSH '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe URG '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:! 0x17/0x02 state NEW limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP no SYN '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:! 0x17/0x02 state NEW
LOG all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP FRAG '
DROP all -f 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x0/0xff000000 state ESTABLISHED
NEWACCEPT all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x0/0xff000000 state RELATED
QUEUE all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x1000000/0xff000000 state ESTABLISHED
NEWQUEUE all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x1000000/0xff000000 state RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP fw INVALID '
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
BLOCKLIST all -- 0.0.0.0/0 0.0.0.0/0
ANTISPOOF all -- 0.0.0.0/0 0.0.0.0/0
LOG icmp -- 0.0.0.0/0 87.238.232.7 icmp type 8 code 0 state NEW LOG flags 0 level 6 prefix `vrmr: QUEUE '
NEWQUEUE icmp -- 0.0.0.0/0 87.238.232.7 icmp type 8 code 0 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.7 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: QUEUE '
NEWQUEUE tcp -- 0.0.0.0/0 87.238.232.7 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.7 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.7 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
NEWACCEPT all -- 87.238.232.140/30 0.0.0.0/0 state NEW
NEWACCEPT all -- 87.238.232.136/30 0.0.0.0/0 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/sec burst 60 LOG flags 0 level 6 prefix `vrmr: DROP fw policy '

Chain OUTPUT (policy DROP)
target prot opt source destination
PRE-VRMR-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth0 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth2 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth3 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth4 all -- 0.0.0.0/0 0.0.0.0/0
ACC-eth1 all -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe ALL '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe SYN-FIN '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe SYN-RST '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe FIN-RST '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe FIN '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe PSH '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP probe URG '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:! 0x17/0x02 state NEW limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP no SYN '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:! 0x17/0x02 state NEW
LOG all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP FRAG '
DROP all -f 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x0/0xff000000 state ESTABLISHED
NEWACCEPT all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x0/0xff000000 state RELATED
QUEUE all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x1000000/0xff000000 state ESTABLISHED
NEWQUEUE all -- 0.0.0.0/0 0.0.0.0/0 MARK match 0x1000000/0xff000000 state RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP out INVALID '
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
BLOCKLIST all -- 0.0.0.0/0 0.0.0.0/0
ANTISPOOF all -- 0.0.0.0/0 0.0.0.0/0
LOG icmp -- 0.0.0.0/0 87.238.232.7 icmp type 8 code 0 state NEW LOG flags 0 level 6 prefix `vrmr: QUEUE '
NEWQUEUE icmp -- 0.0.0.0/0 87.238.232.7 icmp type 8 code 0 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.7 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: QUEUE '
NEWQUEUE tcp -- 0.0.0.0/0 87.238.232.7 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.7 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.7 tcp spts:1024:65535 dpt:22 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.18 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 87.238.232.22 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 flags:0x17/0x02 state NEW
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW LOG flags 0 level 6 prefix `vrmr: ACCEPT '
NEWACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 flags:0x17/0x02 state NEW
NEWACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53 flags:0x17/0x02 state NEW
NEWACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpt:53 flags:0x17/0x02 state NEW
NEWACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW
NEWACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpt:53 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 30/sec burst 60 LOG flags 0 level 6 prefix `vrmr: DROP out policy '

Chain ACC-eth0 (4 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain ACC-eth1 (4 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain ACC-eth2 (4 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain ACC-eth3 (4 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain ACC-eth4 (4 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain ANTISPOOF (3 references)
target prot opt source destination
LOG all -- 10.0.0.0/8 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `vrmr: DROP spoof class-a '
DROP all -- 10.0.0.0/8 0.0.0.0/0
LOG all -- 0.0.0.0/0 10.0.0.0/8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `vrmr: DROP spoof class-a '
DROP all -- 0.0.0.0/0 10.0.0.0/8

Chain BLOCK (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP BLOCKED '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain BLOCKLIST (3 references)
target prot opt source destination

Chain NEWACCEPT (32 references)
target prot opt source destination
SYNLIMIT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
UDPLIMIT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain NEWQUEUE (7 references)
target prot opt source destination
SYNLIMIT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
UDPLIMIT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW
QUEUE all -- 0.0.0.0/0 0.0.0.0/0

Chain PRE-VRMR-FORWARD (1 references)
target prot opt source destination

Chain PRE-VRMR-INPUT (1 references)
target prot opt source destination

Chain PRE-VRMR-OUTPUT (1 references)
target prot opt source destination

Chain SYNLIMIT (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 20
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP SYNLIMIT reach. '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain TCPRESET (0 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain UDPLIMIT (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 15/sec burst 45
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 2 LOG flags 0 level 6 prefix `vrmr: DROP UDPLIMIT reach. '
DROP all -- 0.0.0.0/0 0.0.0.0/0

Bye,
Alberto

On Fri, 20/07/2007 at 14.20 -0400, Francisco Muñoz wrote:
> Shorewall is not compatible with snort-inline. That's it. If you have
> to use a high-level interface to iptables, try Victor Julien's
> Vuurmuur. http://vuurmuur.sourceforge.net/ It's excellent and
> integrates quite well with snort-inline.
> 
> -- 
> Cheers,
> Francisco
|
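An added check for threads like this one, not code from the list, from snort_inline or from Vuurmuur: a small Python walker that reads `iptables -L -n` output and evaluates one packet against a chain in rule order, so one can confirm whether a new HTTP connection to 87.238.232.7 actually reaches QUEUE (and so snort_inline) or is ACCEPTed by an earlier rule. The sample chain is constructed from the shape of the FORWARD chain above; walking an ESTABLISHED packet of a connection whose mark is 0 through it shows that the packet hits the ACCEPT rule before the QUEUE rule, so after the first packet only marked connections are inspected.

```python
# Walks an `iptables -L -n` listing for one packet in rule order, as the kernel does, to
# show which target (QUEUE, ACCEPT, DROP or the chain policy) it reaches.  Added example
# for this thread, not code from snort_inline or Vuurmuur; SAMPLE is a constructed, abridged
# FORWARD chain in the shape of the listing above.  Assumed: `limit:` never exceeded, LOG
# never terminates, only the matchers in that listing (prot, addr, ports, flags, state, MARK).
import ipaddress
import re
SAMPLE = """\
Chain FORWARD (policy DROP)
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0     MARK match 0x0/0xff000000 state ESTABLISHED
QUEUE      all  --  0.0.0.0/0   0.0.0.0/0     MARK match 0x1000000/0xff000000 state ESTABLISHED
NEWQUEUE   tcp  --  0.0.0.0/0   87.238.232.7  tcp spts:1024:65535 dpts:80:81 flags:0x17/0x02 state NEW
LOG        all  --  0.0.0.0/0   0.0.0.0/0     limit: avg 30/sec burst 60 LOG flags 0 level 6 prefix `vrmr: DROP fw policy '
Chain NEWQUEUE (7 references)
SYNLIMIT   tcp  --  0.0.0.0/0   0.0.0.0/0     tcp flags:0x17/0x02
QUEUE      all  --  0.0.0.0/0   0.0.0.0/0
Chain SYNLIMIT (2 references)
RETURN     all  --  0.0.0.0/0   0.0.0.0/0     limit: avg 10/sec burst 20
DROP       all  --  0.0.0.0/0   0.0.0.0/0
"""
TERMINAL = {"ACCEPT", "DROP", "QUEUE", "REJECT"}

def parse_listing(text):
    """{chain: (policy or None, [(target, prot, src, dst, extra), ...])} in listing order."""
    chains, name = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            name, chains[m.group(1)] = m.group(1), (m.group(2), [])
        elif name and line.strip() and not line.startswith("target"):
            p = line.split(None, 5)
            chains[name][1].append((p[0], p[1], p[3], p[4], p[5] if len(p) > 5 else ""))
    return chains

def rule_matches(rule, pkt):
    """Evaluate the matchers that occur in the listing against one packet dict."""
    _, prot, src, dst, extra = rule
    if prot not in ("all", pkt["proto"]):
        return False
    if (ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src)
            or ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst)):
        return False
    for key, spec in re.findall(r"\b([sd])pts?:(\S+)", extra):      # dpt:22 or dpts:80:81
        lo, _, hi = spec.partition(":")
        if not int(lo) <= pkt[key + "port"] <= int(hi or lo):
            return False
    m = re.search(r"\bstate (\S+)", extra)                           # NEW or RELATED,ESTABLISHED
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    m = re.search(r"MARK match (0x[0-9a-f]+)/(0x[0-9a-f]+)", extra)  # MARK match VALUE/MASK
    if m and (pkt["mark"] & int(m.group(2), 16)) != int(m.group(1), 16):
        return False
    m = re.search(r"flags:(! )?(0x[0-9A-Fa-f]+)/(0x[0-9A-Fa-f]+)", extra)  # flags:MASK/COMP
    if m and ((pkt["flags"] & int(m.group(2), 16)) == int(m.group(3), 16)) == bool(m.group(1)):
        return False                                                 # a leading "! " inverts the test
    return True

def walk(chains, name, pkt, path=None):
    """Target reached by `pkt` entering chain `name`; None only when a user chain RETURNs or runs out."""
    policy, rules = chains[name]
    path = path if path is not None else []
    path.append(name)
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule[0] in TERMINAL:
            return rule[0]
        if rule[0] == "RETURN":
            return policy                     # RETURN in a built-in chain applies its policy
        if rule[0] in chains:                 # user chain: descend; fall through if it returns
            result = walk(chains, rule[0], pkt, path)
            if result is not None:
                return result
    return policy                             # LOG etc. fall through; None for user chains

def http_packet(**overrides):
    """Constructed packet shaped like the snort_inline-fast line above (77.42.112.123:45799 -> 87.238.232.7:80)."""
    pkt = dict(proto="tcp", src="77.42.112.123", dst="87.238.232.7", sport=45799,
               dport=80, flags=0x02, state="NEW", mark=0)
    return {**pkt, **overrides}
```

Feed it the real listing with `parse_listing(open("listing.txt").read())` and a packet dict built like `http_packet()`; the `path` list passed to `walk` records the chains visited.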