Hi,
I've got snort_inline v 2.3.0 and when I try to ssh to a host behind
the bridge, I get a timeout.
Here are the results of a tcpdump of ssh to a host behind the IPS:
tcpdump: listening on eth0
21:18:31.776454 24.107.136.185.32802 > 192.168.1.2.ssh: S
693332235:693332235(0) win 5840 <mss 1460,sackOK,timestamp 773605864
0,nop,wscale 2> (DF)
21:18:31.776576 192.168.1.2.ssh > 24.107.136.185.32802: S
3705203370:3705203370(0) ack 693332236 win 5840 <mss 1460> (DF)
21:18:31.776664 192.168.1.2.ssh > 24.107.136.185.32802: S
3705203370:3705203370(0) ack 693332236 win 5840 <mss 1460> (DF)
21:18:31.792173 24.107.136.185.32802 > 192.168.1.2.ssh: . ack 1 win 5840 (DF)
21:18:31.793624 192.168.1.2.ssh > 24.107.136.185.32802: P 1:24(23) ack
1 win 5840 (DF)
21:18:31.793740 192.168.1.2.ssh > 24.107.136.185.32802: P 1:24(23) ack
1 win 5840 (DF)
21:18:31.820035 24.107.136.185.32802 > 192.168.1.2.ssh: . ack 24 win 5840 (DF)
192.168.1.2 is the IP of the device behind the IPS. It receives the
packets but it looks like something that is being sent to this host is
being modified where the openssh daemon won't respond. If I remove
the IPS, everything works perfectly.
Here are my iptables rules on the IPS:
iptables -F
#eth0 is for management
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -j QUEUE
Here are my stream4 options in snort.conf
preprocessor stream4: disable_evasion_alerts detect_scans
--
Thanks,
Rich Compton