Hi
We have implemented snort-inline.
For testing purposes we removed all the detection rules (every `include $RULE_PATH/...` line in snort.conf is commented out).
The setup is as below:
APC system ------- ROUTER ------- SNORT-INLINE ------- BPC system
When we try to telnet from the BPC system to the router, snort-inline
blocks the telnet session.
snort-inline runs in bridge mode. When we remove the iptables rules below (so no
packets are sent to the QUEUE target) telnet works without any issue.
Any suggestions are welcome.
iptables rules used:
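# Tag the first packet (SYN) of each new TCP flow coming from the monitored
# host xxxx with mark 1, and packets of flows conntrack already tracks with
# mark 2. NOTE(review): nothing in this rule set matches on the marks
# (no `-m mark` rule), so they have no effect on what reaches snort_inline;
# keep them only if something outside these lines (tc, another chain) uses them.
iptables -t mangle -A FORWARD -p tcp -s xxxx --syn -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A FORWARD -p tcp -s xxxx -m state --state ESTABLISHED -j MARK --set-mark 2

# Hand forwarded packets to snort_inline through ip_queue.
# The original rule queued only packets *from* xxxx, so the replies back to
# xxxx never passed through snort: the IPS saw only one side of every TCP
# session (incomplete stream reassembly) and traffic towards xxxx was never
# inspected or blockable. Queue both directions of the conversation.
iptables -A FORWARD -s xxxx -j QUEUE
iptables -A FORWARD -d xxxx -j QUEUE

# Things to check when everything sent to QUEUE appears to be dropped:
#  - the QUEUE target drops packets when no userspace process has attached
#    to ip_queue, so ip_queue must be loaded and snort_inline must be running
#    in inline (-Q) mode before these rules are added;
#  - in bridge mode, FORWARD only sees bridged frames if bridge netfilter is
#    enabled (bridge-nf-call-iptables); otherwise verify the rules actually
#    match with `iptables -L FORWARD -v -n`.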
snort.conf file:
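# Network variables.
# NOTE(review): with HOME_NET and EXTERNAL_NET both set to `any`, a rule
# written as `$EXTERNAL_NET any -> $HOME_NET any` matches traffic in every
# direction once the rule files below are re-enabled. Fine for a test with
# no rules loaded; set HOME_NET to the protected range before going live.
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
# HTTP_PORTS lists only 80, while http_inspect_server below also inspects
# 8080 and 8180 -- rules keyed on $HTTP_PORTS will not cover those two ports.
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
# The AIM_SERVERS value was on the line after `var AIM_SERVERS` in the post
# (most likely mail wrapping); a var with its value on a separate line does
# not parse, so it is kept on one line here.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /usr/local/rules/rules

# Preprocessors.
preprocessor flow: stats_interval 0 hash 2
preprocessor frag2
# disable_evasion_alerts silences stream4's alerts on overlapping/retransmitted
# segments; in an inline deployment those are exactly the evasion attempts an
# IPS is expected to notice, so consider dropping this option once the basic
# forwarding problem is solved.
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode: 23 25 21 119

include classification.config
include reference.config

# All rule files are intentionally disabled for this test, so no signature
# can be responsible for the dropped telnet session; the drop has to come
# from the iptables QUEUE path or from snort_inline itself.
#include $RULE_PATH/local.rules
#include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/exploit.rules
#include $RULE_PATH/scan.rules
#include $RULE_PATH/finger.rules
#include $RULE_PATH/ftp.rules
#include $RULE_PATH/telnet.rules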
Regards
tmv
"Success comes to the person who does today"