From: <lui...@gm...> - 2004-09-13 13:02:11

Hello, people, I've been brought here by a suggestion somebody at the mailing list of snort gave me.

First of all, I must say that I'm a complete newbie at snort and any of its sons (such as this one). My approach to snort was motivated because I want to block peer to peer traffic coming in and out of the network I'm managing.

So, to put it simply, I need some documentation (the one I couldn't find anywhere in the snort-inline site) about how to do this, working together with my existing iptables firewall.

I've been reading the snort users and installation guides, my router-firewall came with snort 2.0.6 pre-installed (I'm using Ututo-R as a router-firewall), and I have three NICs, one that connects it with the internet gateway, and the other two that serve as gateways to two class B networks. These are the ones in which I would like to block peer to peer traffic.

Thanks in advance,

Luis

-- 
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
-------------------------------------------------
From: Victor J. <vi...@nk...> - 2004-09-13 15:43:43

Hello Luis,

On Monday 13 September 2004 15:02, Luis Hernán Otegui wrote:
> Hello, people, I've been brought here by a suggestion somebody at the
> mailing list of snort gave me.
> First of all, I must say that I'm a complete newbie at snort and any
> of its sons (such as this one). My approach to snort was motivated
> because I want to block peer to peer traffic coming in and out of the
> network I'm managing.
> So, to put it simply, I need some documentation (the one I couldn't
> find anywhere in the snort-inline site) about how to do this, working
> together with my existing iptables firewall.

The snort_inline part of snort basically comes down to making sure snort_inline sees the traffic. This can be done by using the QUEUE target in iptables. For more information on how to pass the traffic to snort_inline see the documentation in the snort_inline distribution, in the map 'doc', esp. README.INLINE.

I suggest you read the snort manual (http://www.snort.org/docs/snort_manual/) and just load snort_inline with the rules set to alert so you can see what happens...

> I've been reading the snort users and installation guides, my
> router-firewall came with snort 2.0.6 pre-installed (I'm using Ututo-R
> as a router-firewall), and I have three NICs, one that connects it
> with the internet gateway, and the other two that serve as gateways to
> two class B networks. These are the ones in which I would like to block
> peer to peer traffic.
> Thanks in advance,
>
> Luis

For blocking p2p you can also look at the layer7 filter project for iptables (http://l7-filter.sourceforge.net/) and Ipp2p (http://rnvs.informatik.uni-leipzig.de/ipp2p/docu_en.html).

Hope this helps,

Victor
From: Eric H. <eri...@ap...> - 2004-09-13 16:29:26

List:

I have several questions regarding Snort-Inline and hope someone may be able to answer a few, if not all:

1) Does anyone know of any newer operating system distros that have the ebtables/bridging firewall patch implemented into the default kernel other than Redhat 7.3 (e.g. Fedora or other Linux distros) that would not require additional patching of the kernel?

2) We are troubleshooting connectivity issues with a Redhat 7.3 installation of the latest 2.1.3 Snort-Inline release. Can anyone provide a list of troubleshooting steps they take when connectivity becomes an issue? I'm using the RC.FIREWALL script provided on honeynet.org. If anyone can look at the below and let me know if they see anything I've missed, that would be great!:

   a) I've made sure ipqueue is loaded with lsmod
   b) I've made sure the rc.firewall script started with no errors
   c) I've made sure snort_inline was running with -Q
   d) I've made sure the 2 interfaces have been bridged and the right cat5 cables are plugged in to the appropriate NIC.
   e) I've modified the rc.firewall script to make everything that has DROP set, set to ALLOW.

3) In both customer and internal deployments of Snort-Inline, we continue to use the rc.firewall script from Honeynet even though all deployments have not been for honeynets, rather, just a perimeter IPS. The rc.firewall script is geared towards honeynet deployments. Does anyone know of a different rc script that has been made for non-honeynet deployments that is geared more towards just setting up a bridged snort-inline box that does not do any firewalling and simply passes the traffic straight through the IPS -- none of the fancy ipfilter rules, just ALLOW all rules. For the interim, an ugly hack we've done is to simply do a search/replace on the DROP keyword in the rc.firewall script to ALLOW.

I'm sure there has got to be someone on this list that has done an Enterprise deployment of Snort-Inline and relied on their already deployed firewalls to handle firewalling and wanted the snort-inline bridge to simply pass all traffic in/out.

Someone please advise on any one of these item #s.

-- 
Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
1134 N. Main St.
Algonquin, IL 60102
Direct: (877) 262-7593 x327
http://www.appliedwatch.com
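An editorial aside, not part of any post in this thread: a set of health checks that turns Eric's items a), c), d) and e), plus the FORWARD-to-QUEUE rule Victor describes, into something that can be scripted. Each check parses the output of one command (lsmod, ps, brctl show, iptables -L FORWARD -n) read from stdin, so it can be tried on constructed samples; the bridge, interface and module names (br0, eth0, eth1, ip_queue) are assumptions taken from the thread.

```shell
#!/bin/sh
# Offline sanity checks for a snort_inline bridge (added example, not from the thread).
# Covers Eric's items a), c), d), e) and the FORWARD -> QUEUE rule Victor describes.
# Each check reads the text of a command's output on stdin, so it can be exercised
# with constructed samples; on a live box pipe in the real command
# (lsmod, ps ax, brctl show, iptables -L FORWARD -n).

# a) ip_queue must be loaded, or packets sent to QUEUE have no userspace taker
check_ipqueue_loaded() {
    grep -q '^ip_queue[[:space:]]'
}

# c) snort_inline must run with -Q, otherwise queued packets never get a verdict
check_snort_inline_q() {
    grep 'snort_inline' | grep -q -e ' -Q'
}

# d) both NICs must be members of the bridge ($1 = bridge, $2 and $3 = interfaces)
check_bridge_has_ifaces() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q "^$1[[:space:]]" || return 1
    printf '%s\n' "$out" | grep -qw -- "$2" || return 1
    printf '%s\n' "$out" | grep -qw -- "$3"
}

# FORWARD must hand traffic to QUEUE; with policy DROP and no QUEUE rule the bridge
# blackholes everything, which looks exactly like a "connectivity issue"
check_forward_queue() {
    grep -q '^QUEUE[[:space:]]'
}

# e) no leftover DROP rules in FORWARD (the policy line reads "Chain FORWARD (policy ...)",
# so only rule lines beginning with DROP count)
check_forward_no_drop() {
    ! grep -q '^DROP[[:space:]]'
}

# Live usage (not run by this file):
#   lsmod      | check_ipqueue_loaded || echo "ip_queue not loaded"
#   ps ax      | check_snort_inline_q || echo "snort_inline not running with -Q"
#   brctl show | check_bridge_has_ifaces br0 eth0 eth1 || echo "bridge incomplete"
#   iptables -L FORWARD -n | check_forward_queue || echo "no QUEUE rule in FORWARD"
```

Item b) (the rc.firewall script starting cleanly) is left to the script's own exit status; these checks cover the state it should have left behind.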
From: Will M. <wil...@gm...> - 2004-09-13 17:22:09

I develop snort_inline on Debian Linux. If I remember correctly there is a problem with the QUEUE target in RH 7.3 that was fixed with an iptables p-o-m.

As far as a simple bridging script, you might be able to use something like this:

    #!/bin/sh
    # Bridge two NICs into br0 and send everything crossing the bridge to
    # the QUEUE target, where snort_inline (-Q) decides what passes.

    case "$1" in
      start)
        echo -n "starting bridge"
        # BRIDGE SETUP: enslave eth0 and eth1 to br0, no spanning tree
        echo "setting up bridge"
        /usr/local/sbin/brctl addbr br0
        /usr/local/sbin/brctl addif br0 eth0
        /usr/local/sbin/brctl addif br0 eth1
        /usr/local/sbin/brctl stp br0 off
        # management address on the bridge itself
        /sbin/ifconfig br0 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
        /sbin/route add default gw 192.168.1.1
        # stealth bridge: uncomment the line below to run without an IP address
        #/sbin/ifconfig br0 0.0.0.0
        /sbin/ifconfig br0 up
        sleep 10
        # SETUP IPTABLES RULES: with policy DROP and a single QUEUE rule,
        # nothing is forwarded unless snort_inline is running and accepts it
        /usr/local/sbin/iptables -F FORWARD
        /usr/local/sbin/iptables -P FORWARD DROP
        /usr/local/sbin/iptables -A FORWARD -j QUEUE
        sleep 3
        echo
        ;;
      stop)
        echo -n "Stopping IPS STUFF: "
        /usr/local/sbin/brctl delif br0 eth0
        /usr/local/sbin/brctl delif br0 eth1
        /sbin/ifconfig br0 down
        /usr/local/sbin/brctl delbr br0
        # return FORWARD to a pass-through default once nothing is queuing
        /usr/local/sbin/iptables -F FORWARD
        /usr/local/sbin/iptables -P FORWARD ACCEPT
        echo
        ;;
      restart)
        $0 stop
        $0 start
        ;;
      status)
        # the original called the Red Hat init 'status' helper, which is not
        # available without sourcing /etc/init.d/functions; show state directly
        /usr/local/sbin/brctl show
        /usr/local/sbin/iptables -L FORWARD -n
        ;;
      *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
    esac
    exit 0

On Mon, 13 Sep 2004 11:16:56 -0500, Eric Hines <eri...@ap...> wrote:
> List:
>
> I have several questions regarding Snort-Inline and hope someone may be
> able to answer a few, if not all:
>
> 1) Does anyone know of any newer operating system distros that have the
> ebtables/bridging firewall patch implemented into the default kernel
> other than Redhat 7.3 (e.g. Fedora or other Linux distros) that would
> not require additional patching of the kernel.
>
> 2) We are troubleshooting connectivity issues with a Redhat 7.3
> installation of the latest 2.1.3 Snort-Inline release. Can anyone
> provide a list of troubleshooting steps they take when connectivity
> becomes an issue? I'm using the RC.FIREWALL script provided on
> honeynet.org. If anyone can look at the below and let me know if they
> see anything I've missed, that would be great!:
>
> a) I've made sure ipqueue is loaded with lsmod
> b) I've made sure the rc.firewall script started with no errors
> c) I've made sure snort_inline was running with -Q
> d) I've made sure the 2 interfaces have been bridged and the right
> cat5 cables are plugged in to the appropriate NIC.
> e) I've modified the rc.firewall script to make everything that has
> DROP set, set to ALLOW.
>
> 3) In both customer and internal deployments of Snort-Inline, we
> continue to use the rc.firewall script from Honeynet even though all
> deployments have not been for honeynets, rather, just a perimeter IPS.
> The rc.firewall script is geared towards honeynet deployments. Does
> anyone know of a different rc script that has been made for non-honeynet
> deployments that is geared more towards just setting up a bridged
> snort-inline box that does not do any firewalling and simply passes the
> traffic straight through the IPS -- none of the fancy ipfilter rules,
> just ALLOW all rules. For the interim, an ugly hack we've done is to
> simply do a search/replace on the DROP keyword in the rc.firewall script
> to ALLOW. I'm sure there has got to be someone on this list that has done
> an Enterprise deployment of Snort-Inline and relied on their already
> deployed firewalls to handle firewalling and wanted the snort-inline
> bridge to simply pass all traffic in/out.
>
> Someone please advise on any one of these item #s.
>
> --
> Best Regards,
>
> Eric Hines, GCIA, CISSP
> CEO, President
> Applied Watch Technologies, Inc.
> 1134 N. Main St.
> Algonquin, IL 60102
> Direct: (877) 262-7593 x327
> http://www.appliedwatch.com