From: Swaminathan S. <ssr...@cs...> - 2004-10-12 23:56:13
hi all

I am new to snort-inline or even snort. I have been trying to get snort
inline (version 2.2.0 build 30) to work on my machine for a very basic setup.
I wanted all the packets in and out of my machine to go through snort

so I setup my iptables with these 2 rules (only these 2 rules)
iptables -A INPUT -j QUEUE
iptables -A OUTPUT -j QUEUE

Then I start my snort inline as
snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort

I see my icmp and udp packets get through but none of my tcp sessions (I
tried web and ssh) are initiated. I don't even see SYN packets

I have used the sample snort_inline config file available with the distribution
with some changes to turning on preprocessors

What am I missing ?

thanks
Swami
From: Will M. <wil...@gm...> - 2004-10-13 02:11:59
What does your snort_inline.conf look like? It sounds like you might be
using forceiptstate without using marks in iptables to track state.
Really can't say without seeing your snort_inline.conf and how your
snort_inline box sits in relation to the rest of your network.

iptables -t mangle -A FORWARD -p tcp --syn -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A FORWARD -p tcp -m state --state ESTABLISHED -j MARK --set-mark 2
iptables -A FORWARD -j QUEUE

Regards,

Will

On Tue, 12 Oct 2004 19:55:54 -0400, Swaminathan Srinivasan <ssr...@cs...> wrote:
> hi all
> I am new to snort-inline or even snort. I have been trying to get snort
> inline (version 2.2.0 build 30) to work on my machine for a very basic setup.
> I wanted all the packets in and out of my machine to go through snort
>
> so I setup my iptables with these 2 rules (only these 2 rules)
> iptables -A INPUT -j QUEUE
> iptables -A OUTPUT -j QUEUE
>
> Then I start my snort inline as
> snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
>
> I see my icmp and udp packets get through but none of my tcp sessions (I
> tried web and ssh) are initiated. I don't even see SYN packets
>
> I have used the sample snort_inline config file available with the distribution
> with some changes to turning on preprocessors
>
> What am I missing ?
>
> thanks
> Swami
From: Swaminathan S. <ssr...@cs...> - 2004-10-13 17:04:25
Attachments:
snort_inline.conf
ipt
Hi

thanks for the reply. I am not using forceiptstate. As far as the network
config goes I have my machine with one network interface connected to the
internet. I am running snort_inline so that all the packets in and out of my
machine are inspected by it. This is a basic config I wanted to test first
before I used it as an IPS for a network. I am attaching my config file with
the mail. It is mostly an unedited version of the sample config file that
came with the snort-inline distribution.

thanks
Swami

On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> What does your snort_inline.conf look like? It sounds like you might
> be using forceiptstate without using marks in iptables to track state.
> Really can't say without seeing your snort_inline.conf and how your
> snort_inline box sits in relation to the rest of your network.
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state
> NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state
> ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -j QUEUE
>
> Regards,
>
> Will
From: Swaminathan S. <ssr...@cs...> - 2004-10-13 17:24:35
Hi again

I also wanted to mention the snort-inline does see these packets. I checked
by running snort inline as
snort_inline -Qvc /etc/snort-inline/snort_inline.conf
But it's just that the packets don't seem to pass through it. I don't see
any alerts either. I tried to ssh to test this configuration

thanks
Swami

On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> What does your snort_inline.conf look like? It sounds like you might
> be using forceiptstate without using marks in iptables to track state.
> Really can't say without seeing your snort_inline.conf and how your
> snort_inline box sits in relation to the rest of your network.
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state
> NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state
> ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -j QUEUE
>
> Regards,
>
> Will
From: Justin A. <JA...@ua...> - 2004-10-13 17:30:50
On Tue, 2004-10-12 at 19:55, Swaminathan Srinivasan wrote:
> hi all
> I am new to snort-inline or even snort. I have been trying to get snort
> inline (version 2.2.0 build 30) to work on my machine for a very basic
> setup.
> I wanted all the packets in and out of my machine to go through snort
>
> so I setup my iptables with these 2 rules (only these 2 rules)
> iptables -A INPUT -j QUEUE
> iptables -A OUTPUT -j QUEUE

try iptables -L -n -v, you should see the counters on the QUEUE rule
increasing with each packet. my guess is that you wanted
iptables -A FORWARD -j QUEUE
rather than the 2 above

> Then I start my snort inline as
> snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l
> /var/log/snort
>
> I see my icmp and udp packets get through but none of my tcp
> sessions (I tried web and ssh) are initiated. I don't even see SYN packets
>
> I have used the sample snort_inline config file available with the
> distribution
> with some changes to turning on preprocessors
>
> What am I missing ?
>
> thanks
> Swami

--
Justin Azoff -- Network Performance Analyst
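A way to do the counter check Justin suggests, added here as an example and not part of the thread: it parses two snapshots of `iptables -L -n -v -x` output (the snapshots below are constructed, with made-up counters) and reports which chains' QUEUE rules actually saw packets between them, and whether a given chain carries a QUEUE rule at all.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Two constructed snapshots of
# `iptables -L -n -v -x` (-x keeps counters exact, no K/M suffixes), taken
# before and after one test connection. The numbers are made up.
BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40       3200 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      15       1100 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0'
AFTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      46       3680 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      21       1580 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print "CHAIN pkts" for every QUEUE rule in a listing; the chain name
# comes from the preceding "Chain NAME (...)" header line.
queue_counters() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }
        $3 == "QUEUE" { print chain, $1 }'
}

# Print "CHAIN +N" for each QUEUE rule whose packet counter grew between
# the two listings. A QUEUE rule whose counter never moves is one that no
# packet reaches, so snort_inline cannot be seeing that traffic.
queue_delta() {
    { queue_counters "$1" | sed 's/^/B /'; queue_counters "$2" | sed 's/^/A /'; } |
        awk '$1 == "B" { before[$2] = $3 }
             $1 == "A" && $3 - before[$2] > 0 { print $2 " +" ($3 - before[$2]) }'
}

# Exit 0 when CHAIN carries a QUEUE rule, 1 otherwise. A host inspecting its
# own traffic hooks INPUT/OUTPUT; a box that forwards for others hooks FORWARD.
chain_has_queue() {
    queue_counters "$1" | awk -v c="$2" '$1 == c { found = 1 } END { exit !found }'
}

queue_delta "$BEFORE" "$AFTER"
chain_has_queue "$AFTER" FORWARD || echo "FORWARD has no QUEUE rule"
```

On a live box, replace the constructed strings with `BEFORE=$(iptables -L -n -v -x)`, run the test connection, then capture `AFTER` the same way.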
From: Swaminathan S. <ssr...@cs...> - 2004-10-14 18:51:40
Attachments:
snort_inline.conf
Hi

So I tested my setup again. First let me describe the setup.

1. I have snort-inline running on my machine looking at packets in and out
   of the machine. The machine does not forward any packets.
2. I setup iptables to queue all packets in and out the machine
   iptables -A INPUT -j QUEUE
   iptables -A OUTPUT -j QUEUE
3. I start snort inline as follows
   snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
4. snort_inline starts up without complaining

So now when I try to ssh to a host in my network I see snort giving
information on the SYN packet but tcpdump does not see the packet so I
assume the packet is getting dropped. But I do not get any alerts either.
At the same time DNS requests are also queued but those get through and so
do icmp packets.
(btw I am assuming all the alerts including from dropped packets can be seen
in /var/log/snort/alerts am I wrong ?)
I made some changes to the snort_inline.conf file and I am sending it again.

Any suggestions on what am I doing wrong ?

thanks
Swami

On Tue, Oct 12, 2004 at 09:11:52PM -0500, Will Metcalf wrote:
> What does your snort_inline.conf look like? It sounds like you might
> be using forceiptstate without using marks in iptables to track state.
> Really can't say without seeing your snort_inline.conf and how your
> snort_inline box sits in relation to the rest of your network.
>
> iptables -t mangle -A FORWARD -p tcp --syn -m state --state
> NEW -j MARK --set-mark 1
> iptables -t mangle -A FORWARD -p tcp -m state --state
> ESTABLISHED -j MARK --set-mark 2
> iptables -A FORWARD -j QUEUE
>
> Regards,
>
> Will
From: Will M. <wil...@gm...> - 2004-10-14 21:26:36
I haven't forgotten about you, I've just been super busy. I'll look over
the files you have sent this evening. Sorry it has taken so long for me to
get back to you.

Regards,

Will

On Thu, 14 Oct 2004 14:51:24 -0400, Swaminathan Srinivasan <ssr...@cs...> wrote:
> Hi
>
> So I tested my setup again. First let me describe the setup.
>
> 1. I have snort-inline running on my machine looking at packets in and out
> of the machine. The machine does not forward any packets.
> 2. I setup iptables to queue all packets in and out the machine
> iptables -A INPUT -j QUEUE
> iptables -A OUTPUT -j QUEUE
> 3. I start snort inline as follows
> snort_inline -Qvc /etc/snort-inline/snort_inline.conf -l /var/log/snort
> 4. snort_inline starts up without complaining
>
> So now when I try to ssh to a host in my network I see snort giving
> information on the SYN packet but tcpdump does not see the packet so I
> assume the packet is getting dropped. But I do not get any alerts either.
> At the same time DNS requests are also queued but those get through and so
> do icmp packets.
> (btw I am assuming all the alerts including from dropped packets can be seen
> in /var/log/snort/alerts am I wrong ?)
> I made some changes to snort_inline.conf file and I am sending it again.
>
> Any suggestions on what am I doing wrong ?
>
> thanks
> Swami