From: joe z <sec...@ho...> - 2005-03-09 03:43:26
I have snort 2.3, compiled with --enable-inline, on a box behind a firewall, inline, to scan traffic. Two questions. A little history first... When I enable transparent proxy (iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080) by itself, it works. Just as a router, good. When I comment out the TP and uncomment (iptables -t mangle -A PREROUTING -j QUEUE) without snort, it doesn't work (i.e. no traffic passes); with snort running (snort -D -Q -c /etc/snort/rules) it works but doesn't drop anything. ip_queue is loaded.

I need advice on:

A. a rule to test the inline drop functionality and/or advice on proper config;
B. how to run inline and transparent proxy.

I tried:

    drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware 180solutions Spyware"; uricontent:"180solutions.com"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; flow:to_server,established; sid:2001051; rev:3;)

and browsed to http://180solutions.com from an internal host. Obviously fruitlessly. Is that the wrong way to write a drop rule, or did I configure wrong? Either way, a simple test drop rule would be much appreciated...
From: Dale L. H. P.E. <dh...@ni...> - 2005-03-09 16:07:47
The "180solutions.com" is not part of the uricontent. It is actually part of the URL (there is a difference). Therefore, it will fail the test.

As an example of this sort of thing, go look at the actual rules at Bleeding Snort. You will see that there are content searches for the host, and other specific uricontent searches for the actual page requests and/or dynamic content requests:

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/MALWARE/MALWARE_180Solutions

And, for perhaps more information than you really wanted to know, you can look at the RFC that explains this far better than I can:

http://www.w3.org/Protocols/rfc2616/rfc2616.html

I hope this helps.

-- 
Dyslexics have more fnu.

-- 
Dale L. Handy, P.E.
dh...@ni...
http://www.nitrosecuity.com
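The distinction Dale draws (the host name lives in the Host header or the URL, not in the Request-URI that uricontent inspects) is easy to see with a small model of the two match options. The following is an added example written for this archive page, not code from Snort, Bleeding Snort or anyone in the thread. It assumes a simplified view of the options: `uricontent` is compared only against the Request-URI on the request line, while `content` is compared against the whole TCP payload (request line plus headers); real Snort applies `uricontent` to the normalized URI buffer produced by the http_inspect preprocessor, which this model ignores. It goes one step beyond the thread by also showing the explicit-proxy case, where a browser configured to use a proxy sends an absolute URL on the request line, so the same uricontent match succeeds. The sample requests are constructed.

```python
"""Model of what Snort's uricontent and content options see in an HTTP request.

Added example (not Snort's code). Assumptions:
  - uricontent matches against the Request-URI only (no normalization modelled)
  - content matches against the raw payload: request line plus headers
Sample requests below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> HttpRequest:
    """Split an HTTP/1.x request into request line and headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, version, headers)


def uricontent_matches(raw: bytes, needle: str, nocase: bool = True) -> bool:
    """Modelled uricontent: only the Request-URI is searched."""
    uri = parse_request(raw).uri
    if nocase:
        return needle.lower() in uri.lower()
    return needle in uri


def content_matches(raw: bytes, needle: str, nocase: bool = True) -> bool:
    """Modelled content: the whole payload (line + headers) is searched."""
    if nocase:
        return needle.lower().encode("ascii") in raw.lower()
    return needle.encode("ascii") in raw


# Constructed sample: what a browser sends when the connection is transparently
# REDIRECTed. The browser believes it talks to the origin server, so the
# Request-URI is relative and the host name only appears in the Host header.
TRANSPARENT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 180solutions.com\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)

# Constructed sample: what a browser configured with an explicit proxy sends.
# The Request-URI is the absolute URL, so the host name is part of the URI.
EXPLICIT_PROXY_REQUEST = (
    b"GET http://180solutions.com/index.html HTTP/1.1\r\n"
    b"Host: 180solutions.com\r\n"
    b"\r\n"
)


def evaluate(raw: bytes) -> dict:
    """Outcome of the thread's uricontent option versus a Host-header content match."""
    return {
        'uricontent:"180solutions.com"': uricontent_matches(raw, "180solutions.com"),
        'content:"Host: 180solutions.com"': content_matches(raw, "Host: 180solutions.com"),
    }


if __name__ == "__main__":
    for name, req in (("transparent", TRANSPARENT_REQUEST),
                      ("explicit proxy", EXPLICIT_PROXY_REQUEST)):
        print(name, evaluate(req))
```

Run it and the transparent-proxy request, which is the setup described in the thread, fails the uricontent match and passes the Host-header content match; the explicit-proxy request passes both. That is why the published rules look for the host name with content and reserve uricontent for the page paths.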
From: Will M. <wil...@gm...> - 2005-03-12 21:51:54
> B. how to run inline and transparent proxy

I'm assuming that you are running the proxy on the same box you are running snort-inline on. Try the following; I can't promise anything, as I don't have a box running NAT mode right now.

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
    iptables -A INPUT -p tcp --dport 8080 -j QUEUE
    iptables -A OUTPUT -p tcp --sport 8080 -j QUEUE

snort_inline.conf:

    config checksum_mode: none