From: Norwich U. - I. S. <in...@no...> - 2005-05-12 20:25:42
|
Hi,

I'm setting up/testing snort inline like so...

PC ---x----(snort_inline)--------network

(yes that's a x-over cable)

Bridging seems to work. Output from 'snort -Qvc <configuration file>' shows headers, so iptables should be sending traffic to the QUEUE and snort should be seeing it.

'cat /proc/sys/net/ipv4/ip_forward' shows a 1

I'm just using a simple iptables script for testing...

$IPTABLES -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT

$IPTABLES -N ssh-allowed-in
$IPTABLES -F ssh-allowed-in
$IPTABLES -A ssh-allowed-in --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A ssh-allowed-in --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -N ssh-allowed-out
$IPTABLES -F ssh-allowed-out
$IPTABLES -A ssh-allowed-out --proto tcp --destination-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A ssh-allowed-out --proto tcp --source-port ssh -m state --state NEW,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -j ssh-allowed-in
$IPTABLES -A FORWARD -j QUEUE
$IPTABLES -A OUTPUT -j ssh-allowed-out

And in my snort.conf I'm just using any/any right now...

var HOME_NET any
var EXTERNAL_NET any

And I'm NOT loading any rules.

I thought if I did not load any rules traffic would enter the FORWARD chain and be sent to QUEUE. Since no rules are loaded nothing should be dropping packets and the traffic should be allowed out.

I must be missing something though, because no traffic is getting through from the PC. If I remove $IPTABLES -A FORWARD -j QUEUE from the iptables script it works (obviously). To my untrained eye it looks like the traffic is getting stuck (for the lack of a better word) in QUEUE.

What am I missing?
Jason
|
From: Will M. <wil...@gm...> - 2005-05-12 22:21:05
|
> 'cat /proc/sys/net/ipv4/ip_forward' shows a 1

If you are bridging traffic, this should be set to 0.

What are you passing to snort on the command line?

Regards,

Will
|
From: Norwich U. - I. S. <in...@no...> - 2005-05-13 15:16:16
|
I'm starting snort with...

snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline

Will Metcalf wrote:
>> 'cat /proc/sys/net/ipv4/ip_forward' shows a 1
>
> if you are bridging traffic, this should be set to 0.
>
> what are you passing to snort on the command line?
|
From: Will M. <wil...@gm...> - 2005-05-13 15:25:31
|
Are you using the 2.4.x series of kernel or 2.6.x?

Regards,

Will

On 5/13/05, Norwich University - Information Security <in...@no...> wrote:
> I'm starting snort with...
>
> snort -QD -c /etc/snort/snort.conf -l /var/log/snort_inline
|
From: Norwich U. - I. S. <in...@no...> - 2005-05-13 15:32:48
|
2.6.x

Will Metcalf wrote:
> Are you using the 2.4.x series of kernel or 2.6.x?
|
From: Will M. <wil...@gm...> - 2005-05-13 15:41:58
|
And you are running in bridge mode and not NAT mode? If you start snort with -v instead of -D do you see any traffic?

Regards,

Will

On 5/13/05, Norwich University - Information Security <in...@no...> wrote:
> 2.6.x
|