snort-users February 2010 archive

Re: [Snort-users] Unable to run Snort in IPS mode

From: Sharma, Ashish <ashish.sharma3_at_nospam>
Date: Tue Feb 23 2010 - 14:29:49 GMT
To: Nigel Houghton <nhoughton@sourcefire.com>


Nigel,

No success :(

My machine is a Fedora Core 10 virtual machine, running on Sun VirtualBox.

My rules in 'local.rules' are as follows:

'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)'
'drop icmp any any -> 16.150.17.4 any (msg: "Test ping activity";sid:1000002;)'

I am running 'snort' by this command:

'snort -k none -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort'

Console output is as follows:

' 02/23-19:57:13.288720 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13530 -> 16.150.17.4:80
02/23-19:57:13.288812 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13402 -> 16.150.17.4:80
02/23-19:57:47.034571 [Drop] [**] [1:1000002:0] Test ping activity [**] [Priority: 0] {ICMP} 16.150.18.130 -> 16.150.17.4'

But packets are not getting dropped and replies to the above requests are being received successfully. This should not happen :( right?

With regards
Ashish Sharma

-----Original Message-----
From: Nigel Houghton [mailto:nhoughton@sourcefire.com]
Sent: Tuesday, February 23, 2010 7:00 PM
To: Sharma, Ashish
Cc: Snort Users List
Subject: Re: [Snort-users] Unable to run Snort in IPS mode

On Tue, Feb 23, 2010 at 2:15 AM, Sharma, Ashish <ashish.sharma3@hp.com> wrote:
> Nigel,
>
> No success with your suggested idea.
>
> Attached is my 'local.rules' file.
>
> My uncommented rule is as:
> 'drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)'
>
> I launch my 'snort' with the following command:
>
> 'snort -A console -Q -c /etc/snortIDSMode/snort.conf -i eth1 -l /var/log/snort'
>
> Now whenever I try to access a web page hosted on a web server on the same machine (on which snort is hosted), I get the following kind of console output:
>
> ' 02/23-12:28:04.537751 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
> 02/23-12:28:04.538713 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
> 02/23-12:28:04.935699 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80
> 02/23-12:28:05.263633 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:5763 -> 16.150.17.4:80'
>
> Here I am able to access my web page from any other foreign machine, but this should not happen with a 'Drop' rule of this kind; I should not be able to access my web page in the first place when snort is running in 'inline' mode.
>
> Moreover, I had to comment out the other 'reject' and 'sdrop' rules since 'snort' fails to identify them (please look into my first message for the console output for this error).
>
> Thanks
> Ashish Sharma
>
>
> -----Original Message-----
> From: Nigel Houghton [mailto:nhoughton@sourcefire.com]
> Sent: Monday, February 22, 2010 9:16 PM
> To: Sharma, Ashish
> Cc: Snort Users List
> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>
> On Mon, Feb 22, 2010 at 9:22 AM, Sharma, Ashish <ashish.sharma3@hp.com> wrote:
>> Nigel,
>>
>> One of my drop rules in 'local.rules' is of following type:
>> 'drop icmp any any -> xxx.xxx.xxx.xxx any (msg: "Test ping activity";sid:1000002;)'
>>
>> Here my intention is to drop any packet that is received for ICMP ping activity, but actually when I run my 'snort'
>> and 'Ping' the destination machine, only alerts are logged and I receive the response of my 'Ping' command too.
>>
>> But I expect this should not happen with 'drop' rule, no response should be received for this case.
>>
>> Thanks
>> Ashish Sharma
>>
>> -----Original Message-----
>> From: Nigel Houghton [mailto:nhoughton@sourcefire.com]
>> Sent: Monday, February 22, 2010 7:42 PM
>> To: Sharma, Ashish
>> Cc: Snort Users List
>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>>
>> On Mon, Feb 22, 2010 at 8:37 AM, Sharma, Ashish <ashish.sharma3@hp.com> wrote:
>>> Rmkml,
>>>
>>> Please find attached my 'local.rules' file.
>>>
>>> Thanks
>>> Ashish Sharma
>>>
>>> -----Original Message-----
>>> From: rmkml [mailto:rmkml@free.fr]
>>> Sent: Monday, February 22, 2010 6:49 PM
>>> To: Sharma, Ashish
>>> Cc: rmkml@free.fr
>>> Subject: RE: [Snort-users] Unable to run Snort in IPS mode
>>>
>>> ok thx you Sharma,
>>> could you send local.rules please?
>>> Regards
>>> Rmkml
>>>
>>>
>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>>>
>>>> Rmkml,
>>>>
>>>> First of all thanks for helping.
>>>>
>>>> I don't think there is any problem with the command formatting or a 'RULE_PATH' variable error.
>>>>
>>>> The reason being that when I comment out the 'reject' and 'sdrop' rules from the 'local.rules' file and only 'drop' rules remain, 'Snort' runs fine and alerts are generated and logged.
>>>>
>>>> For your reference my 'Snort.conf' is attached.
>>>>
>>>> Thanks for helping again.
>>>>
>>>> Ashish Sharma
>>>>
>>>> -----Original Message-----
>>>> From: rmkml [mailto:rmkml@free.fr]
>>>> Sent: Monday, February 22, 2010 5:15 PM
>>>> To: Sharma, Ashish
>>>> Cc: rmkml@free.fr
>>>> Subject: Re: [Snort-users] Unable to run Snort in IPS mode
>>>>
>>>> Hi Sharma,
>>>> you start snort with cmd line:
>>>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>>>> please remove space like ... -c /etc/snort/snort.conf ...
>>>> In your snort.conf, what does the RULE_PATH variable contain, please? Or send
>>>> snort.conf...
>>>> Regards
>>>> Rmkml
>>>>
>>>>
>>>> On Mon, 22 Feb 2010, Sharma, Ashish wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a Fedora Core 10 virtual machine running on Sun VirtualBox.
>>>>>
>>>>> I am trying to run Snort on this machine in IPS mode.
>>>>>
>>>>> I followed the following steps (I had already installed the prerequisites for Snort IPS):
>>>>>
>>>>> 1. Downloaded 'snort-2.8.5.2.tar.gz'
>>>>> 2. Extracted the binaries.
>>>>> 3. did './configure --enable-inline'
>>>>> 4. did 'make'
>>>>> 5. did 'make install'
>>>>> 6. copied snort rules and snort conf at appropriate location.
>>>>> 7. executed the following command :
>>>>> 'snort -A console -Q -c /etc/snort /snort.conf -i eth1 -l /var/log/snort'
>>>>> 8. Snort launches with the traces :
>>>>>
>>>>> Enabling inline operation
>>>>> Running in IDS mode
>>>>>
>>>>> --== Initializing Snort ==--
>>>>> Initializing Output Plugins!
>>>>> Initializing Preprocessors!
>>>>> ..................................
>>>>>
>>>>> Initializing rule chains...
>>>>> ERROR: /etc/snortIDSMode/rules /local.rules(10 ) Unknown rule type: reject.
>>>>> Fatal Error, Quitting..
>>>>>
>>>>> 9. As you can see, I have a test rule in local.rules that has 'reject' in it, but snort is not accepting it; the same is the case for the 'sdrop' rule.
>>>>>
>>>>> 10. What is the problem? Please help!!!!!
>>>>>
>>>>> What should I do in all to let my Snort run in IPS mode?
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Ashish Sharma
>>>>>
>>>>
>>>
>>>
>>
>>
>> You have compiled Snort with --enable-inline. Your snort.conf looks
>> fine. The rules you have need to use the "drop" keyword instead of
>> "alert" so that they will drop the traffic in inline mode.
>>
>> So your two rules would become:
>>
>> drop tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
>> drop tcp any any -> 16.150.17.4 3310 (msg: "Test activity"; sid:1000004;)
>>
>> --
>> Nigel Houghton
>> Head Mentalist
>> SF VRT
>> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>>
>
>
> Your drop rule is commented out, so it is not active. Please try what
> I told you to try and report back. Thanks.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
>

Now we are getting somewhere. Since your snort installation is on the same machine you are sending packets to, try adding the "-k none" option to the command line. See if that fixes your problem and report back.

--
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
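The rules and '-A console' output quoted in this thread, worked through as an added example that is not part of the original exchange and not code from the Snort project or the snort-users list. The helper below (function names and the two sample text constants are assumptions made for this page) lints a local.rules body, flagging the inline-only actions (drop, sdrop, reject), two of which the build in this thread refused at startup, and alert rules that, as Nigel points out, can never drop traffic. It also parses the console alert lines and tallies, per sid, how many alerts carried a [Drop] tag. The tag is read from the printed line only; the code makes no claim about whether the kernel actually discarded the packet, which is the open question in the thread. The fourth rule line and the commented-out reject rule are constructed sample input; the rest is taken from the messages above.

```python
# Added illustration for this thread; not code from the snort-users list or
# the Snort project.  Function names and the sample text are assumptions.
import re
from collections import Counter, defaultdict

# Rule actions Snort only honours in inline (-Q) mode.  The thread shows a
# build that accepted "drop" but stopped with "Unknown rule type" on
# "reject" and "sdrop".
INLINE_ACTIONS = {"drop", "sdrop", "reject"}
PASSIVE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
# One rule option: keyword[:value]; where value may be a quoted string.
OPT_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')

# '-A console' (fast) alert line as printed in inline mode.  The [Drop]
# tag is whatever Snort printed for the rule action; IPv4 addresses only.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<verdict>Drop|Reject|SDrop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

def parse_options(opts):
    """Turn 'msg: "x"; sid:1;' into {'msg': 'x', 'sid': '1'}."""
    result = {}
    for m in OPT_RE.finditer(opts):
        key, val = m.group(1), (m.group(2) or "").strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        result[key] = val
    return result

def parse_rule(line):
    """Parse one rule line; return None for blanks and '#' comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unparseable rule: %r" % line)
    rule = m.groupdict()
    rule["opts"] = parse_options(rule["opts"])
    return rule

def lint_rules(text):
    """Classify every active rule by what its action can actually do."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = parse_rule(raw)
        if rule is None:
            continue
        action = rule["action"]
        if action in INLINE_ACTIONS:
            note = "inline-only: needs an --enable-inline build and -Q"
        elif action == "alert":
            note = "alert only: logged, never dropped"
        else:
            note = "passive action" if action in PASSIVE_ACTIONS else "unknown action"
        report.append({"line": lineno, "sid": rule["opts"].get("sid"), "action": action, "note": note})
    return report

def parse_alert(line):
    """Parse one console alert line into its fields (ports are None for ICMP)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable alert line: %r" % line)
    return m.groupdict()

def summarize_alerts(lines):
    """Per sid: total alerts and how many carried each verdict tag."""
    per_sid = defaultdict(Counter)
    for raw in lines:
        if not raw.strip():
            continue
        a = parse_alert(raw)
        per_sid[a["sid"]]["total"] += 1
        per_sid[a["sid"]][a["verdict"] or "Alert"] += 1
    return {sid: dict(c) for sid, c in per_sid.items()}

# Constructed sample input: the two rules and three alert lines quoted in
# the thread, plus a commented-out reject rule and an alert-only rule.
SAMPLE_RULES = """\
drop tcp any any -> 16.150.17.4 80 (msg: "Test web activity";sid:1000001;)
drop icmp any any -> 16.150.17.4 any (msg: "Test ping activity";sid:1000002;)
# reject tcp any any -> 16.150.17.4 25 (msg: "Test activity"; sid:1000003;)
alert tcp any any -> 16.150.17.4 3310 (msg: "Test activity"; sid:1000004; rev:1;)
"""
SAMPLE_ALERTS = """\
02/23-19:57:13.288720 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13530 -> 16.150.17.4:80
02/23-19:57:13.288812 [Drop] [**] [1:1000001:0] Test web activity [**] [Priority: 0] {TCP} 16.213.0.37:13402 -> 16.150.17.4:80
02/23-19:57:47.034571 [Drop] [**] [1:1000002:0] Test ping activity [**] [Priority: 0] {ICMP} 16.150.18.130 -> 16.150.17.4
"""
```

Running lint_rules(SAMPLE_RULES) reports sids 1000001 and 1000002 as inline-only and 1000004 as alert-only, skipping the commented-out reject rule; summarize_alerts(SAMPLE_ALERTS.splitlines()) returns two [Drop] alerts for sid 1000001 and one for sid 1000002, which matches what the console showed while the traffic still got through. A per-sid count of [Drop] tags that does not line up with connections actually failing is exactly the symptom to take to the packet path (how traffic reaches the inline Snort) rather than to the rules.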