
[Snort-users] Snort stateless/asymmetric mode


Rodolfo Etore, May 8, 2013, 2:54:18 PM
Hello all,

Can you please help me with the following situation:

I have two sensors. Our network team created a port channel to connect both sensors on the same network, and the situation we are facing now is this: the traffic comes in through one sensor and goes out through the other sensor, so Snort is not matching any rules. I would like to check with you whether there is a way we can inspect the traffic in some sort of stateless mode, because it only matches when traffic goes out through the same sensor it came in on.


Many thanks for your help.

James Lay, May 8, 2013, 3:25:04 PM


By sensor, do you mean a different machine/snort instance/interface?
Could you describe it in a little more detail?

James

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Rodolfo Etore, May 8, 2013, 4:16:58 PM
Hello, thanks for your quick response here,

2013/5/8 James Lay <jl...@slave-tothe-box.net>

On 2013-05-08 12:54, Rodolfo Etore wrote:
> Hello all,
>
> Can you please help me with the following situation:
>
> I have two sensors. Our network team created a port channel to connect
> both sensors on the same network, and the situation we are facing now
> is this: the traffic comes in through one sensor and goes out through the
> other sensor, so Snort is not matching any rules. I would
> like to check with you whether there is a way we can inspect the
> traffic in some sort of stateless mode, because it only matches when
> traffic goes out through the same sensor it came in on.
>
> Many thanks for your help.


By sensor are you meaning a different machine/snort instance/interface?
Could you describe it in a little more detail?

A sensor is basically a machine, and each machine has one bridge with one Snort instance running. The two machines have the very same configuration.
What happens is that in some situations we have the inbound packets going through one machine and the outbound packets through the second machine; as mentioned earlier, this way the Snort signatures are not matching.

James




--
Many thanks in advance

James Lay, May 8, 2013, 10:04:34 PM
I do work with a company that has multiple paths out, so I think I know where you're at.  The solution was/is to have a single machine with multiple NICs, have each path get a spanned port, and then use the DAQ to listen on each interface in each path.  The bonus was that one instance of Snort handles all external traffic, no matter which path it comes in or goes out on.  Hope that sorta helps.

James

Rodolfo Etore, May 9, 2013, 11:05:20 AM



2013/5/8 James Lay <jl...@slave-tothe-box.net>

I do work with a company that has multiple paths out, so I think I know where you're at.  The solution was/is to have a single machine with multiple NICs, have each path get a spanned port, and then use the DAQ to listen on each interface in each path.  The bonus was that one instance of Snort handles all external traffic, no matter which path it comes in or goes out on.  Hope that sorta helps.

James
 
Hello boss, I do understand your point of view, but this won't help us at this point. I would like to know if there's a way I could set Snort to match on only fragments of the packet, like only the GET or only the response.

James Lay, May 9, 2013, 8:42:55 PM
I do not think Snort will do what you're hoping…I'll defer to smarter folks here.

James

beenph, May 9, 2013, 8:53:45 PM
On Thu, May 9, 2013 at 8:42 PM, James Lay <jl...@slave-tothe-box.net> wrote:
>
> Hello boss, I do understand your point of view, but this won't help us at
> this point. I would like to know if there's a way I could set Snort to match
> on only fragments of the packet, like only the GET or only the response.
>

It's possible, but looking at previous e-mails in the thread you might
want to rethink your IDS deployment
before or after routing occurs to balancers.

-elz

Joel Esler, May 10, 2013, 11:11:15 AM
Snort needs to see both sides of the conversation in order for it to work right.


On May 9, 2013, at 8:42 PM, James Lay <jl...@slave-tothe-box.net> wrote:

I do not think Snort will do what you're hoping…I'll defer to smarter folks here.

James

Rodolfo Etore, May 10, 2013, 11:13:38 AM
2013/5/9 beenph <bee...@gmail.com>
> On Thu, May 9, 2013 at 8:42 PM, James Lay <jl...@slave-tothe-box.net> wrote:
> >
> > Hello boss, I do understand your point of view, but this won't help us at
> > this point. I would like to know if there's a way I could set Snort to match
> > on only fragments of the packet, like only the GET or only the response.
> >
>
> It's possible, but looking at previous e-mails in the thread you might
> want to rethink your IDS deployment
> before or after routing occurs to balancers.
>
> -elz
If it is possible, can you please let me know how I can get this done?
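Joel's point above (Snort needs to see both sides of the conversation) and Rodolfo's question about matching on only the GET or only the response, illustrated with an added example that is not part of the thread and is not Snort's code. It is a deliberately simplified model of a flow tracker with two rules: one carrying a `flow:established,to_server` requirement in the spirit of Snort's `flow` keyword, and one with no flow option at all. The sensor is run three ways: seeing both directions, seeing only client-to-server packets (sensor A in the thread's setup), and seeing only server-to-client packets (sensor B). The addresses, ports, HTTP request, rule names and the `Packet`/`Flow`/`Rule` types are all constructed for this example.

```python
"""Simplified model of a stateful IDS sensor (not Snort's code): why a rule with a flow:
option stops matching when a TCP session's two directions cross different sensors, and
what a stateless rule can and cannot recover. All inputs are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]

@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    flags: str            # TCP flags, abbreviated: "S", "SA", "A", "PA"
    payload: bytes = b""

@dataclass
class Flow:
    client: Endpoint
    server: Endpoint
    handshake: int = 0    # 0 nothing, 1 SYN, 2 SYN/ACK, 3 final ACK seen (3 = established)
    to_server: bytearray = field(default_factory=bytearray)   # reassembled client->server
    to_client: bytearray = field(default_factory=bytearray)   # reassembled server->client

@dataclass(frozen=True)
class Rule:
    name: str
    content: bytes
    flow: Optional[str] = None    # e.g. "established,to_server"; None = stateless rule

class Sensor:
    def __init__(self) -> None:
        self.flows: Dict[Tuple[Endpoint, Endpoint], Flow] = {}

    def track(self, p: Packet) -> Tuple[Flow, str]:
        """Update flow state for one packet; return the flow and the packet's direction."""
        key = (p.src, p.dst) if p.src <= p.dst else (p.dst, p.src)
        flow = self.flows.get(key)
        if flow is None:
            # SYN or SYN/ACK identifies the client; on midstream pickup guess the lower port is the server.
            client = p.src if p.flags == "S" else p.dst if p.flags == "SA" else max(p.src, p.dst, key=lambda e: e[1])
            flow = self.flows[key] = Flow(client=client, server=p.dst if client == p.src else p.src)
        direction = "to_server" if p.src == flow.client else "to_client"
        if p.flags == "S":
            flow.handshake = 1
        elif p.flags == "SA" and flow.handshake == 1:
            flow.handshake = 2
        elif p.flags == "A" and flow.handshake == 2:
            flow.handshake = 3
        (flow.to_server if direction == "to_server" else flow.to_client).extend(p.payload)
        return flow, direction

def alerts(packets: List[Packet], rules: List[Rule]) -> Set[str]:
    """Run one sensor over a packet list and return the names of the rules that fired."""
    sensor, fired = Sensor(), set()
    for p in packets:
        flow, direction = sensor.track(p)
        if not p.payload:
            continue
        for r in rules:
            if r.flow is None:
                # Stateless rule: this packet's payload only, no flow state needed.
                if r.content in p.payload:
                    fired.add(r.name)
                continue
            opts = set(r.flow.split(","))
            wanted = opts & {"to_server", "to_client"}
            if ("established" in opts and flow.handshake < 3) or (wanted and direction not in wanted):
                continue
            # Stateful rule: inspect the reassembled stream for this direction.
            stream = flow.to_server if direction == "to_server" else flow.to_client
            if r.content in stream:
                fired.add(r.name)
    return fired

# Constructed session (documentation address ranges): one HTTP request and its reply.
CLIENT: Endpoint = ("10.0.0.5", 40000)
SERVER: Endpoint = ("203.0.113.10", 80)
GET = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SESSION = [Packet(CLIENT, SERVER, "S"), Packet(SERVER, CLIENT, "SA"), Packet(CLIENT, SERVER, "A"),
           Packet(CLIENT, SERVER, "PA", GET), Packet(SERVER, CLIENT, "PA", RESP)]
# Same request with "GET /admin" split across two segments.
SESSION_SPLIT = SESSION[:3] + [Packet(CLIENT, SERVER, "PA", GET[:6]), Packet(CLIENT, SERVER, "PA", GET[6:]), SESSION[4]]

RULES = [
    Rule("stateful-get-admin", b"GET /admin", flow="established,to_server"),
    Rule("stateless-get-admin", b"GET /admin"),
]

def split_asymmetric(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """The thread's setup: sensor A sees only client->server, sensor B only server->client."""
    return [p for p in packets if p.src == CLIENT], [p for p in packets if p.src == SERVER]

if __name__ == "__main__":
    for label, session in (("single segment", SESSION), ("split request", SESSION_SPLIT)):
        a, b = split_asymmetric(session)
        print(label, "both sides:", sorted(alerts(session, RULES)), "A:", sorted(alerts(a, RULES)), "B:", sorted(alerts(b, RULES)))
```

With both directions on one sensor, both rules fire on the request. On sensor A the handshake never completes because the SYN/ACK went through sensor B, so the stateful rule stays silent and only the stateless rule fires; sensor B sees only the reply and fires nothing. The second session shows the cost of going stateless: once "GET /admin" is split across two segments, the stateless rule misses it even on the sensor that sees everything, because per-packet matching has no reassembled stream to inspect, while the stateful rule still catches it. That is the trade-off behind the advice in the thread to put one Snort instance where it sees both sides.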