
[Snort-users] Odp: Re: Snort inline with Squid


Robert Lasota

Apr 24, 2015, 9:08:35 AM

On Friday, 24 April 2015 at 13:58, James Lay <jl...@slave-tothe-box.net> wrote:

On Fri, 2015-04-24 at 09:33 +0200, Robert Lasota wrote:
Hi,

Well, I have a problem with running both of these apps together on a router. Snort (as IPS) inline gets traffic from iptables (QUEUE option), and Squid transparent also (from PREROUTING), and it turned out there is a problem running both in that case. I tried these combinations of iptables:

# for Snort
$iptables -I FORWARD -p tcp --dport 80 -j QUEUE
# for Squid
$iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

$iptables -I FORWARD -p tcp --dport 80 -j QUEUE
$iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

$iptables -I OUTPUT -p tcp --dport 80 -j QUEUE
$iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

.. and nothing. In all cases either Squid doesn't work or Snort doesn't.

Does somebody have any idea how to solve this difficult case? I would appreciate it.

Robert

Two interfaces?  One internal net, one external net?

James



Yes, there are 2 NICs, one for the internet and one for the LAN.

Robert


Robert Lasota

Apr 25, 2015, 9:00:58 AM

On Friday, 24 April 2015 at 17:53, James Lay <jl...@slave-tothe-box.net> wrote:

So my setup is I have a transparent proxy that's listening on eth0 (192.168.bleh) that forwards out ppp0 (external IP).  This takes internal clients and transparently proxies them.  If that's your setup, here's how I would do it.

Start snort:

sudo snort -Q -D --daq nfq --daq-var device=eth0 --daq-var queue=1 -c snort.conf

Snort iptables first:

$iptables -t mangle -I FORWARD -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
# OUTPUT has no input interface, so it is matched with -o rather than -i
$iptables -t mangle -I OUTPUT -o eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1

Now for Squid

$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

This should get you what you need, however keep in mind that snort will need to be started first, and because you're sending ONLY port 80 to the NFQUEUE, that's all snort will see as that's all that's going to the queue.  Lastly, you'll need to modify the rules that you want to drop traffic to reflect drop instead of alert...you'll get an alert in your unified (if you're doing that) or fast file (if you're doing that as well) either way with drop or alert, but drop will actively drop the connection.  Check the link below for more info:

http://www.iptables.info/en/structure-of-iptables.html#MANGLETABLE < scroll up to get a nifty diagram.

Hope that helps.

James

Hi,

I did as you said and it doesn't work. Squid is blocking but Snort is not working, I mean instead of displaying an alert page it shows some Squid error page "url cannot be retrieved".

My commands were:

snort -Q -D --daq nfq --daq-var device=eth1 --daq-var queue=1 -c /opt/etc/snort/snort.conf

iptables -t mangle -I FORWARD -i eth1 -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -I OUTPUT -o eth1 -p tcp --dport 80 -j NFQUEUE --queue-num 1

eth1 - LAN interface

What is interesting, in the above case no packets got into the rules in the mangle table.. zero:

Chain FORWARD (policy ACCEPT 893 packets, 403K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT 5009 packets, 3240K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1

I tried adding the mangle rules without an interface:

iptables -t mangle -I FORWARD -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -I OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1

and now packets only got to the OUTPUT chain:


Chain FORWARD (policy ACCEPT 12 packets, 989 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT 1855 packets, 645K bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  5563 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
..but there is still the error "url cannot be retrieved"

Robert
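The zero counters Robert quotes are the diagnostic that matters: an NFQUEUE rule that never matches means Snort never sees that direction of the traffic (once nat PREROUTING has REDIRECTed a packet to the local Squid port it is delivered locally through INPUT, not FORWARD). The following Python is an added example, not code from this thread, that parses `iptables -t mangle -L -v -n` output and flags idle NFQUEUE rules; the embedded listing is constructed from the two listings Robert posted.

```python
import re

# Constructed sample built from the mangle-table listings Robert posted:
# the FORWARD rule bound to eth1 never matched, the OUTPUT rule did.
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT 893 packets, 403K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
Chain OUTPUT (policy ACCEPT 1855 packets, 645K bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  5563 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 NFQUEUE num 1
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")
# columns: pkts bytes target prot opt in out source destination [match text]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def _count(text):
    """iptables -v abbreviates large counters (403K); expand them to an int."""
    mult = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    return int(text[:-1]) * mult[text[-1]] if text[-1] in mult else int(text)

def parse_nfqueue_rules(listing):
    """One dict per NFQUEUE rule: chain, packet count, in/out interface, queue number."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m or m.group(3) != "NFQUEUE":
            continue
        q = re.search(r"NFQUEUE num (\d+)", m.group(9))
        rules.append({"chain": chain, "pkts": _count(m.group(1)), "in": m.group(5),
                      "out": m.group(6), "queue": int(q.group(1)) if q else None})
    return rules

def idle_queue_rules(listing):
    """Chains whose NFQUEUE rule has a zero packet counter: Snort is blind there."""
    return [r["chain"] for r in parse_nfqueue_rules(listing) if r["pkts"] == 0]
```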


James Lay

Apr 25, 2015, 4:52:57 PM

Ok....I'll dust off the dev box and run it through some tests...stay tuned.

James

James Lay

Apr 26, 2015, 3:39:55 PM

So ok...this was fun and weird at the same time.  Here's the setup, which, though not routing, should get you there.  So here's the setup:

Workstation (192.168.1.2) <switch> Router/Bridge (192.168.1.9, two NICs bridged to br0) <crossover cable> (we'll pretend it's the Internet) (192.168.1.73).

192.168.1.9 is running snort and squid, squid listening on http_port 3128 and https_port 3129.  192.168.1.73 is running apache listening on ports 80 and 443.  Snort line:
sudo snort -Q -A cmg -c snort/snort.conf --daq nfq --daq-mode inline --daq-var device=br0 --daq-var queue=1 -k none

snort rule (in local.rules, the only ruleset enabled):
drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)

The below magic combination works:
sudo iptables -t mangle -I PREROUTING -j NFQUEUE --queue-num 1
sudo iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1
sudo iptables -t nat -A PREROUTING -i br0 -s 192.168.1.2 -p tcp --dport 80 -j REDIRECT --to-port 3128

[09:20:22 iMac:~$] wget http://192.168.1.73/index
--2015-04-26 09:20:41--  http://192.168.1.73/index
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... ^C

Apr 26 09:20:44 analysis squid: 192.168.1.2 - - [26/Apr/2015:09:20:44 -0600] "GET http://192.168.1.73/index HTTP/1.1" 0 0 TCP_MISS_ABORTED:ORIGINAL_DST - - -

04/26-09:20:42.843965  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.9:43256 -> 192.168.1.73:80
Stream reassembled packet
04/26-09:20:42.843965 192.168.1.9:43256 -> 192.168.1.73:80
TCP TTL:64 TOS:0x0 ID:14977 IpLen:20 DgmLen:277 DF
***A**** Seq: 0xF8747E23  Ack: 0x127ADA9C  Win: 0x7580  TcpLen: 32
47 45 54 20 2F 69 6E 64 65 78 20 48 54 54 50 2F  GET /index HTTP/
31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  1.1..User-Agent:


Yet choosing something other than index gets the expected results:

[09:20:43 iMac:~$] wget http://192.168.1.73/bleh
--2015-04-26 09:22:05--  http://192.168.1.73/bleh
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2015-04-26 09:22:05 ERROR 404: Not Found.

Apr 26 09:22:06 analysis squid: 192.168.1.2 - - [26/Apr/2015:09:22:06 -0600] "GET http://192.168.1.73/bleh HTTP/1.1" 404 543 TCP_MISS:ORIGINAL_DST - - -

I tested other combinations, but none of them worked.  Why the above combo of mangle PREROUTING AND OUTPUT works I haven't a clue.  The above will pipe ALL traffic through snort...if that's not what you want just specify the port as you'd like.  What I like about the above is the fact that it runs snort hybrid, so rules with drop will drop, rules with alert will only alert.  This will also keep most firewall rules intact as the mangle table works before your standard "filter" tables.  Hope that helps.

James
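What the client sees in James's test is an aborted Squid fetch rather than a block page, because the drop lands on the proxy's upstream connection and Snort records the proxy (192.168.1.9) as the source, not the workstation. The following Python is an added example, not code from this thread, that pairs Squid's aborted ORIGINAL_DST entries with Snort's [Drop] events to recover the real client address; the log lines are constructed from the ones James posted, and the year is assumed because the Snort timestamp omits it.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed samples modelled on James's output: Snort on the proxy host drops the
# proxy's upstream request, so only Squid's log names the real client (192.168.1.2).
SNORT_ALERTS = """\
04/26-09:20:42.843965  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.9:43256 -> 192.168.1.73:80
"""
SQUID_LOG = """\
Apr 26 09:20:44 analysis squid: 192.168.1.2 - - [26/Apr/2015:09:20:44 -0600] "GET http://192.168.1.73/index HTTP/1.1" 0 0 TCP_MISS_ABORTED:ORIGINAL_DST - - -
Apr 26 09:22:06 analysis squid: 192.168.1.2 - - [26/Apr/2015:09:22:06 -0600] "GET http://192.168.1.73/bleh HTTP/1.1" 404 543 TCP_MISS:ORIGINAL_DST - - -
"""
YEAR = 2015  # assumed: the Snort timestamp carries no year

SNORT_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[Drop\].*?\[(\d+:\d+:\d+)\] (.*?) \[\*\*\]"
                      r".*?\{\w+\} (\S+):\d+ -> (\S+):\d+")
SQUID_RE = re.compile(r'squid: (\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [-+]\d{4}\] '
                      r'"\w+ (\S+) [^"]*" \d+ \d+ (\S+)')

def parse_snort_drops(text):
    """[Drop] events: time, sid, msg, src (the proxy here) and dst (origin server)."""
    drops = []
    for m in filter(None, map(SNORT_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{YEAR}/{m.group(1)} {m.group(2)}", "%Y/%m/%d %H:%M:%S")
        drops.append({"time": ts, "sid": m.group(3), "msg": m.group(4), "src": m.group(5), "dst": m.group(6)})
    return drops

def parse_squid_aborts(text):
    """Aborted fetches (status 0, *_ABORTED): the requests clients saw as a Squid error page."""
    aborted = []
    for m in filter(None, map(SQUID_RE.search, text.splitlines())):
        if "ABORTED" in m.group(4):
            aborted.append({"time": datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"),
                            "client": m.group(1), "url": m.group(3), "host": urlsplit(m.group(3)).hostname})
    return aborted

def correlate(snort_text, squid_text, window_s=5):
    """Pair each aborted Squid fetch with a Snort drop to the same origin server within
    window_s seconds before it, recovering the real client IP that Snort cannot see."""
    drops = parse_snort_drops(snort_text)
    hits = []
    for a in parse_squid_aborts(squid_text):
        for d in drops:
            age = (a["time"] - d["time"]).total_seconds()
            if d["dst"] == a["host"] and 0 <= age <= window_s:
                hits.append((a["client"], a["url"], d["sid"], d["msg"]))
    return hits
```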