[Snort-users] Snort in Inline Mode on CentOS 6.3

Okeowo, Ayo
Feb 6, 2013, 9:28:44 AM

Hello Folks,

Has anyone successfully set up Snort 2.9.4 on CentOS 6.3 with functioning IPS (inline mode) using 2 interfaces (1 for sniffing traffic and a 2nd for management)?

I'm having a few issues, although I haven't sat down to address them yet due to my day job sucking up my time. The first issue is, if I use 1 interface and put Snort in inline mode, my drop rules don't work. Second, if I use 2 interfaces, both alert and drop rules cease to work and I get nothing in Snorby.

Any insight into this issue will be appreciated. Like I said, I haven't sat down to troubleshoot this issue yet, but your responses will help.

Thanks.
Ayo

Y M
Feb 6, 2013, 10:28:08 AM

You will need 3 interfaces. Two will be in transparent mode and the third will be used for management. When you run Snort in inline mode you would use, for example, -i eth0:eth1 (or the bridge, if you will be using a bridge) and eth3 for management.

YM

Y M
Feb 6, 2013, 10:56:40 AM

It will be largely dependent on the output plugin you are using. In the case of Snorby, although I don't use it, it will eventually read from a database (MySQL). In this case, it is common practice to let Snort output to unified2 and let barnyard2 parse the unified2 logs into the database, from which Snorby will read the data.

Hope you get your setup done.

YM

From: Okeowo, Ayo
Sent: 2/6/2013 6:43 PM
To: Y M
Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3

YM,

Thanks for the response. I would never have thought of increasing my interfaces (virtual interfaces) to 3 to make it work. I will try that when I get home and let you know.

So this will allow my drop and alert rules to pop up in Snorby? Once it works I will then go ahead and configure the preprocessors etc.

And I also hope to combine my command line with the --alert-before-pass switch.

Y M
Feb 10, 2013, 11:54:28 AM

a. How are you running Snort? In other words, what is the command you are using to run Snort?

b. Which DAQ are you using?

c. How is your drop rule set up?

d. When you stop Snort, what do the verdict statistics show?

Please, when you send/reply, do so to the whole group, as there are awesome people here who are more experienced than I am, and other people benefit as well.

Thanks.
YM

From: Okeowo, Ayo
Sent: 2/10/2013 7:38 PM
To: Y M
Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3

YM,

Sorry I'm just getting back to you after I posted my question. I've been able to add 1 more interface, and the 2 interfaces are now in promiscuous mode. I've confirmed there are packets traversing the interfaces, but my rule is not dropping any traffic requests to, let's say, ports 80 and 443.

What could I possibly be missing? Still looking through, though, to see if I find anything that could be causing the issue.

Your response will be much appreciated.

Y M
Feb 10, 2013, 12:28:01 PM

Have you tried adding --daq-mode inline in your command?

YM

From: Okeowo, Ayo
Sent: 2/10/2013 8:12 PM
To: Y M; snort...@lists.sourceforge.net
Subject: Fwd: [Snort-users] Snort in Inline Mode on CentOS 6.3

---------- Forwarded message ----------
From: Okeowo, Ayo <gad...@cyberdrobe.com>
Date: Sun, Feb 10, 2013 at 12:11 PM
Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3
To: Y M <sn...@outlook.com>

Below is what I have.

{Q1::Answer}
My Snort command is:
snort -c /etc/snort/snort.conf --daq afpacket -i eth0:eth2 -Q -A console

{Q2::Answer}
I'm using DAQ mode: --daq afpacket

{Q3::Answer - drop rule resides in local.rules}
drop tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"Block Web Traffic from Outside"; classtype:web-application-attack; metadata:service http; flow:established,to_server; sid:1000008; rev:2;)

{Q4::Answer}
Verdicts:
      Allow:      8115288 ( 98.956%)
      Block:          640 (  0.008%)
    Replace:          252 (  0.003%)
  Whitelist:            0 (  0.000%)
  Blacklist:           37 (  0.000%)
     Ignore:            0 (  0.000%)


Okeowo, Ayo
Feb 10, 2013, 12:30:46 PM

No, I haven't added the switch to my command line. Let me try that and will let you know.

Y M
Feb 10, 2013, 12:40:14 PM

Sorry I overlooked your verdicts:

"Block:          640 (  0.008%)"

Which means Snort has blocked 640 packets out of all the packets Snort analyzed.

I would start testing on more simple rules, like the icmp-protocol ping and then move on to more complex rules.

YM

Okeowo, Ayo
Feb 10, 2013, 1:01:41 PM

Made a little progress. The rule now shows as an alert both in my Snort alerts and in Snorby, but it's not blocking anything. I will write a simple rule to block ICMP and UDP and then see what happens.

Okeowo, Ayo
Feb 10, 2013, 1:31:07 PM

YM,

It's working now. I think I know why my drop rule wasn't working at first. I commented out (using #) my alert rules above my new drop rules. So I was getting the alerts, but nothing was blocked as a result of that.

One thing I would like someone to clarify is this: when my Snort is in inline mode, I don't need any alert rules any more; instead I will use the drop, activate, etc. rules, which will still generate alerts either way, according to the Snort manual?
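As an added example (not code from this thread or from the Snort project), here is a small Python script that does the two checks the thread ends up relying on. It parses a Snort 2.x rules file and flags alert rules whose header exactly duplicates a drop rule placed later in the file, which is the layout the last post identifies as the reason nothing was blocked, and it parses the Verdicts block from Snort's shutdown statistics to answer YM's question (d) about whether any Block verdicts were returned. The drop rule and the verdict counters are copied from the thread; the alert rule with sid 1000007 is constructed for the example. The lint goes slightly beyond the thread in that it handles any rules file with either direction operator, but it is deliberately conservative: only exact header duplicates are reported, not overlapping port lists or variables that happen to resolve to the same hosts.

```python
"""Two checks for a Snort 2.x inline deployment.

Added example for this thread; it is not code from the Snort project or from
anyone in the thread. The drop rule and the Verdicts block are copied from the
thread; the alert rule with sid 1000007 is constructed to show the overlap the
last post describes.
"""
import re
from collections import namedtuple

# Header of a Snort 2.x rule: action proto src sport dir dst dport (options)
_RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|sdrop|reject|activate|dynamic)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# One counter line of the "Verdicts:" block Snort prints at shutdown
_VERDICT_RE = re.compile(
    r"^\s*(Allow|Block|Replace|Whitelist|Blacklist|Ignore):\s+(\d+)\s*\(")

# Field order matters: indices 1..6 form the header used for duplicate matching
Rule = namedtuple("Rule", "action proto src sport dir dst dport sid lineno")

# Constructed local.rules: the drop rule is the one posted in the thread, the
# alert rule above it is made up and duplicates its header exactly.
LOCAL_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"Web Traffic from Inside"; sid:1000007; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"Block Web Traffic from Outside"; classtype:web-application-attack; metadata:service http; flow:established,to_server; sid:1000008; rev:2;)
"""

# Verdict counters as printed by Snort at shutdown, copied from the thread.
SHUTDOWN_STATS = """\
Verdicts:
      Allow:      8115288 ( 98.956%)
      Block:          640 (  0.008%)
    Replace:          252 (  0.003%)
  Whitelist:            0 (  0.000%)
  Blacklist:           37 (  0.000%)
     Ignore:            0 (  0.000%)
"""


def parse_rules(text):
    """Parse the active rules in a rules file; '#' lines and blanks are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError("line %d does not look like a rule: %s" % (lineno, line))
        sid = _SID_RE.search(m.group("body"))
        rules.append(Rule(m.group("action"), m.group("proto"), m.group("src"),
                          m.group("sport"), m.group("dir"), m.group("dst"),
                          m.group("dport"), int(sid.group(1)) if sid else None,
                          lineno))
    return rules


def find_shadowed_drops(rules):
    """Return (alert_sid, drop_sid) pairs where an alert rule with exactly the
    same header (proto, src, sport, dir, dst, dport) precedes a drop rule."""
    pairs = []
    for i, drop in enumerate(rules):
        if drop.action != "drop":
            continue
        for earlier in rules[:i]:
            if earlier.action == "alert" and earlier[1:7] == drop[1:7]:
                pairs.append((earlier.sid, drop.sid))
    return pairs


def lint_rules(text):
    """Parse a rules file and report alert rules that shadow a later drop rule."""
    return find_shadowed_drops(parse_rules(text))


def parse_verdicts(text):
    """Extract the verdict counters from Snort's shutdown output."""
    counts = {}
    for line in text.splitlines():
        m = _VERDICT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def blocking_observed(counts):
    """True if the DAQ was handed at least one Block or Blacklist verdict,
    i.e. some packet actually went down a drop path during the run."""
    return counts.get("Block", 0) + counts.get("Blacklist", 0) > 0


if __name__ == "__main__":
    for alert_sid, drop_sid in lint_rules(LOCAL_RULES):
        print("alert sid %d duplicates the header of drop sid %d" % (alert_sid, drop_sid))
    verdicts = parse_verdicts(SHUTDOWN_STATS)
    print("verdicts:", verdicts)
    print("blocking observed:", blocking_observed(verdicts))
```

Run it against a real local.rules by reading the file into `lint_rules`, and paste the Verdicts block from Snort's shutdown output into `parse_verdicts`. A non-empty result from the lint means the file has the alert-above-drop layout from the last post; a zero Block count after a test run means the drop path was never exercised, so the problem is upstream of the rule (DAQ mode, interface pair, or `-Q`), not the rule itself.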