Old 11-25-2006, 03:50 PM   #1
Emmanuel_uk
Senior Member
 
Registered: Nov 2004
Distribution: Mandriva mostly, vector 5.1, tried many.Suse gone from HD because bad Novell/Zinblows agreement
Posts: 1,606

Question snort inline 2.6.0.2 enable_tcpopt_experimental_drops not working


Hi, I was getting a lot (2 every 5 min) of Experimental Tcp Option alerts for a few hours.
The snort inline that I configured is *not* dropping these packets
(or at least shorewall is not telling me it is, nor is snort).

Alerts
11/25-time [**] [116:58:1] (snort_decoder): Experimental Tcp Options found [**] {TCP} 2xxx source:scrport -> 192xxxx:destport
I know it is not a drama, but I want these packets to drop, as a learning exercise.

Setup: Mandriva 2007, custom-compiled kernel to remove lots of unused modules.
Internet ---> eth0 --> ip_queue -> snort inline --> shorewall --> application

snort 2.6.0.2 compiled with
./configure --enable-rulestate --enable-inline --enable-dynamicplugin

Can anybody please point me to what to read / look at?
There is something I must not understand about snort.conf, even after reading the pdf docs.
Maybe something about the way "reset" works with mac addresses?

Thanks

extract of snort.conf
Code:
var HOME_NET 192.x.x.0/24
# If running an iptables firewall with snort in InlineMode() we can now
# perform resets via a physical device. We grab the indev from iptables
# and use this for the interface on which to send resets. This config
# option takes an argument for the src mac address you want to use in the
# reset packet.  This way the bridge can remain stealthy. If the src mac
# option is not set we use the mac address of the indev device. If we
# don't set this option we will default to sending resets via raw socket,
# which needs an ipaddress to be assigned to the int.
# config layer2resets: 00:06:76:DD:5F:E3
# I never entered the mac of eth0 above. I cannot understand if it is required
config enable_decode_drops
config enable_tcpopt_experimental_drops
config enable_tcpopt_obsolete_drops
config enable_tcpopt_drops
config enable_ipopt_drops
Tac of the log when starting snort
Code:
Nov 24 21:01:37 localhost snort[7394]: Not Using PCAP_FRAMES
Nov 24 21:01:37 localhost snort[7394]: Snort initialization completed successfully (pid=7394)
Nov 24 21:01:37 localhost snort[7394]: Cannot set uid and gid when running Snort in inline mode.
Nov 24 21:01:37 localhost snort[7394]: Daemon initialized, signaled parent pid: 7382
Nov 24 21:01:37 localhost snort[7382]: Daemon parent exiting
Nov 24 21:01:37 localhost snort[7394]: Writing PID "7394" to file "/var/run//snort_eth0.pid"
Nov 24 21:01:37 localhost snort[7394]: PID path stat checked out ok, PID path set to /var/run/
Nov 24 21:01:37 localhost snort[7394]: Var 'eth0_ADDRESS' redefined
Nov 24 21:01:37 localhost kernel: audit(1164402097.474:4): dev=eth0 prom=256 old_prom=0 auid=4294967295
Nov 24 21:01:37 localhost kernel: device eth0 entered promiscuous mode
Nov 24 21:01:37 localhost kernel: eth0: Promiscuous mode enabled.
Nov 24 21:01:37 localhost snort[7382]: Initializing daemon mode
Nov 24 21:01:37 localhost kernel: audit(1164402097.471:3): dev=eth0 prom=0 old_prom=256 auid=4294967295
Nov 24 21:01:37 localhost kernel: device eth0 left promiscuous mode
Nov 24 21:01:37 localhost snort[7382]: , value = 192.168.1.0/255.255.255.0
Nov 24 21:01:37 localhost snort[7382]: Var 'eth0_ADDRESS' defined, value len = 25 chars
Nov 24 21:01:37 localhost kernel: audit(1164402097.435:2): dev=eth0 prom=256 old_prom=0 auid=4294967295
Nov 24 21:01:37 localhost kernel: device eth0 entered promiscuous mode
Nov 24 21:01:37 localhost kernel: eth0: Promiscuous mode enabled.
Nov 24 21:01:37 localhost snort[7382]: Warning: flowbits key 'tagged' is set but not ever checked.
Nov 24 21:01:37 localhost snort[7382]:       Drop on X-Link2State Alert: NO
Nov 24 21:01:37 localhost snort[7382]:       X-Link2State Alert:         YES
Nov 24 21:01:37 localhost snort[7382]:       Max Response Line Length:   0
Nov 24 21:01:37 localhost snort[7382]:       Max Header Line Length:     0
Nov 24 21:01:37 localhost snort[7382]:       Max Command Length:         0
Nov 24 21:01:37 localhost snort[7382]:       Ignore Alerts:              NO
Nov 24 21:01:37 localhost snort[7382]:       Ignore TLS Data:            NO
Nov 24 21:01:37 localhost snort[7382]:       Ignore Data:                NO
Nov 24 21:01:37 localhost snort[7382]:       Normalize Spaces:           YES
Nov 24 21:01:37 localhost snort[7382]:       Inspection Type:            STATEFUL
Nov 24 21:01:37 localhost snort[7382]:
Nov 24 21:01:37 localhost snort[7382]: 25
Nov 24 21:01:37 localhost snort[7382]:       Ports:
Nov 24 21:01:37 localhost snort[7382]: SMTP Config:
Nov 24 21:01:37 localhost snort[7382]:         Max Response Length: 256
Nov 24 21:01:37 localhost snort[7382]:         Check for Telnet Cmds: YES alert: YES
Nov 24 21:01:37 localhost snort[7382]:         Check for Bounce Attacks: YES alert: YES
Nov 24 21:01:37 localhost snort[7382]:       FTP Client: default
Nov 24 21:01:37 localhost snort[7382]:         Identify open data channels: YES
Nov 24 21:01:37 localhost snort[7382]:         Check for Telnet Cmds: YES alert: YES
Nov 24 21:01:37 localhost snort[7382]:         Ports: 21
Nov 24 21:01:37 localhost snort[7382]:       FTP Server: default
Nov 24 21:01:37 localhost snort[7382]:     FTP CONFIG:
Nov 24 21:01:37 localhost snort[7382]:       Normalize: YES
Nov 24 21:01:37 localhost snort[7382]:       Are You There Threshold: 200
Nov 24 21:01:37 localhost snort[7382]:       Ports: 23
Nov 24 21:01:37 localhost snort[7382]:     TELNET CONFIG:
Nov 24 21:01:37 localhost snort[7382]:       Continue to check encrypted data: NO
Nov 24 21:01:37 localhost snort[7382]:       Check for Encrypted Traffic: YES alert: YES
Nov 24 21:01:37 localhost snort[7382]:       Inspection Type: stateful
Nov 24 21:01:37 localhost snort[7382]:     GLOBAL CONFIG
Nov 24 21:01:37 localhost snort[7382]: FTPTelnet Config:
Nov 24 21:01:37 localhost snort[7382]:   Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
Nov 24 21:01:37 localhost snort[7382]: done
Nov 24 21:01:37 localhost snort[7382]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Nov 24 21:01:37 localhost snort[7382]: done
Nov 24 21:01:37 localhost snort[7382]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so.
Nov 24 21:01:37 localhost snort[7382]: done
Nov 24 21:01:37 localhost snort[7382]:   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Nov 24 21:01:37 localhost snort[7382]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
Nov 24 21:01:37 localhost snort[7382]: done
Nov 24 21:01:37 localhost snort[7382]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
Nov 24 21:01:37 localhost snort[7382]: Log directory = /var/log/snort
Nov 24 21:01:37 localhost snort[7382]: Rule application order: ->activation->dynamic->pass->drop->sdrop->reject->alert->log
Nov 24 21:01:37 localhost snort[7382]: -------------------------------------------------------------------------------
Nov 24 21:01:37 localhost snort[7382]: | none
Nov 24 21:01:37 localhost snort[7382]: +-----------------------[suppression]------------------------------------------
Nov 24 21:01:37 localhost snort[7382]: | gen-id=1      sig-id=6385       type=Limit     tracking=src count=1   seconds=300
many more
Nov 24 21:01:37 localhost snort[7382]: | gen-id=1      sig-id=7532       type=Limit     tracking=src count=1   seconds=600
Nov 24 21:01:37 localhost snort[7382]: +-----------------------[thresholding-local]-----------------------------------
Nov 24 21:01:37 localhost snort[7382]: | none
Nov 24 21:01:37 localhost snort[7382]: +-----------------------[thresholding-global]----------------------------------
Nov 24 21:01:37 localhost snort[7382]: | memory-cap : 1048576 bytes
Nov 24 21:01:37 localhost snort[7382]: +-----------------------[thresholding-config]----------------------------------
Nov 24 21:01:37 localhost snort[7382]:
Nov 24 21:01:37 localhost snort[7382]: Tagged Packet Limit: 256
Nov 24 21:01:36 localhost snort[7382]:
Nov 24 21:01:36 localhost snort[7382]:     Number of Nodes:   3690
Nov 24 21:01:36 localhost snort[7382]:     Memcap (in bytes): 1000000
Nov 24 21:01:36 localhost snort[7382]:     Sensitivity Level: Low
Nov 24 21:01:36 localhost snort[7382]:     Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
Nov 24 21:01:36 localhost snort[7382]:     Detect Protocols:  TCP UDP ICMP IP
Nov 24 21:01:36 localhost snort[7382]: Portscan Detection Config:
Nov 24 21:01:36 localhost snort[7382]:     alert_multiple_requests: ACTIVE
Nov 24 21:01:36 localhost snort[7382]:     alert_incomplete: ACTIVE
Nov 24 21:01:36 localhost snort[7382]:     alert_large_fragments: ACTIVE
Nov 24 21:01:36 localhost snort[7382]:     alert_fragments: INACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Ports to decode RPC on: 111 32771
Nov 24 21:01:36 localhost snort[7382]: rpc_decode arguments:
Nov 24 21:01:36 localhost snort[7382]:       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Nov 24 21:01:36 localhost snort[7382]:       Non-RFC Compliant Characters: NONE
Nov 24 21:01:36 localhost snort[7382]:       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Nov 24 21:01:36 localhost snort[7382]:       IIS Delimiter: YES alert: NO
Nov 24 21:01:36 localhost snort[7382]:       Apache WhiteSpace: YES alert: NO
Nov 24 21:01:36 localhost snort[7382]:       Web Root Traversal: YES alert: YES
Nov 24 21:01:36 localhost snort[7382]:       Directory Traversal: YES alert: NO
Nov 24 21:01:36 localhost snort[7382]:       IIS Backslash: YES alert: NO
Nov 24 21:01:36 localhost snort[7382]:       Multiple Slash: YES alert: NO
Nov 24 21:01:36 localhost snort[7382]:       IIS Unicode: YES alert: YES
Nov 24 21:01:36 localhost snort[7382]:       UTF 8: OFF
Nov 24 21:01:36 localhost snort[7382]:       Base36: OFF
Nov 24 21:01:36 localhost snort[7382]:       Bare Byte: YES alert: YES
Nov 24 21:01:36 localhost snort[7382]:       %U Encoding: YES alert: YES
Nov 24 21:01:36 localhost snort[7382]:       Double Decoding: YES alert: YES
Nov 24 21:01:36 localhost snort[7382]:       Ascii: YES alert: NO
Nov 24 21:01:36 localhost snort[7382]:       Only inspect URI: NO
Nov 24 21:01:36 localhost snort[7382]:       Oversize Dir Length: 500
Nov 24 21:01:36 localhost snort[7382]:       Disable Alerting: NO
Nov 24 21:01:36 localhost snort[7382]:       Allow Proxy Usage: NO
Nov 24 21:01:36 localhost snort[7382]:       URI Discovery Strict Mode: NO
Nov 24 21:01:36 localhost snort[7382]:       Inspect Pipeline Requests: YES
Nov 24 21:01:36 localhost snort[7382]:       Max Chunk Length: 500000
Nov 24 21:01:36 localhost snort[7382]:       Flow Depth: 300
Nov 24 21:01:36 localhost snort[7382]:       Ports: 80 8080 8180
Nov 24 21:01:36 localhost snort[7382]:     DEFAULT SERVER CONFIG:
Nov 24 21:01:36 localhost snort[7382]:       IIS Unicode Map Codepage: 1252
Nov 24 21:01:36 localhost snort[7382]:       IIS Unicode Map Filename: /etc/snort/unicode.map
Nov 24 21:01:36 localhost snort[7382]:       Detect Proxy Usage:       NO
Nov 24 21:01:36 localhost snort[7382]:       Inspection Type:          STATELESS
Nov 24 21:01:36 localhost snort[7382]:       Max Pipeline Requests:    0
Nov 24 21:01:36 localhost snort[7382]:     GLOBAL CONFIG
Nov 24 21:01:36 localhost snort[7382]: HttpInspect Config:
Nov 24 21:01:36 localhost snort[7382]:     Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Nov 24 21:01:36 localhost snort[7382]:     Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Nov 24 21:01:36 localhost snort[7382]:     Flush behavior: Small (<255 bytes)
Nov 24 21:01:36 localhost snort[7382]:     Packet Sequence Overlap Limit: -1
Nov 24 21:01:36 localhost snort[7382]:     Reassembler Packet Preferance : Favor Old
Nov 24 21:01:36 localhost snort[7382]:     flush_data_diff_size: 500
Nov 24 21:01:36 localhost snort[7382]:     Flush stream on alert: INACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Zero out flushed packets: INACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Reassembler alerts: ACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Client reassembly: ACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Server reassembly: INACTIVE
Nov 24 21:01:36 localhost snort[7382]: Stream4_reassemble config:

Nov 24 21:01:36 localhost snort[7382]: WARNING /etc/snort/snort.conf(416) => flush_behavior set in config file, using old static flushpoints (0)
Nov 24 21:01:36 localhost snort[7382]:     Server Data Inspection Limit: -1
Nov 24 21:01:36 localhost snort[7382]:     Midstream Drop Alerts: INACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Enforce TCP State: INACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Suspend period: 30
Nov 24 21:01:36 localhost snort[7382]:     Suspend threshold: 200
Nov 24 21:01:36 localhost snort[7382]:     Self preservation period: 90
Nov 24 21:01:36 localhost snort[7382]:     Self preservation threshold: 50
Nov 24 21:01:36 localhost snort[7382]:     State Protection: 0
Nov 24 21:01:36 localhost snort[7382]:     Async Link: 0
Nov 24 21:01:36 localhost snort[7382]:     TTL Limit: 5
Nov 24 21:01:36 localhost snort[7382]:     MinTTL: 1
Nov 24 21:01:36 localhost snort[7382]:     Log Flushed Streams: INACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Scan alerts: ACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Evasion alerts: INACTIVE
Nov 24 21:01:36 localhost snort[7382]:     State alerts: INACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Session cleanup count: 5
Nov 24 21:01:36 localhost snort[7382]:     Session count max: 8192 sessions
Nov 24 21:01:36 localhost snort[7382]:     Session memory cap: 8388608 bytes
Nov 24 21:01:36 localhost snort[7382]:     Session timeout: 30 seconds
Nov 24 21:01:36 localhost snort[7382]:     Session statistics: INACTIVE
Nov 24 21:01:36 localhost snort[7382]:     Stateful inspection: ACTIVE
Nov 24 21:01:36 localhost snort[7382]: Stream4 config:
Nov 24 21:01:36 localhost snort[7382]:     Bound Addresses: 0.0.0.0/0.0.0.0
Nov 24 21:01:36 localhost snort[7382]:     Fragment Problems: 1
Nov 24 21:01:36 localhost snort[7382]:     Fragment ttl_limit: 5
Nov 24 21:01:36 localhost snort[7382]:     Fragment min_ttl:   1
Nov 24 21:01:36 localhost snort[7382]:     Fragment timeout: 60 seconds
Nov 24 21:01:36 localhost snort[7382]:     Target-based policy: FIRST
Nov 24 21:01:36 localhost snort[7382]: Frag3 engine config:
Nov 24 21:01:36 localhost snort[7382]:     Fragment memory cap: 4194304 bytes
Nov 24 21:01:36 localhost snort[7382]:     Max frags: 65536
Nov 24 21:01:36 localhost snort[7382]: Frag3 global config:
Nov 24 21:01:36 localhost snort[7382]: `----------------------------------------------
Nov 24 21:01:36 localhost snort[7382]: | Overhead Bytes:  16400(%0.16)
Nov 24 21:01:36 localhost snort[7382]: | Rows  :          4099
Nov 24 21:01:36 localhost snort[7382]: | Memcap:          10485760
Nov 24 21:01:36 localhost snort[7382]: | Hash Method:     2
Nov 24 21:01:36 localhost snort[7382]: | Stats Interval:  0
Nov 24 21:01:36 localhost snort[7382]: ,-----------[Flow Config]----------------------
Nov 24 21:01:36 localhost snort[7382]: , value = rules
Nov 24 21:01:36 localhost snort[7382]: Var 'RULE_PATH' defined, value len = 5 chars
Nov 24 21:01:36 localhost snort[7382]:    .0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Nov 24 21:01:36 localhost snort[7382]:    [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
Nov 24 21:01:36 localhost snort[7382]:
Nov 24 21:01:36 localhost snort[7382]: Var 'AIM_SERVERS' defined, value len = 185 chars
Nov 24 21:01:36 localhost snort[7382]: , value = 1521
many more definitions
Nov 24 21:01:36 localhost snort[7382]: Var 'DNS_SERVERS' defined, value len = 14 chars
Nov 24 21:01:36 localhost snort[7382]: , value = any
Nov 24 21:01:36 localhost snort[7382]: Var 'EXTERNAL_NET' defined, value len = 3 chars
Nov 24 21:01:36 localhost snort[7382]: Parsing Rules file /etc/snort/snort.conf
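The alert line quoted above is in Snort's fast-alert format, where the bracketed `[gid:sid:rev]` identifies the event and decoder events (snort_decoder) carry generator id 116. The following is an added example, not anything from this thread, that tallies alerts by gid:sid over a few constructed sample lines (documentation-range addresses as placeholders; the `1:2003` and `116:57` lines are made-up samples). It is a quick way to see which decoder checks are actually firing before going after the drop options.

```shell
#!/bin/sh
# Added example, not from the thread: tally Snort fast-alert lines by
# generator id and signature id.  Decoder events (snort_decoder) use GID 116,
# so listing "116:<sid> <count>" shows which decoder checks are firing.

# Read alert lines on stdin, print "gid:sid count" for every alert whose
# generator id equals $1 (default 116), sorted.
summarize_gid() {
    want="${1:-116}"
    awk -v want="$want" '
        # A fast alert looks like:
        #   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] message [**] {PROTO} src:port -> dst:port
        # Pick out the first [digits:digits:digits] group; "[**]" never matches it.
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            id = substr($0, RSTART + 1, RLENGTH - 2)      # e.g. "116:58:1"
            n = split(id, part, ":")
            if (n == 3 && part[1] == want) count[part[1] ":" part[2]]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample alerts in the format the original post shows.
# Addresses are documentation ranges (placeholders), not real hosts; the
# 1:2003 and 116:57 lines are made-up samples of a rule alert and a second
# decoder event.
SAMPLE_ALERTS='11/25-14:02:11.123456  [**] [116:58:1] (snort_decoder): Experimental Tcp Options found [**] {TCP} 203.0.113.7:44512 -> 192.0.2.10:80
11/25-14:07:09.223344  [**] [116:58:1] (snort_decoder): Experimental Tcp Options found [**] {TCP} 203.0.113.7:44513 -> 192.0.2.10:80
11/25-14:07:40.000001  [**] [1:2003:8] SAMPLE RULE MESSAGE [**] {TCP} 203.0.113.9:1025 -> 192.0.2.10:25
11/25-14:09:52.555555  [**] [116:57:1] (snort_decoder): Obsolete TCP options found [**] {TCP} 203.0.113.8:3000 -> 192.0.2.10:80'

# Run the summary over the constructed sample; pass a GID to override 116.
summarize_sample() {
    printf '%s\n' "$SAMPLE_ALERTS" | summarize_gid "${1:-116}"
}

# Stand-alone usage against a real log would be:  summarize_gid < /var/log/snort/alert
if [ "${1:-}" = "--demo" ]; then
    summarize_sample
fi
```

Run it with `--demo` to see the tally for the sample, or feed a real alert file on stdin to `summarize_gid`; a second argument such as `1` switches the tally to rule alerts.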
 
Old 11-27-2006, 04:44 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Since Snort with inline enabled depends on Iptables, it would be better for TS if you check and post output from lsmod and Iptables -nL showing it's got the ip_queue/QUEUE chain working. Next, restart Snort adding flags "Qv" to check and log if it's getting any packets, and please post your full snort.conf (not excerpts) and your regular commandline to start Snort. Next, check if your Snort rules are rewritten to use any of the drop/reject methods inline can use.
 
Old 11-27-2006, 07:18 AM   #3
Emmanuel_uk
Senior Member
 
Registered: Nov 2004
Distribution: Mandriva mostly, vector 5.1, tried many.Suse gone from HD because bad Novell/Zinblows agreement
Posts: 1,606

Original Poster
Thanks, I will look into that (away from PC) and post exactly the info you requested.
I can already say (I will try to prove it):
1) lsmod: ip_queue, I know it is loaded (because I have a script that checks it is)
2) iptables: iptables does use QUEUE, because I have a script that does
iptables-save, sed to replace any ACCEPT by QUEUE, then iptables-restore
based on the new script that uses QUEUE
3) Logging
Quote:
restart Snort adding flags "Qv" to check and log if it's getting any packets
This is done by default in /etc/init.d/snortd, so whenever I switch off the home computer (once a day),
I get the breakdown %TCP, P, no of packets etc. It does not say 0 packets.

In that respect I am pretty sure snort inline/QUEUE and iptables work
together. Actually the integration of iptables & snort via QUEUE
is such that when I started setting up all that, I could make
mistakes like not loading ip_queue or snort, and in both cases
the internet connection would not work indeed ("broken chain effect").
Also I tested snort by injecting pings on the LAN from the laptop
and setting up a snort rule which was alert on any icmp packet.

Quote:
Next check if your Snort rules is rewritten to use any of the drop/reject methods inline can use
I know they are not, because there is this utility (perl or bash) script somewhere
that I need to run, and I have not run it.
I thought that the enable_tcpopt_experimental_drops option
was kind of intrinsic to snort or one of its pre-processors.
Is this where I went wrong?
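Item 2 in the post above describes rewriting the ruleset so that ACCEPT becomes QUEUE, which is what hands packets to ip_queue and Snort inline. As an added example (not the poster's script), here is a shell function that applies that rewrite to an iptables-save dump but only on `-A` rule lines: a bare `s/ACCEPT/QUEUE/` would also rewrite the `:INPUT ACCEPT [0:0]` chain policy lines, and QUEUE is not a valid built-in chain policy, so iptables-restore would reject the result. The dump below is constructed, and the rewrite assumes `-j ACCEPT` ends the rule line, as iptables-save prints it.

```shell
#!/bin/sh
# Added example (not the poster's script): rewrite an iptables-save dump so
# that every ACCEPT *rule* becomes a QUEUE rule (hand the packet to ip_queue /
# Snort inline) while leaving the chain policy lines (":INPUT ACCEPT [0:0]")
# alone, because QUEUE is not a valid built-in chain policy and
# iptables-restore would refuse the dump.
#
# Real-world usage:  iptables-save | queue_rewrite | iptables-restore

# Read a dump on stdin; only lines starting with "-A " (appended rules) that
# end in "-j ACCEPT" are changed.  Assumption: iptables-save puts the target
# last on the line, which it does for plain ACCEPT rules.
queue_rewrite() {
    sed -e '/^-A /s/-j ACCEPT$/-j QUEUE/'
}

# Count how many rules in a dump would now be handed to the queue
# (grep exits 1 when the count is 0, so keep the pipeline's status clean).
count_queue_rules() {
    grep -c -- '-j QUEUE$' || true
}

# Constructed sample dump; not real output from the poster's box.
SAMPLE_DUMP='# Generated by iptables-save v1.3.5 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'

# Apply the rewrite to the constructed sample and print the result.
queue_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | queue_rewrite
}

if [ "${1:-}" = "--demo" ]; then
    queue_sample
    printf 'rules now queued: %s\n' "$(queue_sample | count_queue_rules)"
fi
```

On the sample, the four ACCEPT rules become QUEUE rules, the DROP rule is untouched, and the three policy lines keep ACCEPT, so the dump still loads. Checking `iptables -nL` afterwards, as suggested earlier in the thread, confirms the QUEUE targets are in place.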
 
Old 11-29-2006, 01:55 PM   #4
Emmanuel_uk
Senior Member
 
Registered: Nov 2004
Distribution: Mandriva mostly, vector 5.1, tried many.Suse gone from HD because bad Novell/Zinblows agreement
Posts: 1,606

Original Poster
lsmod and full snort.conf
Code:
  lsmod | grep ip
ip_queue               12768  1
ipt_IFWLOG              5764  2
ipt_psd                46024  1
ip_set_iptree           9800  2
iptable_raw             3968  0
xt_multiport            5312  4
ipt_ULOG                9924  0
ipt_TTL                 4224  0
ipt_ttl                 3840  0
ipt_TOS                 4160  0
ipt_tos                 3520  0
ipt_TCPMSS              6144  0
ipt_set                 4544  2
ipt_SAME                4288  0
ipt_REJECT              7360  4
ipt_REDIRECT            3904  0
ipt_recent             12876  0
ipt_owner               3904  0
ipt_NETMAP              3904  0
ipt_MASQUERADE          5568  0
ipt_LOG                 9024  13
ipt_iprange             3776  0
ipt_hashlimit          11336  0
ipt_ECN                 5056  0
ipt_ecn                 4160  0
ipt_DSCP                4160  0
ipt_dscp                3584  0
ipt_CLUSTERIP          10820  0
ipt_ah                  3840  0
ipt_addrtype            3776  0
ip_set_portmap          6720  0
ip_set_macipmap         6724  0
ip_set_ipmap            6656  0
ip_set_iphash           9860  0
ip_set                 22556  11 ip_set_iptree,ipt_set,ip_set_portmap,ip_set_macipmap,ip_set_ipmap,ip_set_iphash
ip_nat_irc              4608  0
ip_nat_tftp             3712  0
ip_nat_ftp              5312  0
ip_conntrack_irc        8624  1 ip_nat_irc
ip_conntrack_tftp       6200  1 ip_nat_tftp
ip_conntrack_ftp        9968  1 ip_nat_ftp
iptable_nat             9540  0
ip_nat                 20268  8 ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat
ip_conntrack           56992  13 xt_state,xt_CONNMARK,xt_connmark,xt_conntrack,ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,ip_conntrack_irc,ip_conntrack_tftp,ip_conntrack_ftp,iptable_nat,ip_nat
nfnetlink               8920  2 ip_nat,ip_conntrack
iptable_mangle          4800  1
iptable_filter          4992  1
ip_tables              16324  4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
x_tables               16644  39 ipt_IFWLOG,ipt_psd,xt_tcpudp,xt_state,xt_pkttype,xt_CLASSIFY,xt_CONNMARK,xt_MARK,xt_length,xt_connmark,xt_policy,xt_multiport,xt_conntrack,ipt_ULOG,ipt_TTL,ipt_ttl,ipt_TOS,ipt_tos,ipt_TCPMSS,ipt_set,ipt_SAME,ipt_REJECT,ipt_REDIRECT,ipt_recent,ipt_owner,ipt_NETMAP,ipt_MASQUERADE,ipt_LOG,ipt_iprange,ipt_hashlimit,ipt_ECN,ipt_ecn,ipt_DSCP,ipt_dscp,ipt_CLUSTERIP,ipt_ah,ipt_addrtype,iptable_nat,ip_tables
Code:
 
#--------------------------------------------------
#   http://www.snort.org     Snort 2.6.0 config file
# $Id: snort.conf,v 1.160.2.9 2006/06/09 15:12:57 mwatchinski Exp $
#
###################################################
# Step #1: Set the network variables:
var HOME_NET 192.168.1.0/24

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any

# Configure your server lists.  This allows snort to only look for attacks to
# systems that have a service up.  Why look for HTTP attacks if you are not
# running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.  

# List of DNS servers on your network 
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET

# Configure your service ports.  This allows snort to look for attacks destined
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521

# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative path)
var RULE_PATH rules

# Configure the snort decoder
# ============================
# Stop generic decode events:
# config disable_decode_alerts
# Stop Alerts on experimental TCP options
# config disable_tcpopt_experimental_alerts
# Stop Alerts on obsolete TCP options
# config disable_tcpopt_obsolete_alerts
#
# config disable_tcpopt_ttcp_alerts
# config disable_tcpopt_alerts
# config disable_ipopt_alerts

# Configure the detection engine
# ===============================
#
# config detection: search-method lowmem

# Configure Inline Resets
# ========================
# If running an iptables firewall with snort in InlineMode() we can now
# perform resets via a physical device. We grab the indev from iptables
# and use this for the interface on which to send resets. This config
# option takes an argument for the src mac address you want to use in the
# reset packet.  This way the bridge can remain stealthy. If the src mac
# option is not set we use the mac address of the indev device. If we
# don't set this option we will default to sending resets via raw socket,
# which needs an ipaddress to be assigned to the int.
#
# config layer2resets: 00:06:76:DD:5F:E3
config enable_decode_drops
config enable_tcpopt_experimental_drops
config enable_tcpopt_obsolete_drops
config enable_tcpopt_drops
config enable_ipopt_drops


###################################################
# Step #2: Configure dynamic loaded libraries
#
# (same as command line option --dynamic-preprocessor-lib-dir)
#
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
#
#
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#
# Load all dynamic rules libraries from the install path
# (same as command line option --dynamic-detection-lib-dir)
#
# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
#
# Load a specific dynamic rule library from the install path
# (same as command line option --dynamic-detection-lib)
#
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
#

###################################################
# Step #3: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# Configure Flow tracking module
#
preprocessor flow: stats_interval 0 hash 2

# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation.  This plugin will also detect


#preprocessor frag2

# frag3: Target-based IP defragmentation 
# --------------------------------------
#
# Frag3 is a brand new IP defragmentation preprocessor that is capable of
# performing "target-based" processing of IP fragments.  Check out the

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies


# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules.  Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc.  Can statefully detect various portscan
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

preprocessor stream4: disable_evasion_alerts, detect_scans

# tcp stream reassembly directive
# no arguments loads the default configuration 
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),  
#   Give alerts for "bad" streams
#
preprocessor stream4_reassemble

# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual.  You should read it.
# It is included in the release distribution as doc/snort_manual.pdf
# 
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

#
#  Example unique server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
#    ports { 80 3128 8080 } \
#    flow_depth 0 \
#    ascii no \
#    double_decode yes \
#    non_rfc_char { 0x00 } \
#    chunk_length 500000 \
#    non_strict \
#    oversize_dir_length 300 \
#    no_alerts


# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.
#
# arguments:  
#   syntax:
#     preprocessor bo: noalert { client | server | general | snort_attack } \
#                      drop    { client | server | general | snort_attack }
#   example:
#     preprocessor bo: noalert { general server } drop { snort_attack }

# 
# The Back Orifice detector uses Generator ID 105 and uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected
#   2       Back Orifice Client Traffic Detected
#   3       Back Orifice Server Traffic Detected
#   4       Back Orifice Snort Buffer Attack

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic.  It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
#
# DEPRECATED in favor of ftp_telnet dynamic preprocessor
#preprocessor telnet_decode
#
# ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes telnet negotiation strings from telnet and
# ftp traffic.  It looks for traffic that breaks the normal data stream
# of the protocol, replacing it with a normalized representation of that
# traffic so that the "content" pattern matching keyword can work without
# requiring modifications.
#
# It also performs protocol correctness checks for the FTP command channel,
# and identifies open FTP data transfers.
#
# FTPTelnet has numerous options available, please read
# README.ftptelnet for help configuring the options for the global
# telnet, ftp server, and ftp client sections for the protocol.

#####
# Per Step #2, set the following to load the ftptelnet preprocessor
# dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>

preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

# This is consistent with the FTP rules as of 18 Sept 2004.
# CWD can have param length of 200
# MODE has an additional mode of Z (compressed)
# Check for string formats in USER & PASS commands
# Check nDTM commands that set modification time on the file.
preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes

# smtp: SMTP normalizer, protocol enforcement and buffer overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes SMTP commands by removing extraneous spaces.
# It looks for overly long command lines, response lines, and data header lines.
# It can alert on invalid commands, or specific valid commands.  It can optionally
# ignore mail data, and can ignore TLS encrypted data.
#
# It also performs protocol correctness checks for the FTP command channel,
# and identifies open FTP data transfers.
#
# SMTP has numerous options available, please read README.smtp for help
# configuring options.

#####
# Per Step #2, set the following to load the smtp preprocessor
# dynamicpreprocessor <full path to libsf_smtp_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>

preprocessor smtp: \
  ports { 25 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

# sfPortscan
# ----------
# Portscan detection module.  Detects various types of portscans and
# portsweeps.  For more information on detection philosophy, alert types,
# and detailed portscan information, please refer to the README.sfportscan.
#
# -configuration options-
#     proto { tcp udp icmp ip all }
#       The arguments to the proto option are the types of protocol scans that
#       the user wants to detect.  Arguments should be separated by spaces and
#       not commas.
#     scan_type { portscan portsweep decoy_portscan distributed_portscan all }
#       The arguments to the scan_type option are the scan types that the
#       user wants to detect.  Arguments should be separated by spaces and not
#       commas.
#     sense_level { low|medium|high }
#       There is only one argument to this option and it is the level of
#       sensitivity in which to detect portscans.  The 'low' sensitivity
#       detects scans by the common method of looking for response errors, such
#       as TCP RSTs or ICMP unreachables.  This level requires the least
#       tuning.  The 'medium' sensitivity level detects portscans and 
#       filtered portscans (portscans that receive no response).  This
#       sensitivity level usually requires tuning out scan events from NATed
#       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
#       lower thresholds for portscan detection and a longer time window than
#       the 'medium' sensitivity level.  Requires more tuning and may be noisy
#       on very active networks.  However, this sensitivity levels catches the
#       most scans.
#     memcap { positive integer }
#       The maximum number of bytes to allocate for portscan detection.  The
#       higher this number the more nodes that can be tracked.
#     logfile { filename }
#       This option specifies the file to log portscan and detailed portscan
#       values to.  If there is not a leading /, then snort logs to the
#       configured log directory.  Refer to README.sfportscan for details on
#       the logged values in the logfile.
#     watch_ip { Snort IP List }
#     ignore_scanners { Snort IP List }
#     ignore_scanned { Snort IP List }
#       These options take a snort IP list as the argument.  The 'watch_ip'
#       option specifies the IP(s) to watch for portscan.  The 
#       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
#       Note that these hosts are still watched as scanned hosts.  The
#       'ignore_scanners' option is used to tune alerts from very active
#       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option 
#       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
#       are still watched as scanner hosts.  The 'ignore_scanned' option is
#       used to tune alerts from very active hosts such as syslog servers, etc.
#     detect_ack_scans
#       This option will include sessions picked up in midstream by the stream
#       module, which is necessary to detect ACK scans.  However, this can lead to
#       false alerts, especially under heavy load with dropped packets; which is why
#       the option is off by default.
#
preprocessor sfportscan: proto  { all } \
                         memcap { 1000000 } \
                         sense_level { low }

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring.  To make use of
# this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection. 
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:

#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

####################################################################
# Step #4: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.  General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also optionally
# specify a particular hostname/port.  Under Win32, the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and generating
# alerts from Snort, the "unified" format.  The unified format is a straight
# binary format for logging data out of Snort that is designed to be fast and
# efficient.  Used with barnyard (the new alert/log processor), most of the
# overhead for logging and alerting to various slow storage mechanisms such as
# databases or the network can now be avoided.  
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128


# prelude: log to the Prelude Hybrid IDS system
# ---------------------------------------------
#
# profile = Name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# output alert_prelude
# output alert_prelude: profile=snort-profile-name


# You can optionally define new rule types and associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog and a mysql
# database:
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)

#
# Include classification & priority settings
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\classification.config
#

include classification.config

#
# Include reference systems
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\reference.config
#

include reference.config

####################################################################
# Step #5: Configure snort with config statements
#
# See the snort manual for a full set of configuration references
#
# config flowbits_size: 64
#
# New global ignore_ports config option from Andy Mullican
#
# config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53


####################################################################
# Step #6: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own custom snort
# rules.

#=========================================
# Include all relevant rulesets here 
# 
# The following rulesets are disabled by default:
#
#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
#   chat, multimedia, and p2p
#            
# These rules are either site policy specific or require tuning in order to not
# generate false positive alerts in most environments.
# 
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================

#include $RULE_PATH/mytest.rules
# most rules removed because they are memory hungry
include $RULE_PATH/spyware-put.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/bleeding-malware.rules


# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them. 
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.

Last edited by Emmanuel_uk; 11-29-2006 at 02:07 PM.
 
Old 11-29-2006, 02:05 PM   #5
Emmanuel_uk
iptables-save content

Here is iptables-save
It comes from shorewall, then iptables-save then replace accept by QUEUE then restore
the new iptables rules that now contains QUEUE.
This was designed under mdv2005, now running mdv 2007.
One main difference is this Ifw (interactive firewall) thingy.
I do not know how it works in details
PS: the tcpopt_experimental_drops did not exist I think in the
previous version of snort I was using in mdv 2005.

Code:
# iptables-save
# Generated by iptables-save v1.3.5 on Wed Nov 29 20:17:16 2006
*raw
:PREROUTING ACCEPT [3954:3955250]
:OUTPUT ACCEPT [3744:520932]
COMMIT
# Completed on Wed Nov 29 20:17:16 2006
# Generated by iptables-save v1.3.5 on Wed Nov 29 20:17:16 2006
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [205:12353]
:OUTPUT ACCEPT [205:12353]
COMMIT
# Completed on Wed Nov 29 20:17:16 2006
# Generated by iptables-save v1.3.5 on Wed Nov 29 20:17:16 2006
*mangle
:PREROUTING ACCEPT [3954:3955250]
:INPUT ACCEPT [3954:3955250]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3761:522021]
:POSTROUTING ACCEPT [3744:520932]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Wed Nov 29 20:17:16 2006
# Generated by iptables-save v1.3.5 on Wed Nov 29 20:17:16 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Ifw - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j Ifw
-A INPUT -i eth0 -j eth0_in
-A INPUT -j Drop
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:DROP:" --log-level 6
-A INPUT -j DROP
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Drop
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:DROP:" --log-level 6
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 67:68 -j ACCEPT
-A OUTPUT -o eth0 -m policy --dir out --pol none -j fw2net
-A OUTPUT -j Drop
-A OUTPUT -j LOG --log-prefix "Shorewall:OUTPUT:DROP:" --log-level 6
-A OUTPUT -j DROP
-A Drop -p tcp -m tcp --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -j QUEUE
-A Drop -p icmp -m icmp --icmp-type 11 -j QUEUE
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -j DROP
-A Drop -p udp -m udp --dport 137:139 -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A Drop -p udp -m udp --dport 1900 -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -j DROP
-A Ifw -m set --set ifw_wl src -j RETURN
-A Ifw -m set --set ifw_bl src -j DROP
-A Ifw -m state --state INVALID,NEW -m psd --psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1 -j IFWLOG --log-prefix "SCAN"
-A Reject -p tcp -m tcp --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -j QUEUE
-A Reject -p icmp -m icmp --icmp-type 11 -j QUEUE
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -j reject
-A Reject -p udp -m udp --dport 137:139 -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -j reject
-A Reject -p udp -m udp --dport 1900 -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -j DROP
-A all2all -m state --state RELATED,ESTABLISHED -j QUEUE
-A all2all -j Drop
-A all2all -j LOG --log-prefix "Shorewall:all2all:DROP:" --log-level 6
-A all2all -j DROP
-A dropBcast -m pkttype --pkt-type broadcast -j DROP
-A dropBcast -m pkttype --pkt-type multicast -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -m state --state INVALID,NEW -m policy --dir in --pol none -j blacklst
-A eth0_fwd -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_fwd -o eth2 -m policy --dir out --pol none -j net2loc
-A eth0_fwd -o eth1 -m policy --dir out --pol none -j net2loc
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -m state --state INVALID,NEW -m policy --dir in --pol none -j blacklst
-A eth0_in -p udp -m udp --dport 67:68 -j QUEUE
-A eth0_in -p tcp -m policy --dir in --pol none -j tcpflags
-A eth0_in -m policy --dir in --pol none -j net2fw
-A fw2loc -m state --state RELATED,ESTABLISHED -j QUEUE
-A fw2loc -j QUEUE
-A fw2loc -j all2all
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p icmp -j ACCEPT
-A fw2net -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j QUEUE
-A loc2fw -j QUEUE
-A loc2fw -j all2all
-A logdrop -j LOG --log-prefix "Shorewall:logdrop:DROP:" --log-level 6
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j LOG --log-prefix "Shorewall:logreject:REJECT:" --log-level 6
-A logreject -j reject
-A net2all -m state --state RELATED,ESTABLISHED -j QUEUE
-A net2all -j Drop
-A net2all -j LOG --log-prefix "Shorewall:net2all:DROP:" --log-level 6
-A net2all -j DROP
-A net2fw -m state --state RELATED,ESTABLISHED -j QUEUE
-A net2fw -p icmp -j DROP
-A net2fw -p tcp -m tcp --dport 111 -j DROP
-A net2fw -p tcp -m tcp --dport 631 -j DROP
-A net2fw -p tcp -m tcp --dport 873 -j DROP
-A net2fw -p tcp -m tcp --dport 1000 -j DROP
-A net2fw -p tcp -m tcp --dport 32768 -j DROP
-A net2fw -p tcp -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
-A net2fw -p tcp -j DROP
-A net2fw -j net2all
-A net2loc -m state --state RELATED,ESTABLISHED -j QUEUE
-A net2loc -p icmp -j DROP
-A net2loc -p tcp -m tcp --dport 111 -j DROP
-A net2loc -p tcp -m tcp --dport 631 -j DROP
-A net2loc -p tcp -m tcp --dport 873 -j DROP
-A net2loc -p tcp -m tcp --dport 1000 -j DROP
-A net2loc -p tcp -m tcp --dport 32768 -j DROP
-A net2loc -p tcp -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -p tcp -j DROP
-A net2loc -j net2all
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.xxxxx -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.xxxxx -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
COMMIT
# Completed on Wed Nov 29 20:17:16 2006

Last edited by Emmanuel_uk; 11-29-2006 at 02:16 PM.
 
Old 12-01-2006, 05:58 AM   #6
unSpawn
I only posted my comments because I saw info missing and you don't allow email. Since nobody replies I'll have a go at TSing this. I don't use inline so MMMV(VM) :-] Wherever I mention Snort I mean version 2.6.1.1 as that's the latest source.


about:Snort.conf
One comment in general. It seems you're running Snort with everything enabled including telnet, IM and IIS checks and such. Tuning your Snort configuration and ruleset to match services you provide should give you better performance (less filters for Snort to compare packets with).

# config layer2resets: 00:06:76D:5F:E3
# I never entered the mac of eth0 above. I cannot understand if it is required

If I read the manual right this has to do with the bridge remaining invisible. If Snort detects it is not using Libpcap but Libipq it *should* get the MAC address from Ipq or else revert to using raw sockets. For the latter you need to supply an IP address.

config enable_decode_drops
config enable_tcpopt_experimental_drops
config enable_tcpopt_obsolete_drops
config enable_tcpopt_drops

As far as I read the Snort source the only thing enable_tcpopt_experimental_drops relies on to be activated is enable_decode_drops, so this seems OK. Looking towards the preprocessors you don't seem to have some inline args enabled in stream4 like "inline_state", I think it should be.


about:log (tac).
Can't see no errors here.

I thought that enable_tcpopt_experimental_drops option was kind of intrinsic to snort or one of its pre-processors. Is this where I went wrong?
I haven't read Snort source far enough to see if it's part of say stream preproc so I guess you're right about that.


about:iptables-save
If I understand using inline mode correctly, packets to a certain route, destination and in both directions need to be read by Snort to understand the "conversation" and to return the "verdict" to ipq, so how these QUEUE target rules were set up to match that I can't see.

I suggest you test the setup by temporarily replacing the ruleset for one route (say DMZ). Remove all rules and allow everything to pass in both directions. Do not use any state or protocol filtering, except one source/destination rule for your remote test box so the DMZ ain't FFA. Both directions should only have one LOG and one QUEUE target. System logging must show packets going to and coming from the destination through the LOG rules (diagnosis and accounting). The QUEUE shoves everything in the direction of Snort unfiltered. Snort logging must show it receives the packets. Then use a remote box to generate traffic. In this situation it would be easier to test iptables rule flow and Snort preprocessor switches, just my idea.
 
Old 12-01-2006, 06:22 AM   #7
Emmanuel_uk
Thanks a lot for the comments, really appreciated. I am digesting.
Would enabling email help?
Quote:
If I understand using inline mode correctly, packets to a certain route,
destination and in both directions need to be read by Snort to understand
the "conversation" and to return the "verdict" to ipq,
so how these QUEUE target rules were set up to match that I can't see.
Hum, so as I replaced ACCEPT by QUEUE, what I understand now (MMMV)
is that once in QUEUE packets go to snort,
they either get dropped or accepted, then go to the application/software receiving the packet.
So when you speak of verdict, this is what is new to me,
a dropped packet is left with nowhere at all to go for "sentencing"/verdict,
not even back to ipq (I am not sure what you mean by ipq,
somewhere in the IP stack, iptables chains / whatever)
so I get no verdict in syslog, not in the sense of a drop taking place

I had one packet tcp opt bad length alarm.
When I shutdown PC, I had the normal snort summary
1 alert
1 logged
0 passed

I suppose this is where the "0 passed" is critical as
an information. The packet must have been dropped.

It is a desktop, no DMZ and the like.
You are right, I am using too many options in snort
I will see how I can implement your idea of test.
Is there a way/tool to generate test packets with wrong tcp options?
I would then run service snortd stats
w/w option enable_tcpopt_experimental_drops and see if it differs
 
Old 12-01-2006, 08:04 AM   #8
unSpawn
Quote:
Hum, so as I replaced ACCEPT by QUEUE, what I understand now (MMMV) is that once in QUEUE packets go to snort, they either get dropped or accepted, then go to the application/software receiving the packet.
If I understand it all correctly the route is: ip_queue -> Snort -> ip_queue. Ip_queue kind of "holds" the packet and sends it to Snort. Snort filters and sends the verdict directly back to ip_queue, telling it to send the packet on or drop it.


Quote:
I get no verdict in syslog, not in the sense of a drop taking place
Hmm. Haven't read Ipq source. I could take a look.


Quote:
I had one packet tcp opt bad length alarm.
When I shutdown PC, I had the normal snort summary
1 alert
1 logged
0 passed
I suppose this is where the "0 passed" is critical as
an information. The packet must have been dropped.

Maybe focus on getting the general mechanism working first, for instance by trying to drop "easier" traffic like a HTTP rule?


Quote:
It is a desktop, no DMZ and the like.
Oh, I thought you were running IPCOP or something.


Quote:
Is there a way/tool to generate test packets with wrong tcp options?
Search Freshmeat, Sourceforge or Packetstorm for "packet generator" and you'll find lots of tools.


( Would enabling email help?
I sometimes email people to ask them to provide more info and an in-thread reply takes that thread off the zero reply list and out of LQ's auto-bump system. So, yes, it helps you receive messages that can be considered OT and if you receive lotsa crap then you can disable it again. )
 
Old 04-06-2007, 05:53 AM   #9
Emmanuel_uk
verdict now available in syslog for enable_tcpopt_experimental_drops

My question was about getting snort to feedback when it dropped packets
following the intrinsic options like

config enable_decode_drops, config enable_tcpopt_experimental_drops
config enable_tcpopt_obsolete_drops, config enable_tcpopt_drops, config enable_ipopt_drops

Well this is now a feature since 2.6.1.x (at the time I asked 2.6.0 was out)
to add the keyword drop in the log. Youppeee. (but this breaks snortsnarf, I posted a workaround on snort.org)

Log example

03/12-19:00:31.18 [Drop] [**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths \
[**] {TCP} xx.xx.xx.x:yyyyy -> 192.xxx.x.xxx:yyyyy
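As an added example (not code from the thread, from Snort or from snortsnarf), a small Python parser for the alert format shown in this thread, including the [Drop] tag that 2.6.1.x inline adds and the backslash line wrap seen in the log above; it counts, per GID:SID, how often a decoder event alerted versus actually dropped, which is the check this thread needed. The sample lines, addresses, ports and the 1:1000001 rule are constructed, and SID 116:57 is assumed to be the obsolete-TCP-option decoder event.

```python
import re

# Alert line format seen in this thread (Snort 2.6 "fast"-style output).  The
# optional "[Drop]" tag is what Snort 2.6.1.x inline writes when a decoder drop
# option (enable_decode_drops, enable_tcpopt_experimental_drops, ...) really
# dropped the packet; older tools that do not expect it choke on these lines.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d(?:\.\d+)?)\s+"
    r"(?:\[(?P<action>Drop)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)

# Constructed sample log: addresses, ports, timestamps and the 1:1000001 rule
# are made up; SID 116:57 is assumed to be the obsolete-TCP-option decoder event.
# The third record is wrapped with a trailing backslash, as in the log pasted above.
SAMPLE_LOG_LINES = [
    "11/25-14:03:21.117 [**] [116:58:1] (snort_decoder): Experimental Tcp Options found [**] {TCP} 203.0.113.7:4455 -> 192.168.1.10:80",
    "11/25-14:08:02.502 [**] [116:58:1] (snort_decoder): Experimental Tcp Options found [**] {TCP} 203.0.113.7:4456 -> 192.168.1.10:80",
    "03/12-19:00:31.18 [Drop] [**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths \\",
    "[**] {TCP} 203.0.113.9:51234 -> 192.168.1.10:443",
    "03/12-19:02:10.77 [Drop] [**] [116:58:1] (snort_decoder): Experimental Tcp Options found [**] {TCP} 203.0.113.9:51240 -> 192.168.1.10:443",
    "03/12-19:03:45.30 [**] [116:57:1] (snort_decoder): Obsolete TCP options found [**] {TCP} 203.0.113.9:51241 -> 192.168.1.10:443",
    "03/12-19:05:00.01 [**] [1:1000001:1] Constructed test rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.9:5353 -> 192.168.1.10:53",
]


def unwrap(lines):
    """Join lines that were wrapped with a trailing backslash back into one record."""
    records, pending = [], ""
    for raw in lines:
        line = raw.rstrip("\n").rstrip()
        if line.endswith("\\"):
            pending += line[:-1]          # keep the text, drop the continuation mark
            continue
        records.append((pending + line).strip())
        pending = ""
    if pending:                           # dangling continuation at end of input
        records.append(pending.strip())
    return records


def parse_alert(line):
    """Return the fields of one alert line, or None if it is not an alert line."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    alert["gid"], alert["sid"], alert["rev"] = (int(alert[k]) for k in ("gid", "sid", "rev"))
    alert["dropped"] = alert["action"] == "Drop"   # True only when inline really dropped it
    return alert


def summarize(lines):
    """Count alerts and drops overall and per generator:signature."""
    summary = {"alerts": 0, "dropped": 0, "unparsed": 0, "by_signature": {}}
    for record in unwrap(lines):
        if not record:
            continue
        alert = parse_alert(record)
        if alert is None:
            summary["unparsed"] += 1
            continue
        summary["alerts"] += 1
        key = f"{alert['gid']}:{alert['sid']}"
        entry = summary["by_signature"].setdefault(
            key, {"msg": alert["msg"], "alerted": 0, "dropped": 0})
        entry["alerted"] += 1
        if alert["dropped"]:
            summary["dropped"] += 1
            entry["dropped"] += 1
    return summary


def never_dropped(summary, gid=116):
    """Signatures of one generator (default: the decoder, GID 116) that alerted but
    never carried [Drop].  In inline mode with the matching *_drops option enabled
    that is the symptom this thread started with: the event fires, nothing is dropped."""
    return sorted(key for key, entry in summary["by_signature"].items()
                  if key.startswith(f"{gid}:") and entry["dropped"] == 0)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG_LINES)
    print(f"{result['alerts']} alerts, {result['dropped']} dropped, "
          f"{result['unparsed']} unparsed")
    for key, entry in sorted(result["by_signature"].items()):
        print(f"  {key:>10}  alerted={entry['alerted']}  dropped={entry['dropped']}  {entry['msg']}")
    print("decoder events alerting but never dropped:", never_dropped(result))
```

Run it over a real alert file with `summarize(open("alert").readlines())`; any GID 116 signature listed by `never_dropped` is a decoder event whose drop option is not taking effect.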
 
  

