[Snortsam-discussion] Extending block for host issue
Mark Clift
mark.clift at usitek.com
Thu May 8 08:32:32 EDT 2008
Do the iptables rules created by Snortsam look correct? Can you manually
create an ICMP rule that works as expected? How do the two rules differ?
Best Regards,
Mark
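One way to act on the first two questions above, as an added example that is not part of this thread or of Snortsam itself (the addresses and the rule listings are constructed): a POSIX shell function that takes one chain's listing in `iptables -S` format and reports whether a DROP/REJECT rule for the host is present at all, and whether an earlier ACCEPT rule in the same chain could already match the ping before the block is ever reached.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: check whether a
# per-host block in an iptables chain is present and actually reachable.
# iptables walks a chain top to bottom and the first matching terminating
# rule wins, so a block that was appended after a broad ACCEPT never sees
# the packet even though `iptables -S` shows it.

# Constructed listing of an INPUT chain in `iptables -S INPUT` format.
# The block for 192.0.2.10 (documentation address) was appended, so it
# sits behind a stateful ACCEPT and behind an ACCEPT for all ICMP.
SAMPLE_SHADOWED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP'

# Same chain with the block inserted at the top (iptables -I INPUT 1 ...).
SAMPLE_FIXED='-P INPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT'

# check_block LISTING HOST
# Prints one of:
#   missing      no DROP/REJECT rule with "-s HOST" in the chain
#   shadowed:N   the block exists but rule N (1-based, -A lines only)
#                is an ACCEPT that can match ICMP from HOST first
#   blocked      the block precedes every ACCEPT that could match
check_block() {
    printf '%s\n' "$1" | awk -v host="$2" '
        /^-A / {
            n++
            accept = ($0 ~ /-j ACCEPT/)
            drop   = ($0 ~ /-j (DROP|REJECT)/)
            has_src = 0; src_match = 0
            has_proto = 0; icmp = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") {
                    has_src = 1
                    if ($(i+1) == host || $(i+1) == (host "/32")) src_match = 1
                }
                if ($i == "-p") {
                    has_proto = 1
                    if ($(i+1) == "icmp") icmp = 1
                }
            }
            # An ACCEPT with no source restriction (or one naming this host)
            # and no protocol restriction (or -p icmp) can swallow the ping.
            # A --state RELATED,ESTABLISHED ACCEPT is counted too: with
            # conntrack, a continuing ping keeps the same ICMP id, so the
            # requests after the first reply are ESTABLISHED.
            if (!found && !shadow && accept &&
                (!has_src || src_match) && (!has_proto || icmp))
                shadow = n
            if (!found && drop && src_match)
                found = n
        }
        END {
            if (!found)                       print "missing"
            else if (shadow && shadow < found) print "shadowed:" shadow
            else                              print "blocked"
        }'
}

# Stand-alone demonstration on the constructed listings.
# On a live firewall (as root): check_block "$(iptables -S INPUT)" 192.0.2.10
printf 'shadowed listing : %s\n' "$(check_block "$SAMPLE_SHADOWED" 192.0.2.10)"
printf 'fixed listing    : %s\n' "$(check_block "$SAMPLE_FIXED" 192.0.2.10)"
printf 'unknown host     : %s\n' "$(check_block "$SAMPLE_FIXED" 198.51.100.7)"
```

Two further checks belong next to this one. A ping aimed at a client behind the firewall traverses the FORWARD chain, not INPUT, so feed the function the chain the traffic really passes through (`iptables -S FORWARD`). And `iptables -L INPUT -v -n --line-numbers` shows per-rule packet counters: a DROP rule whose counter stays at zero while the ping keeps answering is being matched by something earlier, which is exactly the case the function labels `shadowed`.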
-----Original Message-----
From: snortsam-discussion-bounces at snortsam.net
[mailto:snortsam-discussion-bounces at snortsam.net] On Behalf Of Rachmat
Hidayat Al-Anshar
Sent: Thursday, May 08, 2008 6:46 AM
To: snortsam-discussion at snortsam.net
Subject: Re: [Snortsam-discussion] Extending block for host issue
I have checked whether the iptables rule
exists after snortsam reports the block. As a result
I find that those rules do exist.
So, why does the ping traffic still continue if iptables
really makes a rule to block the source IP address?
What should I do?
I didn't find this kind of problem when I was using the
pre-patched snort (named snort-snortsam-2.7.0).
But every time I try to patch the snort source
distribution file with the snortsam patch file manually,
this kind of problem always occurs.
Is there another pre-patched snort for the latest stable
version of snort (snort 2.8.0 or 2.8.1)???
During the time working on the implementation of IDS and
active response with snort and snortsam, I've found so
many pieces of information that I'd missed. This kind
of information wasn't clearly described in the README
or any other official manual. As an example, there are
some warning or error messages that I have
never found when applying the same process in a
Linux environment.
Regarding this, is there anyone who has ever
successfully applied snortsam in an OpenBSD 4.2
environment? Please share your experience with me,
or any kind of clear references (presented
as a how-to tutorial or some kind of a log created
when you applied this process) on OpenBSD 4.2?!
It would be great if it could really save me time.
So, I really do need your help.
Thanks in advance.
Regards
Matt
--- Rachmat Hidayat Al-Anshar
<rachmat_hidayat_02 at yahoo.com> wrote:
> Hi Mark :)
> Thanks for replying.
>
> > Is the iptables rule being created?
> Yes, absolutely. I always "tail" snortsam.log to
> know what snortsam is really doing. In snortsam.conf,
> it is clearly printed that iptables successfully inserted
> new rules into the forward and input chains. I have
> no idea, but it seems it didn't work at all.
>
> > Have you checked to see if the rule exists after
> > snortsam reports the block?
> I am not quite sure.. I'll check it soon.
>
> > Have you tried using any other distribution?
> Before using TSL, I was using OpenBSD. Now I got
> frustrated because no one can help. Now I'm back
> to using OpenBSD.
>
> Thanks in advance
> Regards
> Matt
>
>
> Mark Clift <mark.clift at usitek.com> wrote:
> Unfortunately I cannot offer much help as I am not
> familiar with TSL but
> have some questions.
>
> Best Regards,
>
> Mark
>
> -----Original Message-----
> From: snortsam-discussion-bounces at snortsam.net
> [mailto:snortsam-discussion-bounces at snortsam.net] On
> Behalf Of Rachmat
> Hidayat Al-Anshar
> Sent: Monday, May 05, 2008 10:36 PM
> To: rachmat_hidayat_02 at yahoo.com;
> Snortsam-discussion at snortsam.net
> Subject: Re: [Snortsam-discussion] Extending block
> for host issue
>
> Hello?
> Can anyone help me?
> I really do need help here :'( . Until now,
> snortsam's log file still contains a lot of statements
> that the IP address of the attacker has been
> successfully blocked. But the ping traffic itself
> is still working, hitting the target. What should I do,
> so I can really block the ping traffic?
>
> Please help.
> Regards.
> Matt
>
> Rachmat Hidayat Al-Anshar wrote:
> > I just don't get it, Frank. When I try issuing ping,
> > snortsam.log tells me that the source IP has been
> > blocked by adding an iptables rule. But the ping traffic
> > itself still continues. It seems that snortsam/iptables
> > didn't manage to actually block the traffic. There was a
> > time when I got the ping traffic blocked by snortsam. It
> > gave me a 'request timed out' status as the result.
> > Rachmat Hidayat Al-Anshar wrote:
> >> Hi Frank, thanks for replying :)
> >> But why didn't snortsam block the ICMP traffic at all?
> >> It just prints in the log file that the IP x.x.x.x has been
> >> successfully blocked, and the next moment it prints
> >> 'extending block for that host'?
> >> Frank Knobbe wrote:
> >>> On Sat, 2008-05-03 at 00:19 -0700, Rachmat Hidayat Al-Anshar wrote:
> >>>> Then from another machine, I try pinging one of my client
> >>>> machines, with:
> >>>>
> >>>> ping -t x.x.x.x
> >>>>
> >>>> Then, from snortsam.log, I got this kind of message:
> >>>> "..Extending block for host x.x.x.x ..". And snortsam's
> >>>> agent on the firewall machine didn't block the ping traffic.
> >>>>
> >>>> Now, what should I do?
> >>> Well, Snortsam has already blocked that address. Your repeated
> >>> attempt is just extending the existing block. Check the log
> >>> file for the first occurrence of the block, or ping an IP that
> >>> hasn't been pinged before.
> >>> -Frank
> >>> _______________________________________________
> >>> Snortsam-discussion mailing list
> >>> Snortsam-discussion at snortsam.net
> >>> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion