[Snortsam-discussion] Extending block for host issue
Rachmat Hidayat Al-Anshar
rachmat_hidayat_02 at yahoo.com
Sat May 10 03:18:12 EDT 2008
Hi Matt, thanks for replying ;)
> If you do an iptables -L -n, what do you get?
There are some rules created by snortsam, blocking the
source that creates the traffic.
> Can you add a rule by hand to block that will work?
> What happens when you run those commands you see
> snortsam issuing?
For the last 3 days, I have been analyzing my research,
and as a result, now I know that this kind of problem
exists because of my own mistakes (shame on me :"> ).
Actually, the ping traffic can't be stopped because
it never "touches" my firewall machine. Please look at
the following diagram:
----------------------------------------------------
topology
----------------------------------------------------
PC-EXT----PC-FIREWALL-------HUB-------PC-INT
              |            _/  |
              |          _/    |
              |        _/      |
              |       /        |
           PC-SENSOR        PC-SERVERS
----------------------------------------------------
note:
----------------------------------------------------
- PC-EXT : outsider / external host
> 202.200.200.1
- PC-INT : internal client
> 10.1.1.10
- PC-FIREWALL : containing snortsam firewall agent
> 202.200.200.2
> 10.1.1.1
> 192.168.0.1
- PC-SENSOR : containing snort, barnyard, BASE, and
snortsam sensor agent
> 192.168.0.2
> 10.1.1.3
- PC-SERVERS : server machine
> 10.1.1.2
A PING command is issued by PC-INT to PC-SERVERS.
Snort detects and alerts on the traffic and reports
it to the snortsam agent on the firewall machine.
As a result, snortsam tells iptables to insert new rules on
the INPUT and FORWARD chains. But the traffic
itself still continues, and always will, because in
this case the traffic does not go through
PC-FIREWALL, which means that the blocking rules will
never affect the traffic.
Now the previous problem is understood. New questions
arise; there are several questions that I have to ask.
First, how can I block the ping traffic issued by
PC-INT? That is, how to block an intrusion coming
from the internal network segment (where the traffic
itself can't reach or communicate with the firewall
machine).
Second, is it possible to configure snortsam to use
more than one interface to block traffic coming from
different network segments, e.g. one used to block
the ping traffic issued by PC-EXT and one more used
to block the ping traffic issued from the internal network
(PC-INT)?
Thanks in advance
Regards
Matt
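As an added illustration, not code from this thread or from snortsam itself: a small Python check, built from the addresses in the topology above, that tells which iptables chain on PC-FIREWALL (if any) would ever see a given flow, and pairs the answer with the two commands snortsam issued earlier in the thread. The interface names other than eth1 and the default-gateway assumption are mine.

```python
import ipaddress

# Constructed from the topology in the mail. Interface names are assumptions:
# the thread only names eth1, taken here as the 10.1.1.0/24 side; eth0 and
# eth2 are placeholders for the other two firewall interfaces.
FIREWALL_IFACES = {
    "eth0": ipaddress.ip_interface("202.200.200.2/24"),
    "eth1": ipaddress.ip_interface("10.1.1.1/24"),
    "eth2": ipaddress.ip_interface("192.168.0.1/24"),
}


def iface_for(addr):
    """Name of the firewall interface whose subnet contains addr, else None."""
    ip = ipaddress.ip_address(addr)
    for name, itf in FIREWALL_IFACES.items():
        if ip in itf.network:
            return name
    return None


def chain_that_sees(src, dst):
    """Which iptables chain on PC-FIREWALL sees a packet src -> dst.

    "INPUT" when dst is one of the firewall's own addresses, "FORWARD" when
    the packet is routed through the firewall, and None when both hosts sit
    on the same directly connected segment, so the packet never reaches the
    firewall and no rule inserted there can drop it. Assumption: addresses
    outside every known subnet are reached via the firewall as default gateway.
    """
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip == itf.ip for itf in FIREWALL_IFACES.values()):
        return "INPUT"
    src_if, dst_if = iface_for(src), iface_for(dst)
    if src_if is not None and src_if == dst_if:
        return None
    return "FORWARD"


def snortsam_block_cmds(src):
    """The two commands the thread shows snortsam issuing, for a given source."""
    in_if = iface_for(src) or "eth0"  # unknown sources enter on the external side (assumption)
    return [
        f"/sbin/iptables -I FORWARD -i {in_if} -s {src} -j DROP",
        f"/sbin/iptables -I INPUT -i {in_if} -s {src} -j DROP",
    ]


if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "10.1.1.2"), ("202.200.200.1", "10.1.1.10")]:
        print(src, "->", dst, ":", chain_that_sees(src, dst) or "never reaches PC-FIREWALL")
```

For the PC-INT to PC-SERVERS ping the check returns None, which is exactly why the rules snortsam inserted never matched; the external-to-internal case returns FORWARD, where the same rules do take effect.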
> Rachmat Hidayat Al-Anshar wrote:
> > Hi Mark, thanks for replying ;)
> >
> >> Do the iptables rules created by Snortsam look
> >> correct?
> >
> > Here is what snortsam issued to iptables:
> > /sbin/iptables -I FORWARD -i eth1 -s 10.1.1.1 -j DROP
> > /sbin/iptables -I INPUT -i eth1 -s 10.1.1.1 -j DROP
> >
> > note:
> > - eth1 is the interface located where it could
> > have access to block the bad traffic inside the net.
> > - 10.1.1.1 is the source IP from which the ping was issued.
> >
> >
> >> Can you manually create an ICMP rule that works as
> >> expected? How do the two rules differ?
> >
> > For testing purposes, I wrote the following rule:
> > alert icmp any any -> any any (msg:"test"; fwsam: src, 1 minutes;)
> >
> > and snortsam still lets the ping traffic flow like
> > a charm. :(
> > everything looks fine...
> > what should I do? please help :(
> >
> > this kind of problem didn't happen when I used the
> > pre-patched snort (named snort-snortsam-2.7.0)..
> > is there any other pre-patched version of a newer
> > version of snort? just want to know..
> >
> > Regards
> > Matt
> >
> >> -----Original Message-----
> >> From: snortsam-discussion-bounces at snortsam.net
> >> [mailto:snortsam-discussion-bounces at snortsam.net] On
> >> Behalf Of Rachmat Hidayat Al-Anshar
> >> Sent: Thursday, May 08, 2008 6:46 AM
> >> To: snortsam-discussion at snortsam.net
> >> Subject: Re: [Snortsam-discussion] Extending block
> >> for host issue
> >>
> >> I have checked to see whether the iptables rules
> >> exist after snortsam reports the block. As a result
> >> I find that those rules do exist.
> >>
> >> So, why does the ping traffic still continue if
> >> iptables really makes rules to block the source IP
> >> address? What should I do?
> >>
> >> I didn't find this kind of problem when I used the
> >> pre-patched snort (named snort-snortsam-2.7.0).
> >> But every time I try to patch the snort source
> >> distribution file with the snortsam patch file manually,
> >> this kind of problem always occurs.
> >>
> >> Is there another pre-patched snort for the latest stable
> >> version of snort (snort 2.8.0 or 2.8.1)???
> >>
> >> During the time working on the implementation of IDS and
> >> active response with snort and snortsam, I've found so
> >> many pieces of information that I've missed. This kind
> >> of information wasn't clearly described in the README
> >> or other official manuals. As an example, there are
> >> some warning or error messages that I have
> >> never seen when applying the same process in a
> >> Linux environment.
> >>
> >> Regarding this, is there anyone who has ever
> >> successfully applied snortsam in an OpenBSD 4.2
> >> environment? Please share your experience with me.
> >>
> >> Or any kind of clear reference (presented
> >> as a how-to tutorial or some kind of log created
> >> when you applied this process) on OpenBSD 4.2?!
> >>
> >> It would be great if it could really save my time.
> >>
> >> So, I really do need your help.
> >>
> >> Thanks in advance.
> >> Regards
> >> Matt
> >>
> >>
> >> --- Rachmat Hidayat Al-Anshar
> >> <rachmat_hidayat_02 at yahoo.com> wrote:
> >>
> >>> Hi Mark :)
> >>> Thanks for replying.
> >>>
> >>>> Is the iptables rule being created?
> >>> Yes, absolutely. I always "tail" snortsam.log to
> >>> know what snortsam is really
> >>> doing. In snortsam.conf, it is clearly printed that
> >>> iptables successfully inserted
> >>> new rules into the forward and input chains. I have
> >>> no idea, but it seems
> >>> it didn't work at all.
> >>>
> >>>> Have you checked to see if the rule exists after
> >>>> snortsam reports the block?
> >>> I am not quite sure.. I'll check it soon.
> >>>
> >>>> Have you tried using any other distribution?
> >>> Before using TSL, I used OpenBSD. Now I've got
> >>> frustrated because no one
> >>> can help. Now I'm back to using OpenBSD.
> >>>
> >>> Thanks in advance
> >>> Regards
> >>> Matt
> >>>
> >>>
> >>> Mark Clift <mark.clift at usitek.com> wrote:
> >>> Unfortunately I cannot offer much help as I am not
> >>> familiar with TSL but
> >>> have some questions.
> >>>
> >>> Best Regards,
> >>>
> >>> Mark
> >>>
> >>> -----Original Message-----
> >>> From: snortsam-discussion-bounces at snortsam.net
> >>> [mailto:snortsam-discussion-bounces at snortsam.net] On
> >>> Behalf Of Rachmat Hidayat Al-Anshar
> >>> Sent: Monday, May 05, 2008 10:36 PM
> >>> To: rachmat_hidayat_02 at yahoo.com;
> >>> Snortsam-discussion at snortsam.net
> >>> Subject: Re: [Snortsam-discussion] Extending block
> >>> for host issue
> >>>
> >>> Hello?
> >>> Can anyone help me?
> >>> I do really need help here :'( . Until now,
> >>> snortsam's log file
> >>> still contains a lot of statements that the IP address
> >>> of the attacker has been
> >>> successfully blocked. But the ping traffic
> >>> itself is still working well,
> >>> hitting the target. What should I do, so I can
> >>> really block the ping
=== message truncated ===