[Snortsam-discussion] troubleshooting snortsam implementation
Rachmat Hidayat Al-Anshar
rachmat_hidayat_02 at yahoo.com
Fri May 16 05:39:26 EDT 2008
I tried manually inserting the following rules
(exactly like what snortsam does to iptables):
- iptables -I INPUT -i eth0 -s 202.200.200.1 -j DROP
- iptables -I FORWARD -i eth0 -s 202.200.200.1 -j DROP
and I still got the same result. The traffic is only
blocked when I ping 202.200.200.2 from PC-EXT
(202.200.200.1); when I ping 10.1.1.2 (or
another machine inside the network) the result
disappoints me: the ping is still unblocked.
anyone, help me.. :'(
best regards
Matt
--- Rachmat Hidayat Al-Anshar
<rachmat_hidayat_02 at yahoo.com> wrote:
> Hi
>
> I still can't find a way to solve this. I tried to
> monitor what iptables is doing with this command:
> # gnuwatch -n 1 iptables -nvL
>
> and the result shows me that the INPUT chain is working
> with no problem. Yep, I can't ping 202.200.200.2,
> and the number of dropped packets is increasing.
> But when I try to ping 10.1.1.2 (PC-SERVER),
> there are no packets dropped :(
>
> can anyone help me :(
> regards
> Matt
>
> --- Rachmat Hidayat Al-Anshar
> <rachmat_hidayat_02 at yahoo.com> wrote:
>
> > Hi all
> >
> > There is a problem that I have to ask about regarding
> > my research deploying snortsam. I thought I had
> > already got past this, but it turned out I hadn't.
> >
> > I set my firewall with no rules at all (default
> > condition), to make sure that all connections could be
> > accepted and passed with no problem. The only thing
> > that I've set is the value of ip_forward to 1.
> >
> > please look at this topology:
> >
> > ----------------------------------------------------
> > topology
> > ----------------------------------------------------
> >
> > PC-EXT----PC-FIREWALL-------HUB-------PC-INT
> >                |           _/|
> >                |         _/  |
> >                |       _/    |
> >                |      /      |
> >            PC-SENSOR    PC-SERVERS
> >
> > ----------------------------------------------------
> > note:
> > ----------------------------------------------------
> > name           ip address       description
> > ----------------------------------------------------
> > - PC-EXT       202.200.200.1    outsider
> >
> > - PC-FIREWALL  202.200.200.2    snortsam firewall agent
> >                10.1.1.1
> >                192.168.0.1
> >
> > - PC-SENSOR    192.168.0.2      snort, barnyard,
> >                10.1.1.3         BASE, and snortsam
> >
> > - PC-SERVERS   10.1.1.2         servers machine
> >
> > with the following simple icmp rule:
> >
> > alert icmp $EXT_NET any -> 10.1.1.2 any (msg:"test";
> > sid:100001; alert_fwsam: src, 2 minutes)
> >
> > I tried issuing a ping from PC-EXT to 10.1.1.2, then
> > the event was successfully detected by snort and
> > snortsam successfully communicated with iptables and
> > created the following rules:
> > - iptables -I INPUT -i eth0 -s 202.200.200.1 -j DROP
> > - iptables -I FORWARD -i eth0 -s 202.200.200.1 -j DROP
> >
> > I set snortsam on external interface eth0 (IP
> > 202.200.200.2). I have checked and made sure that the
> > blocking rules exist, but something that I didn't
> > understand is why the ping traffic to 10.1.1.2 or
> > other IPs behind the firewall can't actually be blocked ;(
> >
> > I tried to ping 202.200.200.2 (eth0 firewall) from
> > 202.200.200.1 (pc-ext) and I got my traffic blocked.
> >
> > What is wrong with this? I just can't really understand
> > why this "iptables -I FORWARD -i eth1 -s 202.200.200.1
> > -j DROP" iptables rule seems not to work.
> >
> > Any help will be greatly appreciated ;)
> > Best regards
> > Matt
> >
> > _______________________________________________
> > Snortsam-discussion mailing list
> > Snortsam-discussion at snortsam.net
> > http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
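Added example (not code from the posts or from SnortSam): a Python check that parses the `iptables -nvL` output Matt was watching and reports, per chain, whether the DROP rule for the blocked source address is actually matching packets. The sample output is constructed to resemble the situation described in the thread (INPUT rule counter rising, FORWARD rule counter at zero while that chain's policy still accepts packets); the function names and the verdict labels are this example's own.

```python
"""Audit `iptables -nvL` counters for a SnortSam-style DROP on one source.
Added example, not code from the posts or from SnortSam; names are its own."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample (not captured from a real host), modelled on the thread:
# the INPUT rule counts hits, the FORWARD rule stays at zero while the chain
# policy keeps accepting packets.
SAMPLE_OUTPUT = """\
Chain INPUT (policy ACCEPT 1523 packets, 120K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1008 DROP       all  --  eth0   *       202.200.200.1        0.0.0.0/0

Chain FORWARD (policy ACCEPT 8 packets, 672 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       202.200.200.1        0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1490 packets, 118K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+)([KMG]?) packets")
Rule = namedtuple("Rule", "pkts target in_if out_if source destination")

@dataclass
class Chain:
    name: str
    policy: str = ""            # empty for user-defined chains
    policy_pkts: int = 0        # packets the default policy handled
    rules: list = field(default_factory=list)

def parse_count(token: str) -> int:
    """'12', '120K', '3M' -> int; iptables abbreviates counters unless run with -x."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_iptables(output: str) -> dict:
    """Parse `iptables -nvL` text into {chain_name: Chain}."""
    chains, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Chain "):
            m = _CHAIN_RE.match(line)
            if m:
                name, policy, n, suffix = m.groups()
                current = Chain(name, policy, int(n) * _SUFFIX[suffix])
            else:                                  # "Chain name (N references)"
                current = Chain(line.split()[1])
            chains[current.name] = current
            continue
        cols = line.split()
        if current is None or cols[0] == "pkts" or len(cols) < 9:
            continue                               # column header or odd row
        pkts, _bytes, target, _prot, _opt, in_if, out_if, src, dst = cols[:9]
        current.rules.append(Rule(parse_count(pkts), target, in_if, out_if, src, dst))
    return chains

def audit_block(output: str, src: str, chains=("INPUT", "FORWARD")) -> dict:
    """Per chain: 'blocking' (DROP rule for src has hits), 'present-no-hits'
    (rule exists, zero hits, yet the policy handled packets), 'idle' (rule
    exists, chain saw nothing) or 'missing' (no DROP rule for src)."""
    parsed, verdict = parse_iptables(output), {}
    for name in chains:
        chain = parsed[name]
        drops = [r for r in chain.rules if r.target == "DROP" and r.source == src]
        if not drops:
            verdict[name] = "missing"
        elif any(r.pkts > 0 for r in drops):
            verdict[name] = "blocking"
        elif chain.policy_pkts > 0:
            verdict[name] = "present-no-hits"
        else:
            verdict[name] = "idle"
    return verdict

def explain(output: str, src: str, chains=("INPUT", "FORWARD")) -> list:
    """One report line per chain, plus a hint when a rule is present but never hit."""
    parsed, verdict, lines = parse_iptables(output), audit_block(output, src, chains), []
    for name in chains:
        ch = parsed[name]
        ifs = ", ".join(f"-i {r.in_if}" for r in ch.rules
                        if r.target == "DROP" and r.source == src) or "none"
        lines.append(f"{name}: {verdict[name]} (DROP rules for {src}: {ifs}; "
                     f"policy {ch.policy} handled {ch.policy_pkts} pkts)")
        if verdict[name] == "present-no-hits":
            lines.append(f"  -> packets crossed {name} without matching the rule; confirm "
                         "the traffic carries this source address and enters on the "
                         "interface named by -i (that match is ingress-only)")
    return lines

if __name__ == "__main__":
    print("\n".join(explain(SAMPLE_OUTPUT, "202.200.200.1")))
```

Against a live box, feed the output of `iptables -nvxL` (the `-x` flag prints exact counters instead of K/M abbreviations) into `explain`. A `present-no-hits` verdict means packets did traverse that chain but none satisfied every match in the rule, so the rule's source address and its `-i` interface are what to compare against what a packet capture on the firewall actually shows for the pings in question.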