[Snortsam-discussion] troubleshooting snortsam implementation

Matt Jonkman jonkman at jonkmans.com
Fri May 16 07:29:16 EDT 2008


The diagram you sent before showed that there wasn't a device inline 
between these. As explained, you have to be inline to block that traffic.

Matt


Rachmat Hidayat Al-Anshar wrote:
> I tried manually inserting the following rules
> (exactly like what snortsam does to iptables):
> 
> - iptables -I INPUT -i eth0 -s 202.200.200.1 -j DROP
> - iptables -I FORWARD -i eth0 -s 202.200.200.1 -j DROP
> 
> and I still got the same result. The traffic is only
> blocked when I ping 202.200.200.2 from PC-EXT
> (202.200.200.1); when I ping 10.1.1.2 (or
> another machine inside the network) the result was
> disappointing: the ping is still unblocked.
> 
> anyone, help me.. :'(
> best regards
> Matt
> 
> 
> 
> 
> --- Rachmat Hidayat Al-Anshar
> <rachmat_hidayat_02 at yahoo.com> wrote:
> 
>> Hi
>>
>> I still can't find a way to solve this. I tried to
>> monitor what iptables is doing with this command:
>> # gnuwatch -n 1 iptables -nvL
>>
>> and the result shows me that the INPUT chain is working
>> with no problem. Yep, I can't ping 202.200.200.2,
>> and the number of dropped packets is increasing.
>> But when I try to ping 10.1.1.2 (PC-SERVER),
>> there is no packet dropped :(
>>
>> can anyone help me :(
>> regards
>> Matt
>>
>>
>>
>> --- Rachmat Hidayat Al-Anshar
>> <rachmat_hidayat_02 at yahoo.com> wrote:
>>
>>> Hi all
>>>
>>> There is a problem I have to ask about regarding
>>> my research deploying snortsam. I thought that I
>>> had already passed this point, but I haven't.
>>>
>>> I set my firewall with no rules at all (default
>>> condition), to make sure that all connections could be
>>> accepted and passed with no problem. The only thing
>>> that I've set is the value of ip_forward to 1.
>>>
>>> please look at this topology:
>>>
>>> ----------------------------------------------------
>>> topology
>>> ----------------------------------------------------
>>>
>>> PC-EXT----PC-FIREWALL-------HUB-------PC-INT
>>>                |          _/ |
>>>                |        _/   |
>>>                |      _/     |
>>>                |     /       |
>>>            PC-SENSOR     PC-SERVERS
>>>
>>> ----------------------------------------------------
>>> note:
>>> ----------------------------------------------------
>>> name          ip address     description
>>> ----------------------------------------------------
>>> - PC-EXT      202.200.200.1  outsider
>>>
>>> - PC-FIREWALL 202.200.200.2  snortsam firewall agent
>>>               10.1.1.1
>>>               192.168.0.1
>>>
>>> - PC-SENSOR   192.168.0.2    snort, barnyard,
>>>               10.1.1.3       BASE, and snortsam
>>>
>>> - PC-SERVERS  10.1.1.2       servers machine
>>>
>>>
>>> with the following simple icmp rule:
>>>
>>> alert icmp $EXT_NET any -> 10.1.1.2 any (msg:"test";
>>> sid:100001; alert_fwsam: src, 2 minutes)
>>>
>>> I tried issuing a ping from PC-EXT to 10.1.1.2, then
>>> the event was successfully detected by snort and
>>> snortsam successfully communicated with iptables and
>>> created the following rules:
>>> - iptables -I INPUT -i eth0 -s 202.200.200.1 -j DROP
>>> - iptables -I FORWARD -i eth0 -s 202.200.200.1 -j DROP
>>>
>>> I set snortsam on external interface eth0 (IP
>>> 202.200.200.2). I have checked and made sure that the
>>> blocking rules exist, but something that I didn't
>>> understand is why the ping traffic to 10.1.1.2 or
>>> other IPs behind the firewall can't actually be blocked ;(
>>> I tried to ping 202.200.200.2 (eth0 firewall) from
>>> 202.200.200.1 (pc-ext) and I got my traffic blocked.
>>> What is wrong with this? I just can't really understand
>>> why this "iptables -I FORWARD -i eth1 -s 202.200.200.1
>>> -j DROP" iptables rule seems not to work.
>>>
>>> any help will be greatly appreciated ;)
>>> Best regards
>>> Matt
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Snortsam-discussion mailing list
>>> Snortsam-discussion at snortsam.net
>>> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
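The poster watched the `iptables -nvL` counters to see which chain was dropping, and saw INPUT climb while FORWARD stayed at zero. As an added example (not code from the thread or from SnortSam), the Python below diffs two counter snapshots and flags a DROP rule that is installed but never matched, which is the symptom Matt attributes to the firewall not being inline. The two snapshots are constructed sample output; the interface and address values mirror the thread.

```python
import re
# `iptables -nvL` abbreviates counters with K/M/G unless -x is given.
_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def parse_counter(text):
    m = re.fullmatch(r"(\d+)([KMG]?)", text)
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_iptables_nvl(output):
    """Return {(chain, target, in_if, src, dst): pkts} for each rule line."""
    rules, chain = {}, None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]            # "Chain FORWARD (policy ACCEPT ...)"
        elif fields[0] == "pkts" or chain is None:
            continue                     # column header line
        else:
            pkts, _b, target, _p, _o, in_if, _out, src, dst = fields[:9]
            rules[(chain, target, in_if, src, dst)] = parse_counter(pkts)
    return rules

def drop_rule_hits(before, after, src):
    """Packets matched per chain by DROP rules for src between two snapshots."""
    hits = {}
    for key, pkts in after.items():
        chain, target, _in_if, rule_src, _dst = key
        if target == "DROP" and rule_src == src:
            hits[chain] = pkts - before.get(key, 0)
    return hits

# Constructed snapshots, a few seconds apart, while PC-EXT keeps pinging.
SNAP_BEFORE = """\
Chain INPUT (policy ACCEPT 1024 packets, 80K bytes)
 pkts bytes target     prot opt in     out     source               destination
    4    336 DROP       all  --  eth0   *       202.200.200.1        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0      0 DROP       all  --  eth0   *       202.200.200.1        0.0.0.0/0
"""
SNAP_AFTER = SNAP_BEFORE.replace("    4    336 DROP", "   12   1008 DROP")

if __name__ == "__main__":
    hits = drop_rule_hits(parse_iptables_nvl(SNAP_BEFORE),
                          parse_iptables_nvl(SNAP_AFTER), "202.200.200.1")
    for chain, n in hits.items():
        # Zero hits: rule is installed but no packet from src traverses the chain.
        print("%-8s DROP hits: %d%s" % (chain, n, "" if n else "  <- never matched"))
```

A FORWARD rule with zero hits while the INPUT rule counts up means the host only sees traffic addressed to itself; packets to 10.1.1.2 are reaching the hub without being routed through this box, so no netfilter rule on it can stop them.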