[Snortsam-discussion] troubleshooting snortsam implementation
Rachmat Hidayat Al-Anshar
rachmat_hidayat_02 at yahoo.com
Sat May 17 11:29:19 EDT 2008
Hi again Matt ;)

Yesterday I read the "Snort IDS and IPS Toolkit" book
written by Toby Kohlenberg.
Chapter 11 of that book talks about Active Response
(pages 563-586). That part of the chapter shows how Snortsam
protects a network from two specific attacks:
- the first against a Web server
  The Web server attack is derived from SID 807
  (identified as a WEB-CGI /wwwboard/passwd.txt access).
- the second against an NFS server
  The NFS attack is derived from SID 316
  (identified as an EXPLOIT x86 Linux mountd overflow).

The topology used for the attack simulations seems quite
similar to the one I've used for my research. In that
simulation, the snortsam blocking agent on the firewall
machine really does block the bad traffic coming from
PC-EXT to the web or NFS server.

The simulations described in that part of chapter 11
clearly show that it's possible to use snortsam
instead of inline snort to block the bad traffic
coming from PC-EXT to the internal PC-SERVER through
PC-FIREWALL (without putting the sensor inline with the traffic).

What I want to ask is: why are you telling me
that I have to put the sensor inline with the bad
traffic that has to be blocked?

Thanks in advance
Matt
--- Rachmat Hidayat Al-Anshar
<rachmat_hidayat_02 at yahoo.com> wrote:
> Hi Matt, thanks for replying ;)
>
> > The diagram you sent before showed that there wasn't
> > a device inline between these.
>
> Yep, I am intentionally applying Snort not as an inline
> sensor. I intend the sensor to focus its attention on
> monitoring PC-SERVERS.
>
> > As explained, you have to be inline
> > to block that traffic.
>
> Is there any other way to make my work possible,
> without applying the sensor as an inline sensor, while
> still blocking any "bad" traffic from PC-EXT?
>
> thanks in advance
> best regards
> Matt
>
> --- Matt Jonkman <jonkman at jonkmans.com> wrote:
>
> > The diagram you sent before showed that there wasn't
> > a device inline between these. As explained, you have
> > to be inline to block that traffic.
> >
> > Matt
> >
> > Rachmat Hidayat Al-Anshar wrote:
> > > I tried manually inserting the following rules
> > > (exactly what snortsam does to iptables):
> > >
> > > - iptables -I INPUT -i eth0 -s 202.200.200.1 -j DROP
> > > - iptables -I FORWARD -i eth0 -s 202.200.200.1 -j DROP
> > >
> > > and I still got the same result. The traffic is only
> > > blocked when I ping 202.200.200.2 from PC-EXT
> > > (202.200.200.1); when I ping 10.1.1.2 (or another
> > > machine inside the network) the result disappoints
> > > me: the ping is still not blocked.
> > >
> > > anyone, help me.. :'(
> > > best regards
> > > Matt
> > >
> > > --- Rachmat Hidayat Al-Anshar
> > > <rachmat_hidayat_02 at yahoo.com> wrote:
> > >
> > >> Hi
> > >>
> > >> I still can't find a way to solve this. I tried to
> > >> monitor what iptables is doing with this command:
> > >> # gnuwatch -n 1 iptables -nvL
> > >>
> > >> and the result shows me that the INPUT chain is
> > >> working with no problem. Yep, I can't ping
> > >> 202.200.200.2, and the number of dropped packets is
> > >> increasing. But when I try to ping 10.1.1.2
> > >> (PC-SERVER), there are no packets dropped :(
> > >>
> > >> can anyone help me :(
> > >> regards
> > >> Matt
> > >>
> > >> --- Rachmat Hidayat Al-Anshar
> > >> <rachmat_hidayat_02 at yahoo.com> wrote:
> > >>
> > >>> Hi all
> > >>>
> > >>> There is a problem that I have to ask about regarding
> > >>> my research deploying snortsam. I thought that I had
> > >>> already got past this, but I haven't.
> > >>>
> > >>> I set my firewall with no rules at all (default
> > >>> condition), to make sure that all connections can be
> > >>> accepted and passed with no problem. The only thing
> > >>> that I've set is the value of ip_forward to 1.
> > >>>
> > >>> please look at this topology:
> > >>>
> > >>> ----------------------------------------------------
> > >>> topology
> > >>> ----------------------------------------------------
> > >>>
> > >>> PC-EXT----PC-FIREWALL-------HUB-------PC-INT
> > >>>                |          _/ |
> > >>>                |        _/   |
> > >>>                |      _/     |
> > >>>                |     /       |
> > >>>            PC-SENSOR     PC-SERVERS
> > >>>
> > >>> ----------------------------------------------------
> > >>> note:
> > >>> ----------------------------------------------------
> > >>> name           ip address      description
> > >>> ----------------------------------------------------
> > >>> - PC-EXT       202.200.200.1   outsider
> > >>> - PC-FIREWALL  202.200.200.2   snortsam firewall agent
> > >>>                10.1.1.1
> > >>>                192.168.0.1
> > >>> - PC-SENSOR    192.168.0.2     snort, barnyard,
> > >>>                10.1.1.3        BASE, and snortsam
> > >>> - PC-SERVERS   10.1.1.2        servers machine
> > >>>
> > >>> with the following simple icmp rule:
> > >>>
> > >>> alert icmp $EXT_NET any -> 10.1.1.2 any (msg:"test";
> > >>> sid:100001; alert_fwsam: src, 2 minutes)
> > >>>
> > >>> I tried issuing a ping from PC-EXT to 10.1.1.2, then
> > >>> the event was successfully detected by snort and
> > >>> snortsam successfully communicated with iptables and
> > >>> created the following rules:
> > >>> - iptables -I INPUT -i eth0 -s 202.200.200.1 -j DROP
> > >>> - iptables -I FORWARD -i eth0 -s 202.200.200.1 -j DROP
> > >>>
> > >>> I set snortsam on the external interface eth0 (IP
> > >>> 202.200.200.2). I have checked and made sure that the
> > >>> blocking rules exist, but something that I don't
> > >>> understand is why the ping traffic to 10.1.1.2 or
> > >>> other IPs behind the firewall can't actually be
> > >>> blocked ;(
> > >>> I tried to ping 202.200.200.2 (eth0 firewall) from
> > >>> 202.200.200.1 (pc-ext) and I got my traffic blocked.
> > >>> What is wrong with this? I just can't really understand
> > >>> why this "iptables -I FORWARD -i eth1 -s
> > >>> 202.200.200.1
>
=== message truncated ===
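The thread turns on which netfilter chain a packet from PC-EXT actually traverses on PC-FIREWALL: a ping to 202.200.200.2 is delivered locally through INPUT, while a ping to 10.1.1.2 is routed and only ever passes through FORWARD, so an INPUT drop can never protect the hosts behind the firewall, and a FORWARD rule with `-i <iface>` only matches if that interface is the one the transit packet really enters on. The toy model below is an added example written for this page, not Snortsam's or any poster's code; the `Rule`, `Firewall`, `snortsam_block` and `thread_scenario` names are mine, the addresses and interface names are the thread's, and only the INPUT/FORWARD split, rule order (`-I` prepends) and the `-i`/`-s` matches are modelled. It reproduces the three cases a practitioner would want to compare: the rules as quoted (both on eth0), a FORWARD rule bound to a different interface than the one traffic enters on (the truncated last line of the thread quotes a FORWARD rule with `-i eth1`; if that is what was really installed it would give exactly the observed "INPUT drops, FORWARD passes" symptom), and a rule with no `-i` at all.

```python
"""Toy model of the netfilter decision on PC-FIREWALL (added example for
this page, not Snortsam's code). Models only: INPUT vs FORWARD chain
selection, rule order as inserted by `iptables -I`, and -i / -s matching."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    chain: str                       # "INPUT" or "FORWARD"
    src: str                         # -s value: an address or CIDR
    target: str = "DROP"
    in_iface: Optional[str] = None   # -i value; None means any interface

    def matches(self, in_iface: str, src: str) -> bool:
        if self.in_iface is not None and self.in_iface != in_iface:
            return False
        return ip_address(src) in ip_network(self.src, strict=False)


@dataclass
class Firewall:
    local_addrs: set                 # addresses configured on the firewall itself
    ip_forward: bool = True          # /proc/sys/net/ipv4/ip_forward, 1 in the thread
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:
        # iptables -I prepends: the newest rule is evaluated first
        self.rules.insert(0, rule)

    def chain_for(self, dst: str) -> str:
        # Packets addressed to the box itself are delivered via INPUT; anything
        # routed through it (e.g. to 10.1.1.2) only ever traverses FORWARD.
        return "INPUT" if dst in self.local_addrs else "FORWARD"

    def verdict(self, in_iface: str, src: str, dst: str) -> Tuple[str, str]:
        chain = self.chain_for(dst)
        if chain == "FORWARD" and not self.ip_forward:
            return chain, "DROP"     # the kernel does not route at all
        for rule in self.rules:
            if rule.chain == chain and rule.matches(in_iface, src):
                return chain, rule.target
        return chain, "ACCEPT"       # default policy on the thread's empty firewall


def snortsam_block(fw: Firewall, attacker: str,
                   input_iface: Optional[str], forward_iface: Optional[str]) -> None:
    """The two rules quoted in the thread, -I INPUT and -I FORWARD, each with
    -i <iface> -s <attacker> -j DROP. The interfaces are parameters so that
    the effect of a mismatch between them can be shown."""
    fw.insert(Rule("INPUT", attacker, in_iface=input_iface))
    fw.insert(Rule("FORWARD", attacker, in_iface=forward_iface))


def thread_scenario(forward_iface: Optional[str] = "eth0"):
    """Ping from PC-EXT (entering on eth0) to the firewall and to PC-SERVERS
    after a Snortsam block with INPUT bound to eth0 and FORWARD bound to
    forward_iface. Returns (chain, verdict) for each ping."""
    fw = Firewall(local_addrs={"202.200.200.2", "10.1.1.1", "192.168.0.1"})
    snortsam_block(fw, "202.200.200.1", "eth0", forward_iface)
    to_firewall = fw.verdict("eth0", "202.200.200.1", "202.200.200.2")
    to_server = fw.verdict("eth0", "202.200.200.1", "10.1.1.2")
    return to_firewall, to_server


if __name__ == "__main__":
    # Rules exactly as quoted, both on eth0: the transit ping is dropped in FORWARD.
    print(thread_scenario("eth0"))
    # FORWARD rule bound to eth1 while the packet enters on eth0: the thread's
    # symptom, INPUT drops but the FORWARD rule never matches.
    print(thread_scenario("eth1"))
    # No -i at all: blocked whichever interface the packet enters on.
    print(thread_scenario(None))
```

On a real box the equivalent check is the one already used in the thread, `iptables -nvL` under `watch`: if the INPUT counter for the block rule climbs while the FORWARD counter stays at zero during a ping to 10.1.1.2, the FORWARD rule is not matching the transit packets, and the `-i` interface it names is the first thing to compare against the interface those packets actually arrive on.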