
Snort Forums Archive


Snort inline and QUEUE


Posted by Shad on April 14, 2005 15:18:42

Hi,

I'm studying a snort inline IPS solution for an ISP. Today I installed it on one machine for testing in a semi-production environment, but when I redirect all INPUT traffic to QUEUE, snort doesn't accept any kind of traffic. But if I only send one port (e.g. http) to QUEUE, it works. I'm using the latest version of snort.

These are my rules:

blackshadow:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
QUEUE tcp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED


Reading the groups I found some posts talking about this; the solution was adding this line to snort.conf:

config checksum_mode: none

But it doesn't work for me :(

Can somebody help me a bit?? Thanks

Iñaki R.

P.S.: Excuse my English

Posted by bfranklin on April 19, 2005 05:47:23

QUEUE your FORWARD chain, not your INPUT chain. Odds are you want to accept packets destined for the IPS itself and route the rest (after passing through snort-inline, of course).

Posted by TonyC on May 16, 2005 17:57:45


Here are my iptables rules... they also provide some ping flood and SYN flood DoS protection.
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
syn-flood tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
icmp-flood icmp -- 0.0.0.0/0 0.0.0.0/0
QUEUE udp -- 0.0.0.0/0 0.0.0.0/0
QUEUE icmp -- 0.0.0.0/0 0.0.0.0/0
QUEUE tcp -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain icmp-flood (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain syn-flood (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 50/sec burst 150
DROP all -- 0.0.0.0/0 0.0.0.0/0


Save the following as a file... and run "iptables-restore < file"
# Generated by iptables-save v1.2.8 on Mon May 16 21:53:43 2005
*filter
:INPUT ACCEPT [60867:10059951]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18907:2559827]
:icmp-flood - [0:0]
:syn-flood - [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
-A FORWARD -p icmp -j icmp-flood
-A FORWARD -p udp -j QUEUE
-A FORWARD -p icmp -j QUEUE
-A FORWARD -p tcp -j QUEUE
-A icmp-flood -m limit --limit 1/sec -j RETURN
-A icmp-flood -j DROP
-A syn-flood -m limit --limit 50/sec --limit-burst 150 -j RETURN
-A syn-flood -j DROP
COMMIT
# Completed on Mon May 16 21:53:43 2005

Thanks,
-Tony
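As an added check (my own example, not code from this thread or from the Snort project), here is a small Python linter over iptables-save text that flags the placement problem bfranklin describes: a QUEUE rule in INPUT or OUTPUT hands the sensor's own traffic to userspace, and since the ip_queue target drops packets when no process is attached, the box goes dark whenever snort_inline is not running; a FORWARD chain without any QUEUE rule means routed traffic bypasses inspection entirely. Both sample rulesets are constructed here: the first is Shad's "iptables -L" listing rewritten in iptables-save syntax, the second is Tony's file as posted.

```python
"""Lint iptables-save output for snort_inline QUEUE placement (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Targets built into the filter table; anything else must be a user chain.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "QUEUE", "NFQUEUE", "RETURN", "REJECT", "LOG"}


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str]
    raw: str


@dataclass
class Ruleset:
    policies: dict = field(default_factory=dict)   # chain -> policy ("-" for user chains)
    rules: list = field(default_factory=list)


def parse_iptables_save(text: str) -> Ruleset:
    """Parse the *filter table of iptables-save output into chains and -A rules."""
    rs = Ruleset()
    in_filter = False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            rs.policies[name] = policy
            continue
        m = re.match(r"-A (\S+)(.*?)-j (\S+)", line)
        if not m:
            continue
        chain, opts, target = m.groups()
        pm = re.search(r"-p (\S+)", opts)
        rs.rules.append(Rule(chain, target, pm.group(1) if pm else None, line))
    return rs


def lint_queue_placement(rs: Ruleset) -> list:
    """Return human-readable findings; an empty list means the layout looks sane."""
    findings = []
    for chain in ("INPUT", "OUTPUT"):
        queued = [r for r in rs.rules if r.chain == chain and r.target == "QUEUE"]
        if queued:
            protos = ", ".join(r.proto or "all" for r in queued)
            findings.append(f"{chain}: QUEUE rule(s) for {protos}; the sensor's own traffic "
                            "is handed to userspace and is dropped whenever snort_inline is down")
    if not any(r.chain == "FORWARD" and r.target == "QUEUE" for r in rs.rules):
        findings.append("FORWARD: no QUEUE rule, routed traffic is never inspected")
    for r in rs.rules:                           # jumps to chains that were never declared
        if r.target not in BUILTIN_TARGETS and r.target not in rs.policies:
            findings.append(f"{r.chain}: jump to undefined chain {r.target!r}")
    return findings


# Constructed: Shad's listing from the thread, rewritten in iptables-save syntax.
SHAD_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j QUEUE
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Tony's ruleset as posted in the thread (counters zeroed).
TONY_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:icmp-flood - [0:0]
:syn-flood - [0:0]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
-A FORWARD -p icmp -j icmp-flood
-A FORWARD -p udp -j QUEUE
-A FORWARD -p icmp -j QUEUE
-A FORWARD -p tcp -j QUEUE
-A icmp-flood -m limit --limit 1/sec -j RETURN
-A icmp-flood -j DROP
-A syn-flood -m limit --limit 50/sec --limit-burst 150 -j RETURN
-A syn-flood -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("shad", SHAD_RULES), ("tony", TONY_RULES)):
        print(name, lint_queue_placement(parse_iptables_save(text)) or ["ok"])
```

Running it reports two findings for the first ruleset (QUEUE in INPUT, nothing queued in FORWARD) and none for Tony's. The parser only reads the filter table, so a production check would also want to confirm that the userspace side is actually attached before the QUEUE rules are loaded, which is the order iptables-restore cannot enforce by itself.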