
Snort Forums Archive


snort killing active ssh / irc sessions?


Posted by yueah on March 29, 2005 11:28:09

Hope someone can help me here; I've been banging my head against the keyboard so many times now that the printing on the keys is starting to rub off on my forehead :(

My goal is not so much to firewall the clients as to prevent propagation of malicious activity such as worms and trojans to my network. I am running Gentoo kernel 2.6.11r4, dedicated for this purpose.

I currently have the box up and running with iptables sending the traffic to snort_inline (doing this with 2 NICs bridged so it is transparent for the end users) with the command "iptables -A FORWARD -j QUEUE". My table currently looks like this:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
QUEUE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Snort loads without error and is logging traffic to the /var/log/snort_inline/ directory as it should. The rules were downloaded directly from this website last week and none of the rules are set to drop (only alert).

The problem is that when I have Snort running, if I have an SSH connection (using PuTTY) passing through the bridge and the session is idle for more than 1 minute it will cease to respond to keyboard input, and a minute or two later I will get the error from PuTTY stating that "software caused connection abort". The same thing basically happens with an IRC client connection. After a minute of inactivity the client will stop receiving data from the server and I end up with a "Disconnected" message, at which point the client promptly reconnects.

When I shut down Snort and pull the line out of iptables I do not have this problem.

Below is my iptables configuration when it's set to queue packets to Snort:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
QUEUE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I am pretty new to iptables and Snort, and used a how-to at the gentoo.org site (http://forums.gentoo.org/viewtopic-t-169553-highlight-bridge+firewall.html) to get everything up and running.

thanks in advance for any and all who can help,

--Dave

Posted by etban on November 28, 2005 12:18:06

Are you SURE there are no drop rules set?
This is characteristic of a packet being dropped from an established TCP session, which causes the session to be terminated.
Check your system resources, like CPU usage & free mem.
Also, check your netfilter/iptables version.
Updating it could be a good thing to do.
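One way to answer the first question in the reply above (whether any loaded rule actually carries a blocking action), as an added example that is not code from the thread or from the Snort project: a Python script that parses a snort_inline rules file, counts rule actions and lists every drop, sdrop or reject rule with its line number. The sample rules embedded below are constructed, and the rules file path passed on the command line is an assumption.

```python
import re
import sys
from collections import Counter

# Rule header actions understood by snort_inline. Only the last three alter traffic;
# non-rule lines (var, include, preprocessor) never match RULE_ACTIONS and are skipped.
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "sdrop", "reject"}
BLOCKING_ACTIONS = {"drop", "sdrop", "reject"}
HEADER = re.compile(r"^(?P<action>[a-z]+)\s+(?P<proto>\w+)\s+")


def audit_rules(text):
    """Return (Counter of actions, [(line_no, rule), ...] for drop/sdrop/reject rules).
    Comments are skipped; backslash-continued rules are joined and reported at their first line."""
    counts, blocking, buf, start = Counter(), [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.rstrip().endswith("\\"):          # continuation: keep collecting
            start = start or n
            buf += raw.rstrip()[:-1]
            continue
        line, lineno = (buf + raw).strip(), (start or n)
        buf, start = "", 0
        m = HEADER.match(line)
        if line.startswith("#") or not m or m.group("action") not in RULE_ACTIONS:
            continue
        counts[m.group("action")] += 1
        if m.group("action") in BLOCKING_ACTIONS:
            blocking.append((lineno, line))
    return counts, blocking


# Constructed sample (not the Snort.org ruleset) exercising a comment and a continued rule.
SAMPLE = """\
# constructed sample rules file
var HOME_NET 192.168.1.0/24
alert tcp any any -> $HOME_NET 22 (msg:"constructed SSH example"; sid:1000001; rev:1;)
drop tcp any any -> $HOME_NET 6667 (msg:"constructed IRC example"; \\
    sid:1000002; rev:1;)
# drop tcp any any -> any any (msg:"commented out, must not count"; sid:1000003;)
reject icmp any any -> any any (msg:"constructed reject"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    # Pass a rules file path to audit it; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    counts, blocking = audit_rules(text)
    print("actions:", dict(counts))
    for lineno, rule in blocking:
        print("line %d: %s" % (lineno, rule))
```

Run it over each file named by an `include` line in snort_inline.conf; a non-empty blocking list means the "alert only" assumption does not hold for that file.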