Question to the list,

Has anyone here had experience using Shorewall (multi-isp configuration) with Snort inline? First, is this possible? Second, if anyone has done this, what documentation, if any, did they use to set it up? Third, does snort have to run inline on a firewall (I'm under the impression it does)?
On 10/20/05, Preston Kutzner <grdnwsl@mrichi.com> wrote:
> Question to the list,
>
> Has anyone here had experience using Shorewall (multi-isp configuration)
> with Snort inline? First, is this possible? Second, if anyone has done
> this, what documentation, if any did they use to set it up? Third, does
> snort have to run inline on a firewall (I'm under the impression it does)?

First of all, Shorewall isn't a firewall, it merely configures the Linux firewall (iptables). Second, yes it's very possible to use Snort w/ iptables, it's done all the time. Third, as I recall, running inline is only one option and only necessary if you want Snort to be able to react to network activity. If it's merely logging/alerting, I don't think running inline with iptables is necessary.
Cyber Dog wrote:
> On 10/20/05, Preston Kutzner <grdnwsl@mrichi.com> wrote:
>> Question to the list,
>>
>> Has anyone here had experience using Shorewall (multi-isp configuration)
>> with Snort inline? First, is this possible? Second, if anyone has done
>> this, what documentation, if any did they use to set it up? Third, does
>> snort have to run inline on a firewall (I'm under the impression it does)?
>
> First of all, Shorewall isn't a firewall, it merely configures the
> Linux firewall (iptables).

Yes, I know this. If you read my post, I do not call Shorewall a firewall. I was questioning whether or not anyone has run Snort inline with Shorewall, as well as questioning whether or not Snort inline needed to be run in "inline" mode while on a firewall. It isn't necessarily clear from the documentation I've found.

> Second, yes it's very possible to use Snort w/ iptables, it's done all the time.
>
> Third, as I recall, running inline is only one option and only
> necessary if you want Snort to be able to react to network activity.
> If it's merely logging/alerting, I don't think running inline with
> iptables is necessary.

Thanks for the tip. That answers my main question. The idea of snort being able to pro-actively modify iptables in response to attacks is intriguing, but a project for another day.
On 10/21/05, Preston Kutzner <grdnwsl@mrichi.com> wrote:
> Cyber Dog wrote:
>> On 10/20/05, Preston Kutzner <grdnwsl@mrichi.com> wrote:
>>> Question to the list,
>>>
>>> Has anyone here had experience using Shorewall (multi-isp configuration)
>>> with Snort inline? First, is this possible? Second, if anyone has done
>>> this, what documentation, if any did they use to set it up? Third, does
>>> snort have to run inline on a firewall (I'm under the impression it does)?
>>
>> First of all, Shorewall isn't a firewall, it merely configures the
>> Linux firewall (iptables).
>
> Yes, I know this. If you read my post, I do not call Shorewall a
> firewall, I was questioning whether or not anyone has run Snort inline
> with Shorewall, as well as questioning whether or not Snort inline
> needed to be run in "inline" mode while on a firewall. It isn't
> necessarily clear from the documentation I've found.

I did read your post, but it doesn't make sense to say "run snort inline with shorewall" in any other context. Shorewall is not a persistent program, as you probably know; it executes once to configure iptables and exits. Therefore it's really quite illogical to suggest running anything in tandem with it. If you were trying to express running the two on the same system, then I think it's just a problem of wording, because saying "inline" is way too easily confused with inline mode in Snort.

So semantics aside, Snort does not interact at all with shorewall, they're totally separate. This means they can be run just fine in any combination on an iptables system.
On Fri, Oct 21, 2005 at 09:42:52PM -0400, Cyber Dog wrote:
> So semantics aside, Snort does not interact at all with shorewall,
> they're totally separate. This means they can be run just fine in any
> combination on an iptables system.

It might be reasonable to say that you use shorewall to limit what ports are available to whom, and snort to watch if anyone attacks that which is available.

-Jason Martin
--
This message is PGP/MIME signed.
Cyber Dog wrote:
> If you were trying to
> express running the two on the same system, then I think its just a
> problem of wording, because saying "inline" is way too easily confused
> with inline mode in Snort.
>
> So semantics aside, Snort does not interact at all with shorewall,
> they're totally separate. This means they can be run just fine in any
> combination on an iptables system.

It is my understanding that Snort Inline requires that all traffic processed by Snort be targeted to QUEUE in Netfilter. If that is so, then Shorewall and Snort Inline are not independent, and different versions of Shorewall have different abilities to QUEUE traffic to Snort.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
That understanding is correct. I began using shorewall to configure QUEUE rules in Netfilter and have been running a firewall (configured with shorewall) and snort inline on the same box now for 142 days (at last uptime), but I have rebooted a few times since it was put in place. Tom was nice enough in an earlier version to update some code to allow us to do this. The best part of the setup is the choice of what snort sees. If I have some traffic that is going to be a pain in snort but I know isn't bad traffic, then I just write an ACCEPT rule; but for instance for my webserver I QUEUE the traffic and let snort check it and make the decision.

All that being said, I'm very happy with the setup and would recommend it. However, I'm still quite a bit of a NOOB and can't get too in depth about it, so beyond getting it up and working I haven't written down any HOW-TO. I would be happy to help someone else get something like this going, simply so that I have someone to ask questions about it and to say, "Do you think this is a good thing??".

Basically I'm running:

- Fedora Core 2 minimal install, then installed the bridge code
- Shorewall version 2.2.2 with a modified firewall script that Tom provided back when this version was supported and when a question was asked about getting snort inline to work with shorewall rules
- In the modules file I've added ip_queue
- snort 2.x.x (can't remember the version, but it was the first that supported inline)

Getting it to work was a bit of a hack and I'm surprised I actually got it going.

If someone would like to email off list about this more, I'd be happy to help.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Friday, October 21, 2005 9:09 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorwall with Snort inline, question.
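To make Jamie's split between "ACCEPT what you trust, QUEUE what you want Snort to judge" concrete, here is an added example of an /etc/shorewall/rules fragment. It is not from this thread or from the Shorewall project; it assumes zones named net, loc and dmz defined in /etc/shorewall/zones, a Shorewall version whose rules file accepts the QUEUE action (Tom's point that this varies by version applies), the ip_queue module listed in the modules file, and snort_inline reading the queue. The web server address 192.0.2.10 is a constructed placeholder.

```text
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
#
# Added example, not from the thread or the Shorewall project.
# Known-good, high-volume traffic that would only burden snort_inline:
# accept it in the kernel so it never reaches the QUEUE target.
ACCEPT    loc      net                tcp     22
#
# Inbound web traffic to the DMZ server (192.0.2.10 is a constructed
# placeholder): hand each packet to userspace through ip_queue so that
# snort_inline, not the kernel, decides whether it is forwarded or dropped.
QUEUE     net      dmz:192.0.2.10     tcp     80
```

The QUEUE line compiles to an iptables rule with `-j QUEUE`. Two operational points follow from how ip_queue works: only one userspace process can read the queue at a time, and when nothing is reading it, packets sent to QUEUE are dropped by the kernel rather than passed through. That makes the arrangement fail closed, so a stopped or crashed snort_inline shows up as an outage of the queued services, which is worth monitoring for explicitly rather than discovering from user complaints.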
Thibodeau, Jamie L. wrote:
> That understanding is correct. I began using shorewall to configure
> QUEUE rules in Netfilter and have been running a firewall (configured
> with shorewall) and snort inline on the same box now for 142 days (at
> last uptime) but I have rebooted a few times since it was put in place.
> Tom was nice enough in an earlier version to update some code to allow
> us to do this. The best part of the setup is the choice of what snort
> see's. If I have some traffice that is going to be a pain in snort but
> I know isn't bad traffic then I just write an ACCEPT rule but for
> instance for my webserver I QUEUE the traffic and let snort check it and
> make the decision.

It's good to hear that someone has it up and working.

> All that being said, I'm very happy with the setup and would recommend
> it, however I'm still quite a bit of a NOOB and can't get to in depth
> about it so beyond getting it up and working I haven't written down any
> HOW-TO. I would be happy to help someone else get something like this
> going, simply so that I have someone to ask questions about it and to
> say, "Do you think this is a good thing??".
>
> Basically I'm running
>
> Fedora Core 2 minimal install then installed the bridge code
> Shorewall version 2.2.2 with a modified firewall script that Tom
> provided back when this version was supported and when a question was
> asked about getting snort inline to work with shorewall rules
> In the modules file I've added ip_queue
> I'm running snort 2.x.x (can't remember the version but it was the first
> that supported inline)

Well, thankfully I'm in a somewhat decent position to work on this with newer tools, so to speak. We're looking to implement a revised firewall setup from the one we have now. As such, I'm looking to implement the latest version of Shorewall, most likely the 3.x line, as soon as it's "official" (although I'm experimenting with the PR version), along with the latest version of Snort.

That brings me to a couple of questions for you, however. What hardware set-up are you running this on? Our network averages over 1GB/day throughput (which isn't that much relative to most other sites, I'm sure) and we tend to saturate our T1 on a somewhat regular basis. So, I just want to make sure I'm using hardware with high enough specs. This box would most likely be running Ntop, Squid, Snort and IPtables all at once. So, I want to make sure I have enough machine and some to spare.

> Getting it to work was a bit of a hack and I'm surprised I actually got
> it going.
>
> If someone would like to email off list about this more I'd be happy to
> help.

As soon as I can get Snort to compile correctly on my test box, I might be picking your brain. ;)
Getting snort to compile was the challenge. I'm not sure which distro you're using, but I had to recreate the link to the kernel headers to get snort to compile right, pointing them to the devel headers.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Preston Kutzner
Sent: Tuesday, October 25, 2005 1:27 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorwall with Snort inline, question.