Thibodeau, Jamie L.
2005-Mar-30 13:26 UTC
RE: Shorewall and an inline IDS (snort-inline or hogwash)
I made an attempt to run snort_inline and shorewall on the same system but I could not get snort to see the packets.

Maybe someone with a little more iptables knowledge could tell me what I'm doing wrong or if it's possible to have the system set up so that it places packets that the firewall would allow into QUEUE.

After setting up and starting shorewall I then issue the following (assuming that the ip_queue module is loaded):

    iptables -A INPUT -i br0 -j QUEUE
    iptables -A FORWARD -i br0 -j QUEUE

Running snort -Qv shows that snort isn't seeing any packets but everything can pass by the box. On a box running just snort it sees everything.

What I ended up doing was running two inline boxes, one firewall, one IPS. So far everything is working well and I'd be happy to share my experience setting up snort-inline as it's not easy to find much out there on it.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of mynullvoid
Sent: Tuesday, March 29, 2005 9:34 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Shorewall and an inline IDS (snort-inline or hogwash)

If I am not mistaken snort-inline is already in snort 2.3.2

--- Michael W Cocke <cocke@catherders.com> wrote:
> Is anyone using an inline IDS like hogwash or snort-inline to drop
> packets in a system running shoreline? I _think_ I see how to
> configure it, but I'd be really interested in finding a howto or
> something...
>
> Thanks!
>
> Mike-
>
> --
> Mornings: Evolution in action. Only the grumpy will survive.
> --
>
> Please note - Due to the intense volume of spam, we have installed
> site-wide spam filters at catherders.com. If email from you bounces,
> try non-HTML, non-encoded, non-attachments.

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
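The two iptables commands above use -A, which appends the QUEUE rule after every rule Shorewall has already placed in INPUT and FORWARD; iptables walks a chain top to bottom and stops at the first terminating target, so traffic that an earlier rule accepts or drops never reaches the appended rule, which fits Tom's reply that Shorewall offers no way to do this as of 2.2.2. The script below is an added example, not code from the thread or from the Shorewall or snort-inline projects: it takes a chain dump in the output format of `iptables -S <chain>` and reports where the QUEUE rule sits and which rules get to decide before it. The sample chain is constructed, and its chain name `br0_fwd` is hypothetical.

```shell
#!/bin/sh
# Added example: locate a "-j QUEUE" rule within an iptables chain dump and
# list the rules that iptables evaluates before it. Input format is that of
# `iptables -S <chain>` (one "-P" policy line, then "-A" rule lines).

# Constructed sample: a FORWARD chain where a firewall's own rules come first
# and the QUEUE rule was appended last with -A. "br0_fwd" is a hypothetical
# per-interface chain name.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -i br0 -j br0_fwd
-A FORWARD -j LOG --log-prefix "FORWARD:DROP:"
-A FORWARD -j DROP
-A FORWARD -i br0 -j QUEUE'

# queue_position CHAIN_DUMP: print the 1-based index of the first "-j QUEUE"
# rule among the chain's -A lines, or 0 if the chain has none.
queue_position() {
    printf '%s\n' "$1" | awk '
        function is_queue(s) { return s ~ /-j QUEUE$/ || s ~ /-j QUEUE / }
        /^-A / {
            n++
            if (!found && is_queue($0)) found = n
        }
        END { print found + 0 }'
}

# rules_before_queue CHAIN_DUMP: print every rule evaluated before the QUEUE
# rule. A terminating target among them (ACCEPT, DROP, REJECT, or a jump to
# a chain that terminates) means the packet is never handed to ip_queue.
rules_before_queue() {
    printf '%s\n' "$1" | awk '
        function is_queue(s) { return s ~ /-j QUEUE$/ || s ~ /-j QUEUE / }
        /^-A / {
            if (is_queue($0)) exit
            print
        }'
}

# count_rules_before_queue CHAIN_DUMP: how many rules precede the QUEUE rule
# (all rules in the chain when there is no QUEUE rule at all).
count_rules_before_queue() {
    rules_before_queue "$1" | awk 'END { print NR }'
}

# queue_is_first CHAIN_DUMP: succeed only if QUEUE is rule number 1, i.e.
# nothing else in this chain can short-circuit it.
queue_is_first() {
    [ "$(queue_position "$1")" -eq 1 ]
}

# report CHAIN_NAME CHAIN_DUMP: one-line verdict plus the rules ahead of QUEUE.
report() {
    pos=$(queue_position "$2")
    if [ "$pos" -eq 0 ]; then
        echo "$1: no QUEUE rule in this chain"
    elif queue_is_first "$2"; then
        echo "$1: QUEUE is rule 1; every packet entering the chain is queued"
    else
        echo "$1: QUEUE is rule $pos; $(count_rules_before_queue "$2") rule(s) decide before it:"
        rules_before_queue "$2" | sed 's/^/    /'
    fi
}

# On a live box, run as root: report FORWARD "$(iptables -S FORWARD)"
report FORWARD "$SAMPLE_FORWARD"
```

The report only tells you that rules sit ahead of QUEUE, not whether each one terminates; a jump into a sub-chain such as `br0_fwd` has to be followed by dumping that chain too. Inserting the rule at the head of the chain instead (`iptables -I FORWARD 1 ...`) would make QUEUE see every packet, including traffic the firewall is about to drop, which is not what was asked for here; queuing only what the firewall would allow is exactly the gap Tom's QUEUE policy, described later in the thread, was written to close.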
Thibodeau, Jamie L. wrote:
> I made an attempt to run snort_inline and shorewall on the same system
> but I could not get snort to see the packets.
>
> Maybe someone with a little more iptables knowledge could tell me what
> I'm doing wrong or if it's possible to have the system set up so that it
> places packets that the firewall would allow into QUEUE.

There is no way to do that currently with Shorewall.

-Tom

-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Thibodeau, Jamie L. wrote:
>> I made an attempt to run snort_inline and shorewall on the same system
>> but I could not get snort to see the packets.
>>
>> Maybe someone with a little more iptables knowledge could tell me what
>> I'm doing wrong or if it's possible to have the system set up so that it
>> places packets that the firewall would allow into QUEUE.
>
> There is no way to do that currently with Shorewall.

However, it only took a few lines of code to make it possible.

In CVS (Shorewall/) you will find a 'firewall' script that allows QUEUE as a policy in /etc/shorewall/policies. That, together with the QUEUE action in the rules file, should allow you to do what you want.

The change is based on version 2.2.2 and will be included in 2.2.3 which will come out in a couple of weeks.

-Tom

-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
Michael W Cocke
2005-Mar-30 16:18 UTC
Re: Shorewall and an inline IDS (snort-inline or hogwash)
On Wed, 30 Mar 2005 07:11:10 -0800, you wrote:
> Tom Eastep wrote:
>> Thibodeau, Jamie L. wrote:
>>> I made an attempt to run snort_inline and shorewall on the same system
>>> but I could not get snort to see the packets.
>>>
>>> Maybe someone with a little more iptables knowledge could tell me what
>>> I'm doing wrong or if it's possible to have the system set up so that it
>>> places packets that the firewall would allow into QUEUE.
>>
>> There is no way to do that currently with Shorewall.
>
> However, it only took a few lines of code to make it possible.
>
> In CVS (Shorewall/) you will find a 'firewall' script that allows QUEUE
> as a policy in /etc/shorewall/policies. That, together with the QUEUE
> action in the rules file, should allow you to do what you want.
>
> The change is based on version 2.2.2 and will be included in 2.2.3 which
> will come out in a couple of weeks.
>
> -Tom

Fantastic - Thanks!

Mike-
--
Mornings: Evolution in action. Only the grumpy will survive.
--

Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments.
Thibodeau, Jamie L.
2005-Mar-30 16:24 UTC
RE: Shorewall and an inline IDS (snort-inline or hogwash)
2.3.2 does have it. If you check the --help you'll see a -Q that tells snort to look at packets from iptables instead of pcap. Once you have the shorewall stuff in place you run snort with -Qv and you will see the packets that snort sees.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Michael W Cocke
Sent: Wednesday, March 30, 2005 10:15 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Shorewall and an inline IDS (snort-inline or hogwash)

On Tue, 29 Mar 2005 19:33:51 -0800 (PST), you wrote:
> If I am not mistaken snort-inline is already in snort
> 2.3.2

The executable isn't and the online snort docs don't mention anything about the capability.

I've got Snort running now in tandem with Shorewall 2.2, but I'm VERY interested in adding the 'drop packet' capability. As I read the docs, since Shorewall is essentially using iptables, it should be doable, but I was hoping to find some more info. Guess I'll hack around with it tomorrow and see if I let the smoke out.

Mike-

> --- Michael W Cocke <cocke@catherders.com> wrote:
>> Is anyone using an inline IDS like hogwash or snort-inline to drop
>> packets in a system running shoreline? I _think_ I see how to
>> configure it, but I'd be really interested in finding a howto or
>> something...
>>
>> Thanks!
>>
>> Mike-
Jaime Nebrera
2005-Mar-30 16:33 UTC
Re: Shorewall and an inline IDS (snort-inline or hogwash)
Hi Tom,

>> In CVS (Shorewall/) you will find a 'firewall' script that allows QUEUE
>> as a policy in /etc/shorewall/policies. That, together with the QUEUE
>> action in the rules file, should allow you to do what you want.
>>
>> The change is based on version 2.2.2 and will be included in 2.2.3 which
>> will come out in a couple of weeks.

Great !!! Fantastic ! Gorgeous !

BTW, do you mean it's already available to do this in the "Rules" file and that this patch applies to the "Policies" side only?

Regards
-- 
Jaime Nebrera - jnebrera@eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
Telf.- 95 455 40 62 - 619 04 55 18
On Wed, 30 Mar 2005, Jaime Nebrera wrote:
> BTW, do you mean it's already available to do this in the "Rules" file
> and that this patch applies to the "Policies" side only?

That is correct.

-Tom

-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Michael W Cocke
2005-Mar-30 16:46 UTC
Re: Shorewall and an inline IDS (snort-inline or hogwash)
On Wed, 30 Mar 2005 10:24:37 -0600, you wrote:
> 2.3.2 does have it. If you check the --help you'll see a -Q that tells
> snort to look at packets from iptables instead of pcap. Once you have
> the shorewall stuff in place you run snort with -Qv and you will see the
> packets that snort sees.

I missed it before, thanks for pointing it out to me! Guess my eyes must be going.

Mike-

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of
> Michael W Cocke
> Sent: Wednesday, March 30, 2005 10:15 AM
> To: Mailing List for Shorewall Users
> Subject: Re: [Shorewall-users] Shorewall and an inline IDS (snort-inline
> or hogwash)
>
> On Tue, 29 Mar 2005 19:33:51 -0800 (PST), you wrote:
>
>> If I am not mistaken snort-inline is already in snort
>> 2.3.2
>
> The executable isn't and the online snort docs don't mention anything
> about the capability.
>
> I've got Snort running now in tandem with Shorewall 2.2, but I'm VERY
> interested in adding the 'drop packet' capability. As I read the docs,
> since Shorewall is essentially using iptables, it should be doable, but
> I was hoping to find some more info. Guess I'll hack around with it
> tomorrow and see if I let the smoke out.
>
> Mike-
>
>> --- Michael W Cocke <cocke@catherders.com> wrote:
>>> Is anyone using an inline IDS like hogwash or snort-inline to drop
>>> packets in a system running shoreline? I _think_ I see how to
>>> configure it, but I'd be really interested in finding a howto or
>>> something...
>>>
>>> Thanks!
>>>
>>> Mike-

--
Mornings: Evolution in action. Only the grumpy will survive.
--

Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments.