Hello all,

Has anyone used the Snort inline functionality with Shorewall?

I'm currently in the process of rebuilding my router and whilst looking through some Snort docs I noticed that you can use Snort inline to drop packets that match rules in Snort based on rules that analyse traffic streams. An example I saw was to drop packets from any IP address that attempts to access http://<some_address>/php.exe. I can see how this could be a nice feature as part of an intrusion prevention system. I can also see how it could be a real pain if a Snort rule gets triggered by innocuous behaviour and blocks access to services for valid users. I'd be interested to hear any real world experiences, opinions, etc.

If anyone has used the Snort inline functionality how did they configure Shorewall? There's an entry in the Shorewall 3.0 FAQ but the blog it links to no longer exists (http://www.shorewall.net/3.0/FAQ.htm#id2533169). I've found a message in the shorewall-users mailing list from Michael W Cocke dated 2006-09-08 03:08 (subject Shorewall & snort-inline) which states that setting the destination to QUEUE is all that's needed.

I have a webserver on my DMZ so I have an HTTP/DNAT rule to forward packets to the webserver:

HTTP/DNAT net dmz:10.100.0.4 TCP 80 - <one_of_my_ip_addresses>

How do I modify that rule to pass the packets to Snort inline for inspection prior to being passed on to the webserver? Do I need two rules? One to send to Snort inline and then another subsequent rule to forward to the webserver? I'm not clear on how packets are sent to Snort inline for inspection and then passed back to Shorewall in order (in my example) to be forwarded on to a webserver.

Kind regards,
Steve.

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
lists_shorewall wrote:

> Has anyone used the Snort inline functionality with Shorewall?

I haven't.

> How do I modify that rule to pass the packets to Snort inline for
> inspection prior to being passed on to the webserver? Do I need two
> rules? One to send to Snort inline and then another subsequent rule to
> forward to the webserver? I'm not clear on how packets are sent to
> Snort inline for inspection and then passed back to Shorewall in order
> (in my example) to be forwarded on to a webserver.

That question is a bit troubling as it implies that you think that Shorewall handles packets. Shorewall (whether Shorewall-perl or Shorewall-shell) results in a SHELL PROGRAM that configures your kernel; Shorewall itself never touches a packet.

But back to your question...

A DNAT rule in Shorewall results in two equivalent rules. The following are equivalent:

DNAT net dmz:10.100.0.4 TCP 80 - 206.124.146.180

DNAT- net dmz:10.100.0.4 tcp 80 - 206.124.146.180
ACCEPT net dmz:10.100.0.4 tcp 80 - 206.124.146.180

Notes:

1) your original rule is a little silly -- HTTP/<anything> implies 'tcp 80' so it is redundant to repeat those elements.

2) in Shorewall-perl 4.2, you may omit the zone (dmz:) before the destination DEST address in the DNAT- rule; in fact, the above DNAT- rule will generate a warning.

So if you want to send the accepted packets to the QUEUE target, you just code this:

DNAT- net dmz:10.100.0.4 tcp 80 - 206.124.146.180
QUEUE net dmz:10.100.0.4 tcp 80 - 206.124.146.180

BUT.... that pair of rules only determines what happens to THE FIRST PACKET IN A CONNECTION to port 80. If you want to pass all incoming packets in a connection to Snort Inline (high latency?) then you need to add the second rule to the ESTABLISHED section of the rules file in addition to the NEW section. That is required in order for Snort-inline to notice that the remote criminals are trying to access 206.124.146.180/php.exe...
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
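The DNAT-/QUEUE pair above compiles to iptables commands, and seeing those makes the "first packet only" point concrete. The script below is an added example, not Tom's text and not output of the Shorewall compiler (which emits more chains and checks than this); it prints the equivalent rules rather than applying them. The 'net' and 'dmz' interface names (eth0, eth1), the use of the conntrack match and the QUEUE target are assumptions. As in the thread, only the client-to-server direction is queued; the web server's replies are left to the normal ESTABLISHED handling.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): the iptables rules that a
# Shorewall DNAT-/QUEUE pair in the NEW and ESTABLISHED sections corresponds to,
# so you can see what the kernel is actually asked to do.
# Interface names, the conntrack match and the target are assumptions.

NET_IF=${NET_IF:-eth0}                 # assumed: interface of the 'net' zone
DMZ_IF=${DMZ_IF:-eth1}                 # assumed: interface of the 'dmz' zone
EXT_ADDR=${EXT_ADDR:-206.124.146.180}  # ORIGINAL DEST column from the thread
WEB_ADDR=${WEB_ADDR:-10.100.0.4}       # DMZ web server from the thread
TARGET=${TARGET:-QUEUE}                # ip_queue target used in the thread;
                                       # on newer kernels use "NFQUEUE --queue-num 0"

# Print (do not run) the rules. Order matters: the DNAT happens in nat/PREROUTING
# before routing, so the filter rules match the rewritten destination 10.100.0.4
# and use --ctorigdst to keep the original public address as a condition.
queue_rules() {
    # DNAT- : rewrite the destination only, do not ACCEPT
    printf '%s\n' "iptables -t nat -A PREROUTING -i $NET_IF -d $EXT_ADDR -p tcp --dport 80 -j DNAT --to-destination $WEB_ADDR"
    # QUEUE in the NEW section: only the first packet (the SYN) of each connection
    printf '%s\n' "iptables -A FORWARD -i $NET_IF -o $DMZ_IF -d $WEB_ADDR -p tcp --dport 80 -m conntrack --ctstate NEW --ctorigdst $EXT_ADDR -j $TARGET"
    # QUEUE in the ESTABLISHED section: every later client->server packet,
    # which is what lets Snort see the "GET /php.exe" inside the stream
    printf '%s\n' "iptables -A FORWARD -i $NET_IF -o $DMZ_IF -d $WEB_ADDR -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED --ctorigdst $EXT_ADDR -j $TARGET"
}

# How many of the generated rules hand packets to the inspection target;
# a quick sanity check before applying them (expect 2: NEW and ESTABLISHED).
queued_rule_count() {
    queue_rules | grep -c -- "-j $TARGET"
}

# Apply for real only when explicitly asked (needs root and a running Snort inline).
apply_rules() {
    queue_rules | sh -e
}

queue_rules
```

Two practical caveats: the NEW rule on its own would hand Snort nothing but the SYN, so without the ESTABLISHED rule a content rule for /php.exe can never fire; and a packet sent to QUEUE with no userspace program attached to the queue is dropped by the kernel, so start Snort inline before these rules are loaded (NFQUEUE additionally offers --queue-bypass to accept instead when nobody is listening).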
Tom Eastep wrote:

> lists_shorewall wrote:
>
>> Has anyone used the Snort inline functionality with Shorewall?
>
> I haven't
>
>> How do I modify that rule to pass the packets to Snort inline for
>> inspection prior to being passed on to the webserver? Do I need two
>> rules? One to send to Snort inline and then another subsequent rule to
>> forward to the webserver? I'm not clear on how packets are sent to
>> Snort inline for inspection and then passed back to Shorewall in order
>> (in my example) to be forwarded on to a webserver.
>
> That question is a bit troubling as it implies that you think that
> Shorewall handles packets. Shorewall (whether Shorewall-perl or Shorewall-shell)
> results in a SHELL PROGRAM that configures your kernel; Shorewall itself
> never touches a packet.

I'm well aware that Shorewall creates a set of iptables rules. In fact, prior to sending my original email to this list I had been looking at the rules created by Shorewall-perl by issuing the command iptables -L. Forgive my slip of the tongue/fingers.

> But back to your question...
>
> A DNAT rule in Shorewall results in two equivalent rules. The
> following are equivalent:
>
> DNAT net dmz:10.100.0.4 TCP 80 - 206.124.146.180
>
> DNAT- net dmz:10.100.0.4 tcp 80 - 206.124.146.180
> ACCEPT net dmz:10.100.0.4 tcp 80 - 206.124.146.180
>
> Notes:
>
> 1) your original rule is a little silly -- HTTP/<anything> implies
> 'tcp 80' so it is redundant to repeat those elements)

True and duly noted.

> 2) in Shorewall-perl 4.2, you may omit the zone (dmz:) before the
> destination DEST address in the DNAT- rule; in fact, the above DNAT-
> rule will generate a warning.
>
> So if you want to send the accepted packets to the QUEUE target, you just
> code this:
>
> DNAT- net dmz:10.100.0.4 tcp 80 - 206.124.146.180
> QUEUE net dmz:10.100.0.4 tcp 80 - 206.124.146.180
>
> BUT.... that pair of rules only determines what happens to THE FIRST
> PACKET IN A CONNECTION to port 80. If you want to pass all incoming packets in a
> connection to Snort Inline (high latency?) then you need to add the
> second rule to the ESTABLISHED section of the rules file in addition
> to the NEW section. That is required in order for Snort-inline to
> notice that the remote criminals are trying to access
> 206.124.146.180/php.exe...

Thanks for the explanation.

I assume there's no way to preserve any iptables rules created by snort inline across reboots of the router or restarts of Shorewall? I haven't looked at Snort inline in a great level of detail so maybe there's a way to capture the IP addresses that Snort inline determines should be blocked and incorporate them into a blacklist file. That's not a feature request, just thinking out loud...

Regards,
Steve.
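On Steve's closing thought: Snort inline returns a verdict on each packet it gets from the queue rather than adding iptables rules of its own, so there is nothing of Snort's to persist; what can be persisted is a list of the sources it dropped. The script below is an added example, not part of the thread and not a Snort or Shorewall feature. It reads Snort's fast-format alert log, keeps only alerts marked as dropped, and rewrites a Shorewall blacklist file from their source addresses, so the blocks come back from the file on the next restart. The "[Drop]" prefix and exact fast-alert layout, the blacklist file's column layout (Shorewall 4.x), and that `shorewall refresh` re-reads that file are assumptions to check against your versions; the alert lines are constructed, using documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread, Snort or Shorewall): pull the source
# addresses of packets Snort inline dropped out of its fast-format alert log
# and turn them into a Shorewall blacklist file that survives a restart.
#
# Assumptions: snort_inline writes "[Drop]" fast alerts shaped like
#   MM/DD-HH:MM:SS.uuuuuu  [Drop] [**] [gid:sid:rev] msg [**] ... {TCP} SRC:PORT -> DST:PORT
# and /etc/shorewall/blacklist takes one "ADDRESS/SUBNET PROTOCOL PORT" line per
# entry (Shorewall 4.x). Verify both against your own installation.

# Constructed sample log, not real traffic (RFC 5737 documentation addresses).
SAMPLE_ALERTS='09/08-03:08:15.123456  [Drop] [**] [1:1000001:1] WEB php.exe access attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51234 -> 206.124.146.180:80
09/08-03:08:16.000001  [**] [1:1000002:1] plain alert, not dropped [**] [Priority: 3] {TCP} 203.0.113.9:40000 -> 206.124.146.180:80
09/08-03:09:01.500000  [Drop] [**] [1:1000001:1] WEB php.exe access attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:51240 -> 206.124.146.180:80
09/08-03:09:30.000000  [Drop] [**] [1:1000003:1] WEB cmd.exe access attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:1024 -> 206.124.146.180:80'

# Read alerts on stdin, print each dropped source IPv4 address once, sorted.
# Only "[Drop]" lines count: an alert that was merely logged must not get a
# host blacklisted, which is exactly the false-positive worry raised in the thread.
dropped_sources() {
    awk '
        /\[Drop\]/ {
            for (i = 1; i <= NF; i++)
                if ($i == "->") {
                    split($(i - 1), a, ":")   # strip the source port
                    if (a[1] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print a[1]
                }
        }' | sort -u
}

# Write a Shorewall blacklist file from an alert log and print the entry count.
# $1 = alert log, $2 = blacklist file to write (default /etc/shorewall/blacklist),
# $3 = space-separated addresses that must never be blacklisted (your own hosts).
write_blacklist() {
    log=$1; out=${2:-/etc/shorewall/blacklist}; keep=${3:-}
    {
        echo '#ADDRESS/SUBNET PROTOCOL PORT'
        dropped_sources < "$log" | while read -r ip; do
            case " $keep " in
                *" $ip "*) ;;             # never lock yourself out
                *) echo "$ip" ;;
            esac
        done
    } > "$out"
    grep -vc '^#' "$out"
}

# Demo on the constructed sample; on the router you would then run
# 'shorewall refresh' so the new blacklist file is read in.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_ALERTS" > "$tmp"
write_blacklist "$tmp" "$tmp.blacklist"
cat "$tmp.blacklist"
rm -f "$tmp" "$tmp.blacklist"
```

Run it from cron against the live alert file and it regenerates the blacklist from scratch each time, so an address ages out when its alerts are rotated away rather than staying blocked forever; the keep-list argument is the guard against a single false positive blacklisting your own monitoring host.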