There may be a few things going on here...
1. By default, the honeywall only sends outbound traffic through
snort_inline if snort_inline is enabled. Does the flow plugin require
both sides of the communications in order to determine its thing? If
so, we may have to change the way the honeywall sends traffic through
snort_inline.
2. Telnet is one of those protocols that has very small packets;
therefore, the content you are searching for may reside within more
than one packet. Did you try adding the enforce_state option to the
stream4 preprocessor to the snort_inline.conf?
preprocessor stream4: disable_evasion_alerts enforce_state
hmm.. number 1 may apply here as well.... does the stream4 plugin need
to see both sides to track?
You can test snort_inline with a very simple rule.
drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"Dropping HOME_NET ->
EXTERNAL_NET traffic";)
The project has not spent a lot of time trying to generate a good
snort_inline ruleset. You are more than welcome to start/document
research in this area. It would be a great help!
Hope some of this helps...
Will,
please jump in if you see anything wrong or if you have any
suggestions to improve the use of snort_inline in the honeywall.
List,
Anyone have some spare cycles to take a look at this issue?
Rob
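The two possibilities Rob raises (snort_inline only seeing one direction of the conversation, and a content match that straddles small telnet segments) are easy to reproduce in a few lines. The script below is an added illustration, not code from this thread or from the Honeywall project: the telnet segments are constructed, the queue policy is a simplified model of "only honeypot-originated packets are queued", and the rule's content string is taken literally, including the space after the apostrophe.

```python
"""Why a snort_inline content rule can stay silent: (1) only one direction of
the conversation reaches it, or (2) the pattern is split across small telnet
segments that are not reassembled. All packets below are constructed."""


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string (literal text mixed with |hex| runs) into bytes."""
    out = bytearray()
    literal = True
    for chunk in spec.split("|"):
        out.extend(chunk.encode("latin-1") if literal else bytes.fromhex(chunk))
        literal = not literal
    return bytes(out)


# Pattern from the rule quoted in the thread; the space after ' is kept
# literally (assumption about how the rule was written).
PATTERN = parse_content("|FF FA|' |01 03|")

# Constructed conversation as (direction, payload).
# "out" = honeypot -> internet; "in" = internet -> honeypot, which is what
# "$EXTERNAL_NET 23 -> $HOME_NET any" with flow:to_client selects.
# The server's option negotiation is deliberately split over three tiny segments.
CONVERSATION = [
    ("in", b"\xff\xfb\x18"),   # server: IAC WILL TERMINAL-TYPE
    ("out", b"\xff\xfd\x18"),  # client: IAC DO TERMINAL-TYPE
    ("in", b"\xff\xfa'"),      # server: IAC SB NEW-ENVIRON ...
    ("in", b" \x01\x03"),      # ... rest of the pattern arrives in the next segment
    ("in", b"\xff\xf0"),       # IAC SE
    ("out", b"login\r\n"),
]


def queued_for_inspection(conv, outbound_only: bool):
    """Model of the honeywall's QUEUE policy: with outbound_only=True only
    honeypot-originated packets are handed to snort_inline."""
    return [(d, p) for d, p in conv if d == "out" or not outbound_only]


def match_per_packet(conv, pattern: bytes):
    """Stateless inspection: each segment is searched on its own."""
    return [i for i, (_, p) in enumerate(conv) if pattern in p]


def match_reassembled(conv, pattern: bytes, direction: str) -> int:
    """Stream-aware inspection: search the concatenated payload of one direction.
    Returns the byte offset of the first match, or -1 if absent."""
    stream = b"".join(p for d, p in conv if d == direction)
    return stream.find(pattern)


def diagnose():
    """Summarise which condition hides the match in this conversation."""
    seen = queued_for_inspection(CONVERSATION, outbound_only=True)
    return {
        # 0 means the rule's to_client packets never reach snort_inline at all
        "inbound_packets_seen_when_outbound_only": sum(1 for d, _ in seen if d == "in"),
        # empty list: no single segment holds the whole 6-byte pattern
        "per_packet_hits_both_directions": match_per_packet(CONVERSATION, PATTERN),
        # offset >= 0: the same pattern is found once the stream is reassembled
        "reassembled_offset_to_client": match_reassembled(CONVERSATION, PATTERN, "in"),
    }


if __name__ == "__main__":
    print(diagnose())
```

Running it shows both effects at once: with the outbound-only policy the inspector sees zero inbound packets, and even when both directions are inspected a per-packet search finds nothing, while the reassembled server-to-client stream contains the pattern at offset 3. That is the behaviour stream4 with enforce_state is meant to cover, provided it actually sees both sides of the connection.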
On Mar 11, 2008, at 9:46 PM, Nandhini Thiagarajan wrote:
Rob,
Based on your comments, I have pasted the rules I'm using, and I ran
the cmd - iptables -L -n -v | grep QUEUE
It provided the below output -
  170 10199 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in eth1 state RELATED,ESTABLISHED
    0     0 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2    96 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 QUEUE      all  --  *      *       0.0.0.0/0            0.0.0.0/0
I have this rule in /etc/snort/rules/telnet.rules
alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"TELNET client
ENV OPT USERVAR information disclosure"; flow:to_client,established;
content:"|FF FA|' |01 03|"; rawbytes; reference:bugtraq,13940;
reference:cve,2005-1205; reference:url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx;
classtype:attempted-recon; sid:3687; rev:3;)
So in order to test snort_inline I went ahead and made the above
rule a drop rule in /etc/snort_inline/rules/telnet.rules
In /etc/snort_inline/rules/telnet.rules I have this rule now-
drop tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"TELNET client ENV
OPT USERVAR information disclosure"; flow:to_client,established;
content:"|FF FA|' |01 03|"; rawbytes; reference:bugtraq,13940;
reference:cve,2005-1205; reference:url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx;
classtype:attempted-recon; sid:3687; rev:3;)
But I don't see any snort_inline alerts in Walleye for the above
connection. Since I made it a drop rule in snort_inline, it should
be dropping packets, right? Also, I'm not sure why making this a drop
rule in snort_inline is preventing me from logging in via telnet to the
honeypot systems. I was thinking that snort_inline is only dedicated
to outbound connections from honeypots, right? And changing anything
in snort_inline should not affect any inbound connections to the honeypot.
I'm kind of stuck here. Does anyone have any suggestions?
Thanks for your help in advance,
Nandhini
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall