Will,

That's what I figured. So this should answer the question about why snort_inline is not dropping his packets. This means that in order to really make snort_inline work properly with reassembled packets.... we need to send inbound traffic through snort_inline as well. Should probably enter this as a ticket so I don't forget to make it happen :)

Thanks for your help,
Rob

On Mar 12, 2008, at 12:24 AM, William Metcalf wrote:

stream4 does need to see both sides of the conversation, the flow_to established stuff is actually coming out of stream4 (yeah I know, one would think that it comes from the flow preproc). If the rules have these keywords they will never fire because they didn't see the initial TWH.

Hope this helps ;-)

Regards,
Will

From: Robert Mcmillen <[EMAIL PROTECTED]>
To: honeywall <[email protected]>
cc: William Metcalf <[EMAIL PROTECTED]>
Subject: Re: [Honeywall] Not able to get snort_inline working

There may be a few things going on here...

1. By default, the honeywall only sends outbound traffic through snort_inline if snort_inline is enabled. Does the flow plugin require both sides of the communications in order to determine its thing? If so, we may have to change the way the honeywall sends traffic through snort_inline.

2. Telnet is one of those protocols that has very small packets; therefore, the content you are searching for may reside within more than one packet. Did you try adding the enforce_state option to the stream4 preprocessor in the snort_inline.conf?

    preprocessor stream4: disable_evasion_alerts enforce_state

hmm.. number 1 may apply here as well.... does the stream4 plugin need to see both sides to track?

You can test snort_inline with a very simple rule.

    drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"Dropping HOME_NET -> EXTERNAL_NET traffic";)

The project has not spent a lot of time trying to generate a good snort_inline ruleset. You are more than welcome to start/document research in this area. It would be a great help!

Hope some of this helps... Will, please jump in if you see anything wrong or if you have any suggestions to improve the use of snort_inline in the honeywall.

List, anyone have some spare cycles to take a look at this issue?
Rob

On Mar 11, 2008, at 9:46 PM, Nandhini Thiagarajan wrote:

Rob,

Based on your comments, I have pasted the rules I'm using and I ran the cmd - iptables -L -n -v | grep QUEUE

It provided the below output -

    170 10199 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth1 state RELATED,ESTABLISHED
      0     0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0
      0     0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0
      2    96 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0
      0     0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0

I have this rule in /etc/snort/rules/telnet.rules

    alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"TELNET client ENV OPT USERVAR information disclosure"; flow:to_client,established; content:"|FF FA|' |01 03|"; rawbytes; reference:bugtraq,13940; reference:cve,2005-1205; reference:url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx; classtype:attempted-recon; sid:3687; rev:3;)

So in order to test snort_inline I went ahead and made the above rule a drop rule in /etc/snort_inline/rules/telnet.rules. In /etc/snort_inline/rules/telnet.rules I have this rule now -

    drop tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"TELNET client ENV OPT USERVAR information disclosure"; flow:to_client,established; content:"|FF FA|' |01 03|"; rawbytes; reference:bugtraq,13940; reference:cve,2005-1205; reference:url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx; classtype:attempted-recon; sid:3687; rev:3;)

But I don't see any snort_inline alerts in Walleye for the above connection. Since I made it a drop rule in snort_inline, it should be dropping packets, right? Also not sure why making this a drop rule in snort_inline is preventing me from logging in via telnet to honeypot systems. I was thinking that snort_inline is only dedicated to outbound connections from honeypots, right? and changing anything in snort_inline should not affect any inbound connections to the honeypot. I'm kind of stuck here. Does anyone have any suggestions?

Thanks for your help in advance,
Nandhini
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
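As an added example that is not part of this thread (not honeywall, snort_inline or Snort code), a small Python checker for the situation Will describes: it parses a Snort rule, notes whether its flow: keyword depends on stream4 state, and reads which physdev-in interfaces actually have packets being queued. The rule text and the iptables lines are constructed from the thread with the typos fixed; the interface names and counters are assumptions.

```python
import re

# Constructed copy of the thread's telnet rule with its typos fixed (msg:, any, options).
RULE = ('drop tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"TELNET client ENV OPT USERVAR '
        'information disclosure"; flow:to_client,established; content:"|FF FA|\' |01 03|"; '
        'rawbytes; sid:3687; rev:3;)')
SIMPLE_RULE = 'drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"Dropping HOME_NET -> EXTERNAL_NET traffic";)'

# Constructed "iptables -L -n -v | grep QUEUE" output shaped like the thread's: only the
# rule for frames entering eth1 has counters, so only one direction reaches snort_inline.
IPTABLES = """\
  170 10199 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in eth1 state RELATED,ESTABLISHED
    0     0 QUEUE all -- * * 0.0.0.0/0 0.0.0.0/0
"""

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPTION = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;')   # keyword[:value]; with ; allowed inside quotes

def parse_rule(text):
    """Split a Snort rule into header fields plus a {keyword: value} option map."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {k: v.strip().strip('"') for k, v in OPTION.findall(body)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def needs_both_sides(rule):
    """flow:established / to_client / to_server come from stream4, which must see the TWH."""
    flow = rule["options"].get("flow", "")
    return any(tok in flow for tok in ("established", "to_client", "to_server"))

def queued_interfaces(output):
    """physdev-in interfaces whose QUEUE rules actually counted packets ('any' if unrestricted)."""
    seen = set()
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[2] != "QUEUE" or int(cols[0]) == 0:
            continue
        m = re.search(r'--physdev-in (\S+)', line)
        seen.add(m.group(1) if m else "any")
    return seen

def diagnose(rule_text, iptables_output):
    """Say whether a rule can ever match given which traffic is being queued to snort_inline."""
    rule = parse_rule(rule_text)
    ifaces = queued_interfaces(iptables_output)
    if needs_both_sides(rule) and "any" not in ifaces and len(ifaces) < 2:
        return "will not fire: needs stream4 state, but only %s is queued" % ",".join(sorted(ifaces))
    return "ok"
```

Running diagnose(RULE, IPTABLES) reports the stateful rule as unable to fire, while Rob's stateless test rule passes; adding a counted QUEUE line for a second physdev-in interface clears the finding.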