Maybe this has been asked, answered, or talked about before, so I apologize in
advance if it has.
I am currently running a fairly standard Honeyroo setup. The honeypot has 3 NIC
cards (eth0, eth1, eth2) in the default config. I have 2 honeypots set up
behind it, connected via a switch to eth1.
Recently, I've tried to get snort-inline running. I am new to snort in
general, but I believe I have an OK understanding of how things are supposed
to work.
From what I can tell, for some reason snort is letting all incoming packets
through without filtering them.
If I stop snort-inline, all honeypot traffic, outgoing and incoming, stops.
So I am fairly certain my QUEUEs are set up correctly; iptables has been 100%
configured by the Honeyroo scripts. I have not hand-modified it in any way,
just configured it through the menu interface. In the Walleye firewall
status webpage I see continually increasing numbers next to both the incoming
and outgoing QUEUE rules.
As soon as I turn snort back on, packets start flowing in both directions
again. Outgoing packets are being alerted on, dropped, etc. correctly. But
snort-inline doesn't even seem to acknowledge incoming packets. They just
get accepted, with no information. Below is a brief output from running
snort-inline -v. It seems snort is only processing the outgoing stream and
is not even displaying the incoming one. My server's IP has been removed.
Any ideas?
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-04:28:27.229924 MY_HONEYPOT_IP:53 -> 121.167.11.2:31611
UDP TTL:128 TOS:0x0 ID:53822 IpLen:20 DgmLen:70
Len: 42
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-04:28:32.402667 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
TCP TTL:128 TOS:0x0 ID:53823 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7FE52BC5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-04:28:32.641493 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
TCP TTL:128 TOS:0x0 ID:53824 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7FE52BC6 Ack: 0xE409E046 Win: 0xFFFF TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-04:28:32.641559 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
TCP TTL:128 TOS:0x0 ID:53825 IpLen:20 DgmLen:352 DF
***AP*** Seq: 0x7FE52BC6 Ack: 0xE409E046 Win: 0xFFFF TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
_______________________________________________
Honeywall mailing list
[email protected]
https://public.honeynet.org/mailman/listinfo/honeywall
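As an added illustration, not part of the original post or of the Honeywall project: a small Python script that parses the per-packet header lines of snort's -v output and tallies packets as inbound or outbound relative to the honeypot address, so the "only the outgoing stream" observation above can be checked over a whole captured log rather than by eye. It assumes IPv4 addresses and the header layout shown in the post (timestamp, src:port -> dst:port, then a TCP/UDP/ICMP line). The first sample is the output quoted in the post; the second sample (an inbound SYN and an ICMP echo from the placeholder address 203.0.113.9) is constructed here to show that the tally does distinguish directions when inbound packets are present.

```python
"""Tally packets in `snort -v` output by direction relative to a honeypot.

Added example, not the Honeywall project's own tooling. Assumes IPv4 and
the verbose-mode layout: a header line
    MM/DD-HH:MM:SS.usec SRC[:SPORT] -> DST[:DPORT]
followed by a protocol line (TCP/UDP/ICMP ...) and a =+=+ separator.
"""
import re
import sys
from collections import Counter

# Header line of each packet. Ports are optional because ICMP has none.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[0-9A-Za-z_.]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9A-Za-z_.]+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_snort_verbose(text):
    """Return a list of packet dicts (ts, src, sport, dst, dport, proto)."""
    packets = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        proto = None
        if i + 1 < len(lines):
            tok = lines[i + 1].split()
            if tok and tok[0] in ("TCP", "UDP", "ICMP"):
                proto = tok[0]
        packets.append({
            "ts": m.group("ts"), "src": m.group("src"), "sport": m.group("sport"),
            "dst": m.group("dst"), "dport": m.group("dport"), "proto": proto,
        })
    return packets


def tally_by_direction(packets, honeypot_ips):
    """Count packets as inbound (to a honeypot), outbound (from one), or other."""
    counts = Counter(inbound=0, outbound=0, other=0)
    for p in packets:
        src_hp = p["src"] in honeypot_ips
        dst_hp = p["dst"] in honeypot_ips
        if src_hp and not dst_hp:
            counts["outbound"] += 1
        elif dst_hp and not src_hp:
            counts["inbound"] += 1
        else:
            counts["other"] += 1
    return counts


def direction_summary(counts):
    """Which directions snort actually showed: both, outbound-only, inbound-only, none."""
    if counts["inbound"] and counts["outbound"]:
        return "both"
    if counts["outbound"]:
        return "outbound-only"
    if counts["inbound"]:
        return "inbound-only"
    return "none"


# Sample 1: the snort -v output quoted in the post above (address already masked).
PAGE_SAMPLE = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-04:28:27.229924 MY_HONEYPOT_IP:53 -> 121.167.11.2:31611
UDP TTL:128 TOS:0x0 ID:53822 IpLen:20 DgmLen:70
Len: 42
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-04:28:32.402667 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
TCP TTL:128 TOS:0x0 ID:53823 IpLen:20 DgmLen:48 DF
******S* Seq: 0x7FE52BC5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-04:28:32.641493 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
TCP TTL:128 TOS:0x0 ID:53824 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x7FE52BC6 Ack: 0xE409E046 Win: 0xFFFF TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-04:28:32.641559 MY_HONEYPOT_IP:2145 -> 58.65.233.17:80
TCP TTL:128 TOS:0x0 ID:53825 IpLen:20 DgmLen:352 DF
***AP*** Seq: 0x7FE52BC6 Ack: 0xE409E046 Win: 0xFFFF TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Sample 2: CONSTRUCTED inbound packets (not from the post) to show the other direction.
CONSTRUCTED_INBOUND = """\
01/30-04:30:01.000000 203.0.113.9:44321 -> MY_HONEYPOT_IP:80
TCP TTL:52 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1 Ack: 0x0 Win: 0x7210 TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/30-04:30:02.000000 203.0.113.9 -> MY_HONEYPOT_IP
ICMP TTL:52 TOS:0x0 ID:2 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

if __name__ == "__main__":
    # Usage: python3 tally.py [captured_snort_v.log]; without a file, run the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = [("captured log", fh.read())]
    else:
        samples = [("post sample", PAGE_SAMPLE),
                   ("post sample + constructed inbound", PAGE_SAMPLE + CONSTRUCTED_INBOUND)]
    for label, text in samples:
        c = tally_by_direction(parse_snort_verbose(text), {"MY_HONEYPOT_IP"})
        print(f"{label}: {dict(c)} -> {direction_summary(c)}")
```

Feeding a captured verbose log through this alongside the Walleye QUEUE counters gives a quick way to state the problem precisely: if the inbound QUEUE counter keeps rising while the tally stays outbound-only, the packets are being queued but are not reaching the snort process that is printing them.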