How to get snort to inspect packets before pf does?

Post by <foo> » Fri, 04 Jul 2003 14:13:22

hi all!

Is this possible? I've just installed snort+mysql+acid on my openbsd 3.3
router/firewall/mailserver/webserver/sshserver/ftpserver/fileserver/nameserver++
and I would like to actually get some events triggered in my logs, pf
is simply eating up all the malicious packets before I get to log and view
them in my snort+mysql+acid combo. (I know the whole idea of "one server x
hundred services" isn't in line with the basic philosophy of OpenBSD, but
I'm mainly doing this for educational purposes (and fun).)

So my question is basically if it's possible to get snort to inspect packets
before pf, or should I just forget it and shop around for a P90 to use as a
sensor in front/parallel of the firewall?

Thanks!

/foo

Post by yoursel » Fri, 04 Jul 2003 22:02:13

> hi all!

> Is this possible? I've just installed snort+mysql+acid on my openbsd 3.3
> router/firewall/mailserver/webserver/sshserver/ftpserver/fileserver/nameserver++
> and I would like to actually get some events triggered in my logs, pf
> is simply eating up all the malicious packets before I get to log and view
> them in my snort+mysql+acid combo. (I know the whole idea of "one server x
> hundred services" isn't in line with the basic philosophy of OpenBSD, but
> I'm mainly doing this for educational purposes (and fun).)

> So my question is basically if it's possible to get snort to inspect packets
> before pf, or should I just forget it and shop around for a P90 to use as a
> sensor in front/parallel of the firewall?

> Thanks!

> /foo

That's weird! I also have set up a much smaller server (only web/smtp and
ssh) and pf just drops everything else. BUT snort tracks attempts on
port 1080 for example, which is filtered by pf.

I believe that they say it on their site too that they catch packets
before they get dropped by the packet filter or whatever.

Maybe you haven't set snort up correctly? (You might want to use
-i <if_name> to tell snort to listen on that interface)...

On the other hand, i run it on 3.2 ...

--
yourself

There are 10 types of people in the world.
Those that understand binary and those that don't.

Post by pak.. » Fri, 04 Jul 2003 23:30:15

> hi all!

> Is this possible? I've just installed snort+mysql+acid on my openbsd 3.3
> router/firewall/mailserver/webserver/sshserver/ftpserver/fileserver/nameserver++
> and I would like to actually get some events triggered in my logs, pf
> is simply eating up all the malicious packets before I get to log and view
> them in my snort+mysql+acid combo. (I know the whole idea of "one server x
> hundred services" isn't in line with the basic philosophy of OpenBSD, but
> I'm mainly doing this for educational purposes (and fun).)

Add another NIC to the box.  This NIC will be used for snort.
Have its hostname.$snort_if file just contain 'up'.  
Add a 'pass in quick on $snort_if all' line to /etc/pf.conf (If you're
going with a default deny policy).  
Change the snort startup to listen to the new NIC.
Connect both to a hub attached to the cable/DSL/Avian Transport modem.

If you're using PPPOE, you're probably SOL.

> So my question is basically if it's possible to get snort to inspect packets
> before pf, or should I just forget it and shop around for a P90 to use as a
> sensor in front/parallel of the firewall?

Considering that there have been exploits targeted at snort, that isn't
a bad idea.

--
Chris Dukes
"earthly insanity/brings us conformity
the tinkling bells call me/it plays a leading role
I never could foresee/the purity you stole" -- arte.fa(t's 'Purification'
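The sensor-NIC setup Chris describes above (a second NIC with a bare 'up' in its hostname.if, a 'pass in quick' rule so a default-deny pf.conf never discards what snort should see, and snort pointed at that NIC) as a staging script. This is an added example, not from the thread: it writes into a staging directory instead of /etc so the files can be reviewed first, and the `snort_flags` variable name in rc.conf.local is an assumption about how the snort startup is configured.

```shell
#!/bin/sh
# gen_sensor_config <snort_if> <staging_dir>
# Stage the three files the procedure touches. Nothing under /etc is modified.
gen_sensor_config() {
    snort_if="$1"
    dest="$2"
    mkdir -p "$dest"

    # 1. Sensor NIC comes up with no address: it only sniffs, never answers.
    printf 'up\n' > "$dest/hostname.$snort_if"

    # 2. Constructed minimal default-deny pf.conf, used only when the staging
    #    dir has none yet (on a real box you append to the existing file).
    [ -f "$dest/pf.conf" ] || printf 'block in all\n' > "$dest/pf.conf"
    #    pf is last-match-wins unless a rule says 'quick', so this rule wins
    #    over the 'block in all' above and pf never drops the sensor traffic.
    printf 'pass in quick on %s all\n' "$snort_if" >> "$dest/pf.conf"

    # 3. Point snort at the new NIC (-i), daemonised (-D).
    #    snort_flags is an assumed rc.conf.local variable name.
    printf 'snort_flags="-i %s -D"\n' "$snort_if" > "$dest/rc.conf.local"
}

# check_sensor_config <snort_if> <staging_dir>
# Returns 0 only when all three staged files reference the sensor interface.
check_sensor_config() {
    snort_if="$1"
    dest="$2"
    [ -f "$dest/hostname.$snort_if" ] || return 1
    [ "$(cat "$dest/hostname.$snort_if")" = "up" ] || return 1
    grep -q "^pass in quick on $snort_if all\$" "$dest/pf.conf" || return 1
    grep -q -- "-i $snort_if" "$dest/rc.conf.local" || return 1
    return 0
}

# Usage (sensor NIC rl1, staged under ./sensor-staging):
# gen_sensor_config rl1 ./sensor-staging && check_sensor_config rl1 ./sensor-staging
```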

Post by Heiko Dudzu » Sat, 05 Jul 2003 02:54:50

> So my question is basically if it's possible to get snort to inspect packets
> before pf, or should I just forget it and shop around for a P90 to use as a
> sensor in front/parallel of the firewall?

I've found something about it. Seems like you have to let snort listen
on the external interface (tun0):

http://www.monkey.org/openbsd/archive/ports/0211/msg00296.html

HTH, Heiko
