NTU (Apprentice)
Joined: 17 Jul 2015    Posts: 187
Posted: Wed Oct 12, 2016 5:52 pm    Post subject: How to test / get working Snort NIS (inline mode) ?
Hello! I'm working on fixing up the ebuild for snort and making it a bit more pulledpork-friendly (oink codes, fetching of configs, etc.), but once I have the packages and all set up, what's a good way to make sure that the new snort rules are actually working properly and inline / intrusion prevention system is in effect? I haven't dabbled much in the more advanced world of network security, just iptables / netfilter (that means no experience with things like OSSEC and such; Wireshark is as far as I've been). I've heard of nmap; any tips/suggestions on pen testing Snort? I want to make sure the rules are working. Btw, I'm not running any servers (at this time) nor doing anything over SSH, so would I comment out the lines such as SSH_SERVERS, SQL_SERVERS etc.? Does "portvar" mean "monitor these ports"? This page doesn't exactly say what it DOES or what the end result of putting a port in the list is, just syntax, not behavior:
https://www.snort.org/faq/readme-variables
I've had network trouble in the past using torrents (Linux ISOs) or even just IRC without a cloak; would I put the ports that those clients use in the snort.conf file?
I'm a Snort nub and need a little direction, not asking for a mentor. Thank you in advance!
Last edited by NTU on Mon Oct 24, 2016 6:10 am; edited 1 time in total |
NTU (Apprentice)
Joined: 17 Jul 2015    Posts: 187
Posted: Mon Oct 24, 2016 6:08 am
Officially changing this thread to, "how do I even get nfq daq inline mode working?"
Code:
sudo /usr/bin/snort -Q -c /etc/snort/snort.conf --daq-var device=eth0 --daq-var queue=1 -v
Code:
Commencing packet processing (pid=3425)
Decoding Raw IP4
Snort processed 0 packets.
Pkts/sec: 0
Preprocessor Profile Statistics (all)
No Preprocessors were profiled
Rule Profile Statistics (all rules)
No rules were profiled
I followed these instructions here but it didn't help:
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/023/original/ids2ips.txt
I get a lot of messages like these:
Code:
(29) => Invalid address: 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:9;)'
and also these:
Code:
WARNING: flowbits key 'file.maplet' is set but not ever checked.
WARNING: flowbits key 'file.ani' is set but not ever checked.
WARNING: flowbits key 'zenworks_opcode' is set but not ever checked.
WARNING: flowbits key 'file.udf' is set but not ever checked.
WARNING: flowbits key 'file.wrf' is set but not ever checked.
WARNING: flowbits key 'file.rt' is set but not ever checked.
WARNING: flowbits key 'file.zip.winrar.spoof' is set but not ever checked.
WARNING: flowbits key 'file.xcf' is set but not ever checked.
I have practically every rule enabled, except for the SO_RULES.
Code:
config daq: nfq
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: proto=ip4 device=eth0
is also set.
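The nfq DAQ only ever sees packets that netfilter hands to userspace through an NFQUEUE target, so a Snort that starts cleanly, prints "Decoding Raw IP4" (nfq delivers raw IP packets rather than Ethernet frames, so that line confirms the DAQ loaded) and then reports 0 packets is bound to a queue that no iptables rule feeds, or that nothing matching has hit yet. The kernel lists every bound queue with counters in /proc/net/netfilter/nfnetlink_queue, and `iptables -S` shows which chains send traffic to which queue number. The script below is an added example, not code from the thread or from Snort: the proc sample and iptables output embedded in it are constructed (the peer portid 3425 echoes the pid above but is invented), and the --live switch reads the real files and runs `iptables -S`, which needs root.

```python
#!/usr/bin/env python3
"""Why does an nfq-mode Snort report 0 packets? Check the kernel side (added example)."""
import re
import subprocess
import sys

PROC_NFQ = "/proc/net/netfilter/nfnetlink_queue"

# Constructed sample of /proc/net/netfilter/nfnetlink_queue: one line per queue that a
# userspace program has bound, with columns
#   queue_num peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence 1
# Queue 1 is bound (portid 3425 is made up) but id_sequence is 0: the kernel has never
# handed it a packet, which is exactly the "Snort processed 0 packets" symptom.
SAMPLE_PROC = "    1   3425     0 2 65531     0     0        0  1\n"

# Constructed `iptables -S` output: first without any NFQUEUE rule ...
SAMPLE_IPTABLES_EMPTY = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
# ... then after steering this host's own traffic to queue 1 (a gateway would use FORWARD).
SAMPLE_IPTABLES_QUEUED = SAMPLE_IPTABLES_EMPTY + (
    "-A INPUT -j NFQUEUE --queue-num 1\n"
    "-A OUTPUT -j NFQUEUE --queue-num 1 --queue-bypass\n")


def parse_nfnetlink_queue(text):
    """Map queue number -> counters for every queue something has bound."""
    fields = ("peer_portid", "queue_total", "copy_mode", "copy_range",
              "queue_dropped", "user_dropped", "id_sequence")
    queues = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 8:
            queues[int(cols[0])] = dict(zip(fields, map(int, cols[1:8])))
    return queues


NFQ_RULE_RE = re.compile(r"^-A (\S+) .*-j NFQUEUE --queue-num (\d+)(.*)$")


def nfqueue_rules(iptables_s):
    """[(chain, queue_num, fail_open)] for every NFQUEUE rule in `iptables -S` output."""
    rules = []
    for line in iptables_s.splitlines():
        m = NFQ_RULE_RE.match(line)
        if m:
            rules.append((m.group(1), int(m.group(2)), "--queue-bypass" in m.group(3)))
    return rules


def diagnose(proc_text, iptables_s, queue_num):
    """One-line verdict for the given queue number."""
    queues = parse_nfnetlink_queue(proc_text)
    rules = [(c, b) for c, q, b in nfqueue_rules(iptables_s) if q == queue_num]
    chains = ",".join(c for c, _ in rules)
    if queue_num not in queues:
        # No bypass flag means packets sent to an unbound queue are dropped (fail closed).
        closed = [c for c, bypass in rules if not bypass]
        return (f"no listener on queue {queue_num} (start snort with --daq nfq --daq-var queue={queue_num})"
                + (f"; traffic in {','.join(closed)} is being dropped meanwhile" if closed else ""))
    if not rules:
        return (f"listener bound but no iptables rule feeds queue {queue_num}; add "
                f"-j NFQUEUE --queue-num {queue_num} to INPUT/OUTPUT (host) or FORWARD (gateway)")
    q = queues[queue_num]
    if q["id_sequence"] == 0:
        return f"queue {queue_num} idle: rules in {chains} exist but no packet has matched them yet"
    if q["queue_dropped"] or q["user_dropped"]:
        return (f"queue {queue_num} dropping: kernel={q['queue_dropped']} user={q['user_dropped']}; "
                f"raise --daq-var queue_len or check that snort keeps up")
    return f"ok: queue {queue_num} has carried {q['id_sequence']} packets via {chains}"


def live_report(queue_num):
    """Same verdict from the running kernel (iptables -S needs root)."""
    with open(PROC_NFQ) as fh:
        proc_text = fh.read()
    res = subprocess.run(["iptables", "-S"], capture_output=True, text=True, check=True)
    return diagnose(proc_text, res.stdout, queue_num)


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--live"]
    qnum = int(args[0]) if args else 1
    if "--live" in sys.argv:
        print(live_report(qnum))
    else:
        print("no rule    :", diagnose(SAMPLE_PROC, SAMPLE_IPTABLES_EMPTY, qnum))
        print("rules added:", diagnose(SAMPLE_PROC, SAMPLE_IPTABLES_QUEUED, qnum))
        print("no snort   :", diagnose("", SAMPLE_IPTABLES_QUEUED, qnum))
```

For a host that only protects itself the plumbing is `iptables -I INPUT -j NFQUEUE --queue-num 1` plus the same for OUTPUT; a gateway queues FORWARD instead. Decide the failure mode before adding the rule: without `--queue-bypass`, a queue nobody has bound drops everything sent to it, so an INPUT rule installed while Snort is down cuts off remote access (fail closed); with `--queue-bypass` the packets are accepted uninspected (fail open). Once the counters move, a non-zero queue_dropped or user_dropped column means the kernel queue overflowed before Snort read it, which is what `--daq-var queue_len` is for.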
chiefbag (Guru)
Joined: 01 Oct 2010    Posts: 542    Location: The Kingdom
Posted: Tue Jan 17, 2017 11:39 am
Quote:
Code:
(29) => Invalid address: 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:9;)'
Did you go through the /etc/snort/snort.conf file and configure your HOME_NET, for example:
Code:
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
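Both the portvar question in the opening post and chiefbag's HOME_NET answer come down to how Snort substitutes variables in a rule header: `ipvar` names an address set, `portvar` names a port set, and a rule such as sid 5808 above only applies to packets whose addresses and ports satisfy the expanded `$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS`. So `portvar HTTP_PORTS [80,8080]` does not make Snort "monitor" those ports; it makes every rule written against `$HTTP_PORTS` apply to traffic on them (the http_inspect preprocessor has its own separate ports setting). Commenting out `SSH_SERVERS` or `SQL_SERVERS` leaves the rules that reference them with an undefined variable, which Snort rejects when it loads the rule, so the usual practice is to keep the shipped `ipvar SSH_SERVERS $HOME_NET` style definitions. The model below is an added example, not Snort's parser: it handles `any`, `!`, `$VAR`, nested lists and port ranges, takes chiefbag's two ipvar lines plus portvar lines and documentation addresses (203.0.113.0/24) constructed for this example, and evaluates the header of the rule quoted above against a few packets.

```python
#!/usr/bin/env python3
"""Toy model of Snort ipvar/portvar expansion in a rule header (added example)."""
import ipaddress
import re

# Constructed snort.conf fragment: the two ipvar lines from chiefbag's reply plus
# portvar lines made up for this example; the port numbers are illustrative only.
SAMPLE_CONF = """
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar SSH_SERVERS $HOME_NET
portvar HTTP_PORTS [80,81,8080,8888]
"""

# Header of the rule (sid 5808) quoted in the thread; the options after '(' are ignored here.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; sid:5808; rev:9;)')


def parse_variables(conf):
    """Collect definitions into {"ip": {name: spec}, "port": {name: spec}}."""
    variables = {"ip": {}, "port": {}}
    for line in conf.splitlines():
        m = re.match(r"\s*(ipvar|portvar)\s+(\w+)\s+(.+?)\s*$", line)
        if m:
            kind, name, value = m.groups()
            variables["ip" if kind == "ipvar" else "port"][name] = value.replace(" ", "")
    return variables


def _split_list(spec):
    """Split '[a,b,[c,d]]' at top-level commas, keeping nested lists intact."""
    items, depth, cur = [], 0, ""
    for ch in spec[1:-1]:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    return [i for i in items + [cur] if i]


def _matches(spec, value, table, leaf):
    """'any', '!X', '$VAR', '[...]' (positives OR-ed, '!' entries subtracted) or a leaf test."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _matches(spec[1:], value, table, leaf)
    if spec.startswith("$"):
        if spec[1:] not in table:
            raise KeyError(f"undefined variable {spec}")  # Snort refuses to load such a rule
        return _matches(table[spec[1:]], value, table, leaf)
    if spec.startswith("["):
        items = _split_list(spec)
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        included = not positives or any(_matches(i, value, table, leaf) for i in positives)
        return included and not any(_matches(i, value, table, leaf) for i in negatives)
    return leaf(spec, value)


def _port_leaf(spec, port):
    """Snort port syntax: 80, 1024:, :1023, 8000:8100."""
    lo, sep, hi = spec.partition(":")
    low = int(lo) if lo else 0
    high = int(hi) if hi else (65535 if sep else low)
    return low <= port <= high


def ip_matches(spec, ip, variables):
    return _matches(spec, ip, variables["ip"],
                    lambda net, addr: ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False))


def port_matches(spec, port, variables):
    return _matches(spec, port, variables["port"], _port_leaf)


HEADER_RE = re.compile(r"^\w+\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")


def header_matches(rule, pkt, variables):
    """True if pkt = {proto, src, sport, dst, dport} satisfies the rule header."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparsable rule header")
    proto, src, sport, direction, dst, dport = m.groups()
    if proto not in ("ip", pkt["proto"]):
        return False

    def one_way(s, sp, d, dp):  # header read left to right against the packet
        return (ip_matches(s, pkt["src"], variables) and port_matches(sp, pkt["sport"], variables)
                and ip_matches(d, pkt["dst"], variables) and port_matches(dp, pkt["dport"], variables))

    return one_way(src, sport, dst, dport) or (direction == "<>" and one_way(dst, dport, src, sport))


if __name__ == "__main__":
    variables = parse_variables(SAMPLE_CONF)
    out = {"proto": "tcp", "src": "192.168.1.10", "sport": 51000, "dst": "203.0.113.5", "dport": 80}
    for label, pkt in [("inside  -> outside:80 ", out),
                       ("inside  -> outside:443", dict(out, dport=443)),
                       ("inside  -> inside:80  ", dict(out, dst="192.168.1.20")),
                       ("outside -> inside:80  ", dict(out, src="203.0.113.5", dst="192.168.1.10"))]:
        print(label, header_matches(RULE, pkt, variables))
```

Only the first of the four packets matches: the others fail on the port, on EXTERNAL_NET (which is everything outside HOME_NET, so a LAN-to-LAN request is excluded) and on direction. That is also why HOME_NET has to be something real: the rule's `$EXTERNAL_NET` is defined in terms of it. To let Snort itself check the configuration and every enabled rule without going inline, run `snort -T -c /etc/snort/snort.conf`; it prints variable and address errors and exits instead of waiting for packets.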