iptables DNS resolution

Posted by Favolas on Super User See other posts from Super User or by Favolas
Published on 2013-10-25T09:44:15Z Indexed on 2013/10/25 9:59 UTC
Read the original article Hit count: 546

Filed under:
|

I have a virtual machine with Fedora 19 acting as a router. This machine as an interface (p8p1) with the IP 172.16.1.254 that is connected to another machine (IP 172.16.1.1) that's simulating the external network.

I've installed snort 2.9.2.2, applied the snortsam-2.9.2.2.diff.gz patch and installed snortsam 2.70 on the routermachine

In snort.conf besides altering some RULE_PATH I believe I've only added the following line to the file.

output alert_fwsam: 127.0.0.1:898/password

After doing this two comands:

ifconfig p8p1 promisc
/usr/local/snort/bin/snort -v -i p8p1

If I ping from the external network to the router IP, I can see the info about the pings.

One of the rules that I have is icmp-info.rules that as this single line:

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:6;fwsam: src, 5 minutes;)

snortsam.conf as this data:

defaultkey password
accept localhost
keyinterval 30 minutes
dontblock 192.168.1.1   # rede local
rollbackhosts 50
rollbackthreshold 20 / 30 secs
rollbacksleeptime 1 minute
logfile /var/log/snort/snortsam.log
loglevel 3
daemon
nothreads
# linha importante para gerar os bloqueios via iptables
iptables p8p1 LOG
bindip 127.0.0.1

Now I run this command:

/usr/local/snort/bin/snort -u snort -i p8p1 -c /etc/snort/snort.conf -l /var/log/snort -Dq

Terminal gives this message:

Spawning daemon child...
My daemon child 2080 lives...
Daemon parent exiting (0)

and when I runsnortsam in terminal i got this:

SnortSam, v 2.70. Copyright (c) 2001-2009 Frank Knobbe . All rights reserved.

Plugin 'fwsam': v 2.5, by Frank Knobbe
Plugin 'fwexec': v 2.7, by Frank Knobbe
Plugin 'pix': v 2.9, by Frank Knobbe
Plugin 'ciscoacl': v 2.12, by Ali Basel <[email protected]>
Plugin 'cisconullroute': v 2.5, by Frank Knobbe
Plugin 'cisconullroute2': v 2.2, by Wouter de Jong <[email protected]>
Plugin 'netscreen': v 2.10, by Frank Knobbe
Plugin 'ipchains': v 2.8, by Hector A. Paterno <[email protected]>
Plugin 'iptables': v 2.9, by Fabrizio Tivano <[email protected]>, Luis Marichal <[email protected]>
Plugin 'ebtables': v 2.4, by Bruno Scatolin <[email protected]>
Plugin 'watchguard': v 2.7, by Thomas Maier <[email protected]>
Plugin 'email': v 2.12, by Frank Knobbe
Plugin 'email-blocks-only': v 2.12, by Frank Knobbe
Plugin 'snmpinterfacedown': v 2.3, by Ali BASEL <[email protected]>
Plugin 'forward': v 2.8, by Frank Knobbe

Parsing config file /etc/snortsam.conf...
Linking plugin 'iptables'...
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Starting to listen for Snort alerts.

and snortsam.log as an entry like this 2013/10/25, 10:15:17, -, 1, snortsam, Starting to listen for Snort alerts.

Now, from the external machine I do ping 172.16.1.254 and it starts showing the info and an alert file is created in /var/log/snort/ that as the info about the PINGS. Something like:

[**] [1:408:6] ICMP-INFO Echo Reply [**]
[Classification: Misc activity] [Priority: 3] 
10/25-10:35:16.061319 172.16.1.254 -> 172.16.1.1
ICMP TTL:64 TOS:0x0 ID:38720 IpLen:20 DgmLen:84
Type:0  Code:0  ID:1389  Seq:1  ECHO REPLY

Also, if I run instead /usr/local/snort/bin/snort snort -v -i p8p1 i got this message:

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: snort
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic from "p8p1".
ERROR: Can't set DAQ BPF filter to 'snort' (pcap_daq_set_filter: pcap_compile: syntax error)!
Fatal Error, Quitting..

So, this are my questions:

Shouldn't snortsam block the PING?

Is that DAQ error causing the problem? If so, How can I solve it?

© Super User or respective owner

Related posts about linux

Related posts about networking