# Snort-inline configuration

## briansrapier

Good afternoon. I am in the process of building a transparent (bridging) firewall using iptables and snort-inline. Thanks in part to this thread:

https://forums.gentoo.org/viewtopic-t-169553-highlight-snort.html

I built the bridge without any issues using the following configuration:

CONF.D/NET:

```
config_eth0=( "null" )
config_tap0=( "null" )
bridge_br0="eth0 tap0"
config_br0=( "10.10.56.200 netmask 255.0.0.0 broadcast 10.255.255.255" )
routes_br0=(
       "default via 10.10.55.1"
)
depend_br0() {
        need net.eth0 net.tap0
}
brctl_br0=( "setfd 0" "sethello 0" "stp off" )
```

Next, I emerged iptables followed by snort using the "inline" USE flag and gave it the following configuration:

CONF.D/SNORT:

```
IFACE=br0
PIDFILE=/var/run/snort_$IFACE.pid
LOGDIR="/var/log/snort"
CONF=/etc/snort/snort.conf
SNORT_OPTS="-Q -D -c $CONF -i $IFACE -l $LOGDIR"
```

SNORT.CONF:

```
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SNMP_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var SSH_PORTS 22
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
var RULE_PATH /etc/snort/rules

config disable_decode_alerts

preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor telnet_decode
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }
preprocessor xlink2state: ports { 25 691 }

output alert_syslog: LOG_AUTH LOG_ALERT

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/bleeding-attack_response.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding-drop-BLOCK.rules
include $RULE_PATH/bleeding-drop.rules
include $RULE_PATH/bleeding-dshield-BLOCK.rules
include $RULE_PATH/bleeding-dshield.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-game.rules
include $RULE_PATH/bleeding-inappropriate.rules
include $RULE_PATH/bleeding-malware.rules
include $RULE_PATH/bleeding-p2p.rules
include $RULE_PATH/bleeding-policy.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-web.rules
include $RULE_PATH/bleeding.conf
include $RULE_PATH/bleeding.rules
```

I tested the configuration using `/usr/bin/snort -Q -v -c /etc/snort/snort.conf -i br0 -l /var/log/snort`, which produces:

```
        --== Initialization Complete ==--
```

And spits out a bit of traffic, most of which seems to be netbios broadcasts:

```
07/19-12:44:24.035548 10.10.57.164:138 -> 10.255.255.255:138
UDP TTL:128 TOS:0x0 ID:19618 IpLen:20 DgmLen:229
Len: 201
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```

Next, I altered some of the rules related to scans from 'alert' to 'drop' in order to test what would happen if I nmap'd the box. But, nothing did. I've attempted a few variations with the configuration, mostly HOME_NET and EXTERNAL_NET, but I'm not making any headway.

Ideas?

----------

## outspoken

post the output of this:

```
iptables -L -n
```

Exclude any IPs that you don't want known to the public. Need to see if you are putting packets in the QUEUE in your FORWARD policy.

EDIT: bleh, i used wiki <pre> instead of [code] ;P
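As an added example (not code from either poster), the check outspoken is asking for can be scripted: snort started with `-Q` only ever sees packets that iptables hands to the QUEUE target (the ip_queue module), so if the FORWARD chain has no QUEUE rule the "drop" rules never get a packet to act on. The POSIX shell below reads an `iptables -L -n` listing, reports whether the FORWARD chain contains a QUEUE rule, and prints the rules a classic snort-inline bridge needs. The two listings embedded in it are constructed samples, and `queue_rules` assumes a kernel with bridge netfilter (CONFIG_BRIDGE_NETFILTER) so that bridged frames traverse the iptables FORWARD chain at all.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether iptables is actually
# handing forwarded packets to snort-inline's QUEUE target.

# Constructed sample: what `iptables -L -n` looks like on a box where every
# chain is a bare ACCEPT policy and nothing is queued to userspace.
SAMPLE_NO_QUEUE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: the same box after `iptables -A FORWARD -j QUEUE`.
SAMPLE_WITH_QUEUE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# forward_has_queue: reads an `iptables -L -n` listing on stdin and prints
# "yes" if the FORWARD chain has at least one rule whose target is QUEUE,
# "no" otherwise. Rules in other chains (INPUT/OUTPUT) are ignored because
# traffic crossing a bridge only traverses FORWARD.
forward_has_queue() {
    awk '
        /^Chain / { chain = $2; next }            # track which chain we are in
        chain == "FORWARD" && $1 == "QUEUE" { found = 1 }
        END { print (found ? "yes" : "no") }
    '
}

# queue_rules: prints the commands that make a transparent bridge feed
# snort -Q. Assumptions: ip_queue is available as a module, and bridge
# netfilter is compiled in so the sysctl below exists.
queue_rules() {
    cat <<'EOF'
modprobe ip_queue
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
iptables -A FORWARD -j QUEUE
EOF
}

# Usage on a live box:  iptables -L -n | forward_has_queue
printf '%s\n' "$SAMPLE_NO_QUEUE"   | forward_has_queue   # no
printf '%s\n' "$SAMPLE_WITH_QUEUE" | forward_has_queue   # yes
```

Two things worth knowing before applying `queue_rules`: the QUEUE rule must be added after ip_queue is loaded and snort -Q is running, because ip_queue drops queued packets when no userspace process is reading them, so the bridge fails closed and the box appears to "drop everything" rather than "drop nothing"; and `iptables -L -n` lists the filter table only, which is the right table here since QUEUE belongs in FORWARD of the filter table.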

----------

