# How to test / get working Snort NIS (inline mode) ?

## NTU

Hello! I'm working on fixing up the ebuild for snort and making it a bit more pulledpork friendly (oink codes, fetching of configs, etc.), but once I have the packages and everything set up, what's a good way to make sure that the new snort rules are actually working properly and that inline / intrusion prevention mode is in effect? I haven't dabbled much in the more advanced world of network security, just iptables / netfilter (that means no experience with things like OSSEC and such; Wireshark is as far as I've gone). I've heard of nmap; any tips/suggestions on pen testing Snort? I want to make sure the rules are working. By the way, I'm not running any servers (at this time) nor doing anything over SSH, so would I comment out lines such as SSH_SERVERS, SQL_SERVERS etc.? Does "portvar" mean "monitor these ports"? This page doesn't exactly say what it DOES or what the end result of putting a port in the list is, just the syntax, not the behavior:

https://www.snort.org/faq/readme-variables

I've had network trouble in the past using torrents (Linux ISOs) or even just IRC without a cloak, would I put the ports that those clients use in the snort.conf file?

I'm a snort nub and need a little direction, not asking for a mentor. Thank you in advance!

Last edited by NTU on Mon Oct 24, 2016 6:10 am; edited 1 time in total

----------

## NTU

Officially changing this thread to, "how do I even get nfq daq inline mode working?"

```
sudo /usr/bin/snort -Q -c /etc/snort/snort.conf --daq-var device=eth0 --daq-var queue=1 -v
```

```
Commencing packet processing (pid=3425)
Decoding Raw IP4
Snort processed 0 packets.
   Pkts/sec:            0
Preprocessor Profile Statistics (all)
No Preprocessors were profiled
Rule Profile Statistics (all rules)
No rules were profiled
```

I followed these instructions here but it didn't help:

https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/023/original/ids2ips.txt

I get a lot of messages like these:

```
(29) => Invalid address: 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:9;)'
```

and also these:

```
WARNING: flowbits key 'file.maplet' is set but not ever checked.
WARNING: flowbits key 'file.ani' is set but not ever checked.
WARNING: flowbits key 'zenworks_opcode' is set but not ever checked.
WARNING: flowbits key 'file.udf' is set but not ever checked.
WARNING: flowbits key 'file.wrf' is set but not ever checked.
WARNING: flowbits key 'file.rt' is set but not ever checked.
WARNING: flowbits key 'file.zip.winrar.spoof' is set but not ever checked.
WARNING: flowbits key 'file.xcf' is set but not ever checked.
```

I have practically every rule enabled, except for the SO_RULES.

```
config daq: nfq
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: proto=ip4 device=eth0
```

is also set.
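Added example (not from the thread, and not part of Snort or its DAQ): a POSIX shell helper for the other half of an nfq inline setup. With the nfq DAQ, Snort only receives packets that a netfilter rule hands to the queue number given in `--daq-var queue=`; if no chain has a `-j NFQUEUE --queue-num N` rule, "Snort processed 0 packets" is the expected result, however many rules are loaded. The `iptables -S` sample below is constructed; `--live` (as root) inspects the real ruleset.

```shell
#!/bin/sh
# Check that netfilter is actually feeding packets to the NFQUEUE number
# that Snort's nfq DAQ was told to listen on (--daq-var queue=1 above).
# Added example; the sample ruleset is constructed, not captured.

# has_nfqueue_rule QUEUE RULES
# RULES is the text of `iptables -S`. Returns 0 if any rule sends
# traffic to NFQUEUE with --queue-num QUEUE.
has_nfqueue_rule() {
    queue=$1
    rules=$2
    printf '%s\n' "$rules" | grep -Eq -- "-j NFQUEUE --queue-num ${queue}( |\$)"
}

# nfqueue_chains QUEUE RULES
# Prints the chains (INPUT, OUTPUT, FORWARD, ...) whose rules queue to
# QUEUE, one per line, so you can see which direction is inspected.
nfqueue_chains() {
    queue=$1
    rules=$2
    printf '%s\n' "$rules" | awk -v q="$queue" '
        $1 == "-A" {
            for (i = 1; i < NF; i++)
                if ($i == "--queue-num" && $(i+1) == q) { print $2; break }
        }' | sort -u
}

# Constructed sample of `iptables -S` output: INPUT and OUTPUT go to
# queue 1, FORWARD goes to an unrelated queue 2.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j NFQUEUE --queue-num 1
-A OUTPUT -j NFQUEUE --queue-num 1
-A FORWARD -j NFQUEUE --queue-num 2'

if [ "${1:-}" = "--live" ]; then
    # Against the real firewall (needs root); iptables -S lists the filter table.
    live=$(iptables -S)
    if has_nfqueue_rule 1 "$live"; then
        echo "queue 1 is fed by chains:"; nfqueue_chains 1 "$live"
    else
        echo "no NFQUEUE rule for queue 1: the nfq DAQ will receive nothing"
    fi
else
    echo "sample ruleset: chains feeding queue 1:"; nfqueue_chains 1 "$SAMPLE_RULES"
fi
```

Run it without arguments to see the constructed sample, or with `--live` on the Snort host. If only INPUT and OUTPUT queue to the Snort queue, traffic the box forwards for other machines is never inspected; if nothing queues at all, fix the iptables side before looking at rule syntax.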

----------

## chiefbag

> (29) => Invalid address: 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:9'

Did you go through the /etc/snort/snort.conf file and configure your HOME_NET, for example:

```
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
```
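Added example (not from the thread): a POSIX shell pre-flight check that ties the first post's portvar question to chiefbag's answer. `ipvar`, `portvar` and `var` only define named address and port lists that rule headers refer to as `$HOME_NET`, `$HTTP_PORTS` and so on; they do not by themselves make Snort monitor anything. A rule whose header names a variable that snort.conf never defines cannot be resolved, which is what the "Invalid address" line above reports for the SAH Agent rule. The script lists every `$NAME` referenced in rule files that has no definition in the conf; the sample conf and rule file are constructed.

```shell
#!/bin/sh
# Find $VARIABLE references in Snort rule files that snort.conf never
# defines with ipvar/portvar/var. Added example; sample files are constructed.
export LC_ALL=C   # sort and comm must agree on collation

# defined_vars CONF...    names defined by ipvar/portvar/var lines
defined_vars() {
    cat "$@" | awk '$1 == "ipvar" || $1 == "portvar" || $1 == "var" { print $2 }' | sort -u
}

# referenced_vars RULES...   $NAME references in non-comment rule lines
referenced_vars() {
    cat "$@" | grep -v '^[[:space:]]*#' \
        | grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$' | sort -u
}

# undefined_vars CONF RULES...   referenced names with no definition
undefined_vars() {
    conf=$1; shift
    tmp_def=$(mktemp); tmp_ref=$(mktemp)
    defined_vars "$conf" > "$tmp_def"
    referenced_vars "$@" > "$tmp_ref"
    comm -13 "$tmp_def" "$tmp_ref"    # lines only in the referenced list
    rm -f "$tmp_def" "$tmp_ref"
}

# Constructed sample: the conf defines three variables; the rules also use
# SQL_SERVERS and SSH_PORTS (undefined) and SMTP_SERVERS (only in a comment).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/snort.conf" <<'EOF'
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
# ipvar SQL_SERVERS $HOME_NET   (commented out, so NOT defined)
EOF
cat > "$workdir/local.rules" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"test http"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"test sql"; sid:1000002; rev:1;)
# alert tcp any any -> $SMTP_SERVERS 25 (msg:"commented out"; sid:1000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"test ssh"; sid:1000004; rev:1;)
EOF

# check_sample   prints SQL_SERVERS and SSH_PORTS, one per line
check_sample() { undefined_vars "$workdir/snort.conf" "$workdir/local.rules"; }

echo "undefined in sample rules:"; check_sample
```

For the real install, call `undefined_vars /etc/snort/snort.conf /etc/snort/rules/*.rules` (add any files snort.conf includes before the rules, since definitions may live there). Every name it prints needs an `ipvar`/`portvar` line, even for services you do not run: the rules that mention `$SQL_SERVERS` or `$SSH_SERVERS` are usually defined as `$HOME_NET` rather than commented out, so the rule set still loads. `snort -T -c /etc/snort/snort.conf` then validates the whole configuration without processing traffic.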

----------

