I have a virtual machine with Fedora 19 acting as a router. This machine as an interface (p8p1) with the IP 172.16.1.254 that is connected to another machine (IP 172.16.1.1) that's simulating the external network.
I've installed snort 2.9.2.2, applied the snortsam-2.9.2.2.diff.gz patch and installed snortsam 2.70 on the routermachine
In snort.conf besides altering some RULE_PATH I believe I've only added the following line to the file.
output alert_fwsam: 127.0.0.1:898/password
After doing this two comands:
ifconfig p8p1 promisc
/usr/local/snort/bin/snort -v -i p8p1
If I ping
from the external network to the router IP, I can see the info about the pings.
One of the rules that I have is icmp-info.rules that as this single line:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP-INFO Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:6;fwsam: src, 5 minutes;)
snortsam.conf as this data:
defaultkey password
accept localhost
keyinterval 30 minutes
dontblock 192.168.1.1 # rede local
rollbackhosts 50
rollbackthreshold 20 / 30 secs
rollbacksleeptime 1 minute
logfile /var/log/snort/snortsam.log
loglevel 3
daemon
nothreads
# linha importante para gerar os bloqueios via iptables
iptables p8p1 LOG
bindip 127.0.0.1
Now I run this command:
/usr/local/snort/bin/snort -u snort -i p8p1 -c /etc/snort/snort.conf -l /var/log/snort -Dq
Terminal gives this message:
Spawning daemon child...
My daemon child 2080 lives...
Daemon parent exiting (0)
and when I runsnortsam in terminal i got this:
SnortSam, v 2.70.
Copyright (c) 2001-2009 Frank Knobbe . All rights reserved.
Plugin 'fwsam': v 2.5, by Frank Knobbe
Plugin 'fwexec': v 2.7, by Frank Knobbe
Plugin 'pix': v 2.9, by Frank Knobbe
Plugin 'ciscoacl': v 2.12, by Ali Basel <
[email protected]>
Plugin 'cisconullroute': v 2.5, by Frank Knobbe
Plugin 'cisconullroute2': v 2.2, by Wouter de Jong <
[email protected]>
Plugin 'netscreen': v 2.10, by Frank Knobbe
Plugin 'ipchains': v 2.8, by Hector A. Paterno <
[email protected]>
Plugin 'iptables': v 2.9, by Fabrizio Tivano <
[email protected]>, Luis Marichal <
[email protected]>
Plugin 'ebtables': v 2.4, by Bruno Scatolin <
[email protected]>
Plugin 'watchguard': v 2.7, by Thomas Maier <
[email protected]>
Plugin 'email': v 2.12, by Frank Knobbe
Plugin 'email-blocks-only': v 2.12, by Frank Knobbe
Plugin 'snmpinterfacedown': v 2.3, by Ali BASEL <
[email protected]>
Plugin 'forward': v 2.8, by Frank Knobbe
Parsing config file /etc/snortsam.conf...
Linking plugin 'iptables'...
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Starting to listen for Snort alerts.
and snortsam.log as an entry like this 2013/10/25, 10:15:17, -, 1, snortsam, Starting to listen for Snort alerts.
Now,
from the external machine I do ping 172.16.1.254 and it starts showing the info and an alert file is created in /var/log/snort/ that as the info about the PINGS. Something like:
[**] [1:408:6] ICMP-INFO Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
10/25-10:35:16.061319 172.16.1.254 -> 172.16.1.1
ICMP TTL:64 TOS:0x0 ID:38720 IpLen:20 DgmLen:84
Type:0 Code:0 ID:1389 Seq:1 ECHO REPLY
Also, if I run instead /usr/local/snort/bin/snort snort -v -i p8p1 i got this message:
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: snort
pcap DAQ configured to passive.
The DAQ version does not support reload.
Acquiring network traffic
from "p8p1".
ERROR: Can't set DAQ BPF filter to 'snort' (pcap_daq_set_filter: pcap_compile: syntax error)!
Fatal Error, Quitting..
So, this are my questions:
Shouldn't snortsam block the PING?
Is that DAQ error causing the problem? If so, How can I solve it?
