Snort 3 + NFQ with IPS mode

Yes, we're running both through our queues. The nftables inet table type is the way they merged v4 and v6 into the same rule tables. This was one of the big improvements over iptables: you only had to write a rule once if it was not IP-family-specific.

table inet snort -> dual stack IPv4/IPv6 table
table ip snort -> IPv4-only table
table ip6 snort -> IPv6-only table

So, we use inet and any generic rules will pass both.

You have to be careful when writing specific rules, though, as some match clauses are v4 or v6 specific. Sometimes it's obvious:
ip saddr 202.3.4.5/32 udp dport 22 ...
sometimes not.

Now I'm wondering if Snort cares about the distinction? It must, since it uses header information in some of the pattern matching. How up-to-date is it with respect to IPv6?

Actually, Snort should have no problem with IPv6, because Snort 2 could already handle it, but it may be that it needs adjustments in the snort.lua. The problem is that the documentation is a disaster and is also partially no longer correct; between the version used in the stable branch and the version used in the development branch of OpenWrt alone, there have been significant changes. In general I would try to pass the most important options on the command line, because they override the options defined in snort.lua. Here is the current start line I use:
snort -q -c "/etc/snort/snort.lua" -i "4" -i "5" -i "6" --daq-dir /usr/lib/daq --daq nfq -Q -z 3 -s 64000 --daq-var queue_maxlen=8192

EDIT: I believe I have it running, but snort isn't doing anything as far as I can tell:

  • I see very tiny CPU usage with show kernel threads.
  • My rule to match ICMP ping isn't even getting tripped.
# cat /etc/snort/rules/test.rules 
alert icmp any any <> any any (msg:"TEST ALERT"; icode:0; itype:8; sid:10000010; rev:001;)

System is RPi4. Internal NIC eth0 is LAN facing and USB NIC eth1 is WAN facing.

Running snort like this:
# snort -c /etc/snort/snort.lua --tweaks local
--------------------------------------------------
o")~   Snort++ 3.1.62.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading homenet.lua:
Finished homenet.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading local.lua:
Finished local.lua:
	snort
	ssh
	host_cache
	pop
	so_proxy
	stream_tcp
	mms
	smtp
	gtp_inspect
	packets
	dce_http_proxy
	alert_fast
	cip
	ips
	stream_icmp
	hosts
	normalizer
	binder
	wizard
	appid
	js_norm
	file_id
	http2_inspect
	http_inspect
	stream_udp
	ftp_data
	ftp_server
	search_engine
	port_scan
	dce_http_server
	dce_tcp
	dce_smb
	iec104
	telnet
	ssl
	sip
	rpc_decode
	netflow
	modbus
	host_tracker
	stream_user
	stream_ip
	process
	back_orifice
	classifications
	dnp3
	active
	trace
	ftp_client
	decode
	alerts
	stream
	references
	daq
	arp_spoof
	output
	network
	dns
	dce_udp
	imap
	file_policy
	s7commplus
	stream_file
Finished /etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading rules/snort.rules:
Finished rules/snort.rules:
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0   40127       0   40127    /etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 40127
               text rules: 40127
            option chains: 40127
            chain headers: 1694
                 flowbits: 694
     flowbits not checked: 83
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any    1786     380     457     288
     src    1208     156       0       0
     dst    5060     920       0       0
    both     109      48       0       0
   total    8163    1504     457     288
--------------------------------------------------
service rule counts          to-srv  to-cli
                      bgp:        5       1
                   dcerpc:      573     496
                     dhcp:       19       5
                     dnp3:        0       6
                      dns:      268     104
                     drda:        5       0
                     file:      275     284
                      ftp:      193      21
                 ftp-data:      561    8639
                   gopher:        0       1
                     http:    14058   11590
                    http2:    14058   11590
                    http3:    14058   11590
                    ident:        1       0
                     imap:      612    8889
                      irc:       40      14
                     ircd:        9       3
                 java_rmi:       51       3
                 kerberos:       34       6
                     ldap:       42       6
                      ldp:        1       0
                   modbus:       34      10
                    mysql:       67       7
              netbios-dgm:        2       2
               netbios-ns:        8       4
              netbios-ssn:      809     541
                  netware:        2       0
                     nntp:        2       2
                      ntp:       36       7
                  openvpn:       16      16
                     pop3:      571    8893
               postgresql:        8       0
                  printer:        3       0
                   radius:        3       2
                      rdp:        3       8
                     rtmp:        1       4
                      rtp:        1       1
                     rtsp:       17       2
                      sip:      338      44
                     smtp:     7875     513
                     snmp:       46       9
                     ssdp:       13       0
                      ssh:       10       4
                      ssl:      173     202
                   sunrpc:      118       9
                   syslog:        4       0
                 teamview:        1       2
                   telnet:       55      15
                     tftp:       11       6
                      vnc:        1       1
               vnc-server:       12      10
                    total:    55103   63562
--------------------------------------------------
fast pattern groups
                      src: 486
                      dst: 1590
                      any: 8
                to_server: 127
                to_client: 92
--------------------------------------------------
search engine (ac_bnfa)
                instances: 1261
                 patterns: 133885
            pattern chars: 3092111
               num states: 2337128
         num match states: 346503
             memory scale: MB
             total memory: 76.6849
           pattern memory: 8.05497
        match list memory: 40.5348
        transition memory: 27.9412
        fast pattern only: 89388
appid: MaxRss diff: 0
appid: patterns loaded: 300
--------------------------------------------------
nfq DAQ configured to inline.
Commencing packet processing
++ [0] 4
/etc/snort/homenet.lua
HOME_NET = [[ 10.9.1.0/24 10.9.2.0/24 10.9.3.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"

/etc/snort/local.lua
snort = {}
snort["-Q"] = true

ips = {
  mode = 'inline',  -- a string per the Snort 3 manual; a bare `inline` is an undefined Lua name (nil)
  variables = default_variables,
  action_override = 'reject',
  --action_override = 'drop',
  include = RULE_PATH .. '/snort.rules',
}

daq = {
  module_dirs = {
    '/usr/lib/daq',
  },
  inputs = { '4' },  -- NFQUEUE number(s) to bind; must match the queue rule in nftables
  modules = {
    {
      name = 'nfq',
      mode = 'inline',
      variables = { 'device=eth1' } -- eth1 is wan interface
    }
  }
}

-- To log to a file, uncomment the below and manually create the dir defined in output.logdir
output.logdir = '/mnt/mmcblk0p3'
alert_fast = {
  file = true,
  packet = false,
}

--search_engine = { search_method = "hyperscan" }
--detection = { hyperscan_literals = true, pcre_to_regex = true }

normalizer = {
  tcp = {
    ips = true,
  }
}

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}
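An added example (my own, not code from any poster, the Snort project or OpenWrt) that ties together the three pieces discussed above: the nftables inet ruleset that actually hands forwarded packets to the queues, with one family-agnostic rule beside the IPv4-only and IPv6-only forms from the first post, the snort command line with the -i/-z/-s flags from the reply, and a look at the kernel's NFQUEUE counters, which is the first thing to check when snort appears to do nothing. The WAN interface name eth1, the queue numbers 4-6 and the 203.0.113.0/24 and 2001:db8::/32 sample prefixes are assumptions I constructed for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster or from the Snort/OpenWrt
# projects). Renders an nftables inet ruleset that queues forwarded traffic to Snort 3's
# nfq DAQ, builds the matching snort command line, and shows the kernel queue counters.
# Assumptions (constructed): WAN interface eth1, NFQUEUE numbers 4-6, documentation
# prefixes 203.0.113.0/24 and 2001:db8::/32 as sample addresses.
set -eu

WAN_IF="${WAN_IF:-eth1}"
QUEUE_FIRST=4
QUEUE_LAST=6

# Emit the ruleset as text so it can be checked with `nft -c` before loading. An inet
# table holds IPv4 and IPv6 together: rules without a family-specific clause match both,
# while "ip ..." and "ip6 ..." clauses silently restrict a rule to one family.
render_ruleset() {
    cat <<EOF
table inet snort {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # IPv4-only: the "ip" clause never matches an IPv6 packet.
        ip saddr 203.0.113.0/24 udp dport 22 counter
        # IPv6 needs its own rule with the "ip6" keyword.
        ip6 saddr 2001:db8::/32 udp dport 22 counter

        # Family-agnostic: matches both families because the table is inet.
        # A queue range without the fanout flag is spread by flow hash, so one flow
        # stays on one Snort packet thread (needed for stream reassembly).
        # "bypass" fails open (accept) when no Snort instance is attached to the
        # queue; drop the flag if you would rather fail closed.
        iifname "${WAN_IF}" counter queue flags bypass to ${QUEUE_FIRST}-${QUEUE_LAST}
        oifname "${WAN_IF}" counter queue flags bypass to ${QUEUE_FIRST}-${QUEUE_LAST}
    }
}
EOF
}

# Build the Snort 3 command line from the reply above: -Q for inline, one -i per
# NFQUEUE number, -z for one packet thread per queue, -s 64000 as snaplen because the
# kernel hands Snort whole reassembled datagrams, and a deeper kernel-side queue.
snort_cmdline() {
    set -- snort -q -c /etc/snort/snort.lua --daq-dir /usr/lib/daq --daq nfq -Q \
        -z $((QUEUE_LAST - QUEUE_FIRST + 1)) -s 64000 --daq-var queue_maxlen=8192
    q=$QUEUE_FIRST
    while [ "$q" -le "$QUEUE_LAST" ]; do
        set -- "$@" -i "$q"
        q=$((q + 1))
    done
    printf '%s\n' "$*"
}

# Syntax-check the ruleset without loading it (needs nft; skipped otherwise).
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        render_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Kernel view of each NFQUEUE: queue number, bound netlink portid, packets currently
# queued, copy mode and range, packets dropped (queue full) and dropped on the way to
# userspace. A portid of 0 means nothing is attached; rising drops mean Snort is
# not keeping up, which is where a too-small snaplen or queue_maxlen shows itself.
queue_status() {
    if [ -r /proc/net/netfilter/nfnetlink_queue ]; then
        cat /proc/net/netfilter/nfnetlink_queue
    else
        echo "nfnetlink_queue not available (module not loaded or no queue bound)" >&2
    fi
}

case "${1:-show}" in
    show)   render_ruleset; echo; snort_cmdline ;;
    check)  check_ruleset ;;
    status) queue_status ;;
    apply)
        check_ruleset
        render_ruleset | nft -f -
        exec $(snort_cmdline) ;;
esac
```

Run it without arguments to print the ruleset and the command line, with `check` to validate the ruleset syntax, with `status` to read the queue counters, and with `apply` to load the ruleset and exec snort. The counters on the `ip`/`ip6` rules are a quick way to confirm which family a given rule actually sees.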

For me the rule works, but I also use the Snort version from the stable branch. Were there perhaps any changes to Snort that were not taken into account?

Oh, I see a problem: you have not configured snaplen. The packets come defragmented from the kernel, so a snaplen of ~64000 is recommended. Add -s 64000 as a parameter to the snort executable.


Thanks, I replied in the other thread... let's keep our conversation there for simplicity's sake.