I installed snort-2.9.7 from source and launch it as an IDS:

% snort -devQ -A console -c /etc/snort/snort.conf -i eth0:eth1
Enabling inline operation
Running in IDS mode
...

The config file is very trivial:

#
var RULE_PATH rules
# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any
# Setup the network addresses you are protecting
ipvar HOME_NET [10.10.10.0/24]
config daq: afpacket
config daq_mode: inline
config policy_mode:inline
include $RULE_PATH/icmp.rules

The rule in icmp.rules is simple as well, for the purpose of testing:

block icmp 10.10.10.2 any <> 10.10.10.1 any (msg:"Blocking ICMP Packet from 10.10.10.2"; sid:1000001; rev:1;)

On the host where Snort is running, the interface eth0 has address 10.10.10.1; however, when I ping 10.10.10.1 from another host, the ICMP packets don't get dropped by Snort and ICMP replies are generated:

WARNING: No preprocessors configured for policy 0.
02/27-15:04:40.623763  [Drop] [**] [1:1000001:1] Blocking ICMP Packet from 10.10.10.2 [**] [Priority: 0] {ICMP} 10.10.10.2 -> 10.10.10.1

What does the warning mean? Am I doing something wrong?

Mark

1 Answer


Replace your icmp rule by the following:

reject icmp 10.10.10.2 any <> 10.10.10.1 any (msg:"Blocking ICMP Packet from 10.10.10.2"; sid:1000001; rev:1;)

Note that there is no snort rule action called block. Use either reject or drop. For more information, see this manual page.

UPDATE:

I am not sure you can put more than one interface in your snort command. Try running two instances of snort, one for each network interface, or use the other approach explained here.

Linostar
  • Thanks for the reply. Unfortunately neither reject nor drop helps achieve what I want; I still receive ICMP replies. – Mark Feb 27 '15 at 20:57
  • Did you restart snort after changing the rule? – Linostar Feb 27 '15 at 21:05
  • Yes, I did. Can it be that the destination IP address of the ICMP request is the interface of the host where Snort is running? But I would assume that this is a normal setup. – Mark Feb 27 '15 at 21:09
  • That shouldn't be an issue. I updated my answer, so see above. – Linostar Feb 27 '15 at 21:31
  • I was following http://manual.snort.org/node7.html#SECTION00253000000000000000 when constructing the snort command line. But I thought that the 'inline' mode of Snort's operation means that Snort sits between interfaces and monitors traffic according to the ruleset. – Mark Feb 27 '15 at 21:38
  • If that's the case, are you sure that your ping (ICMP request) is traffic between your two interfaces eth0 and eth1 where snort is running? That does not seem to be the case, since your source and destination IPs seem to be on the same network (10.10.10.0/24). – Linostar Feb 28 '15 at 08:26
  • But what if I need Snort to protect a single host, rather than a router/switch device? Isn't such a mode supported by Snort? – Mark Mar 01 '15 at 00:14
  • In that case, use `-i ALL` instead of `-i eth0:eth1`, or don't put the `-i ...` option at all. – Linostar Mar 01 '15 at 07:12
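A small lint for the two mistakes discussed in this thread, added here as an example and not code from the question, the answer or the Snort project: it flags rule actions that Snort 2.9 does not know (such as `block`) and flags drop/reject/sdrop rules when snort.conf does not set `config daq_mode: inline`. The rule lines and config lines at the bottom are constructed samples modelled on the ones above; the rule-header regex is my own simplification and does not cover every header form Snort accepts.

```python
import re

# Rule actions Snort 2.9 accepts; the question's "block" is not one of them.
VALID_ACTIONS = {"alert", "log", "pass", "activate", "dynamic",
                 "drop", "reject", "sdrop"}
# These only take effect when the DAQ runs inline (config daq_mode: inline).
INLINE_ACTIONS = {"drop", "reject", "sdrop"}

# Simplified rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Split one rule header into its fields; None if the line is not a rule."""
    m = RULE_RE.match(line.strip())
    return m.groupdict() if m else None


def daq_is_inline(config_text):
    """True if snort.conf contains 'config daq_mode: inline'."""
    return any(re.match(r"^\s*config\s+daq_mode\s*:\s*inline\s*$", l)
               for l in config_text.splitlines())


def lint_rules(rules_text, config_text):
    """Return (line_no, message) findings for a rules file under a config."""
    inline = daq_is_inline(config_text)
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        rule = parse_rule(line)
        if rule is None:
            findings.append((no, "unparseable rule header"))
            continue
        action = rule["action"]
        if action not in VALID_ACTIONS:
            findings.append((no, f"unknown action '{action}'; use drop or reject"))
        elif action in INLINE_ACTIONS and not inline:
            findings.append((no, f"'{action}' needs 'config daq_mode: inline'"))
    return findings


# Constructed samples: the question's rule, then the corrected form.
SAMPLE_RULES = """\
block icmp 10.10.10.2 any <> 10.10.10.1 any (msg:"Blocking ICMP"; sid:1000001; rev:1;)
drop icmp 10.10.10.2 any <> 10.10.10.1 any (msg:"Blocking ICMP"; sid:1000002; rev:1;)
"""
INLINE_CONF = "config daq: afpacket\nconfig daq_mode: inline\n"

if __name__ == "__main__":
    for no, msg in lint_rules(SAMPLE_RULES, INLINE_CONF):
        print(f"line {no}: {msg}")
```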