As we want to protect our network from malicious traffic, we are thinking about setting up Snort on our routers. For testing I built a setup that replicates the network architecture: my host machine and two VMs.
Host is in network 192.168.57.0/24.
VM 1 (with Snort) is in network 192.168.57.0/24 on eth1 and 169.254.161.0/24 on eth2.
VM 2 is in network 169.254.161.0/24 on eth1.
Routing is set up properly on all machines, so that pinging works in both directions between the host and VM 2.
VM 1 network config:
auto eth1
iface eth1 inet manual
up ifconfig $IFACE 192.168.57.101 up
up ip link set $IFACE promisc on
post-up ethtool -K $IFACE gro off
post-up ethtool -K $IFACE lro off
down ip link set $IFACE promisc off
down ifconfig $IFACE down
auto eth2
iface eth2 inet manual
up ifconfig $IFACE 169.254.161.237 up
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
post-up ethtool -K $IFACE gro off
post-up ethtool -K $IFACE lro off
down ip link set $IFACE promisc off
down ifconfig $IFACE down
/etc/snort/snort.conf:
var RULE_PATH /etc/snort/rules
config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024
config policy_mode: inline
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
include $RULE_PATH/local.rules
/etc/snort/rules/local.rules:
drop udp any any -> any any (msg:"UDP Traffic"; rev:1;sid:1;)
/proc/sys/net/ipv4/ip_forward is set to 1.
When I run Snort with snort -i eth1:eth2 -c /etc/snort/snort.conf -Q -A console
and send a UDP packet from my host to VM 2, Snort shows the following output:
12/04-10:18:59.694958 [Drop] [**] [1:1:1] UDP Traffic [**] [Priority: 0] {UDP} 192.168.57.1:44625 -> 169.254.161.236:5050
12/04-10:18:59.694910 [Drop] [**] [1:1:1] UDP Traffic [**] [Priority: 0] {UDP} 192.168.57.1:44625 -> 169.254.161.236:5050
Yet the packet arrives on VM 2 and is not dropped.
According to every source I could find, the config should be fine and working, so I don't know why packets are still being forwarded.
Any suggestions?
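As an added example that is not part of the original post: a pre-flight script for a Snort afpacket inline pair. Snort's afpacket DAQ in inline mode copies frames between the two interfaces itself, so a "[Drop]" verdict only withholds Snort's copy. If the kernel also has an IPv4 address on a bridged interface and net.ipv4.ip_forward is 1, the kernel routes the packet on its own and it reaches the far side anyway. The script flags both conditions. The interface names eth1/eth2, the iproute2 "ip -4 -o addr" output format and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight check for a
# Snort afpacket inline pair (eth1:eth2 assumed, as in the question).
#
# The afpacket DAQ in inline mode copies frames between the two interfaces
# itself. If the kernel also has an IPv4 address on a bridged interface and
# net.ipv4.ip_forward=1, the kernel routes the packet on its own, so a Snort
# "Drop" only withholds Snort's copy. This script flags both conditions.

# judge_inline_pair IPFWD ADDRS_A ADDRS_B
#   IPFWD   : value of /proc/sys/net/ipv4/ip_forward ("0" or "1")
#   ADDRS_A : IPv4 addresses on the first bridged interface (space separated)
#   ADDRS_B : IPv4 addresses on the second bridged interface
# Prints one PROBLEM line per finding; returns 0 only when Snort is the sole
# forwarding path between the two interfaces.
judge_inline_pair() {
    _ipfwd=$1; _addrs_a=$2; _addrs_b=$3; _rc=0
    if [ "$_ipfwd" = "1" ]; then
        echo "PROBLEM: ip_forward=1, the kernel routes between the interfaces itself"
        _rc=1
    fi
    if [ -n "$_addrs_a" ]; then
        echo "PROBLEM: first bridged interface carries IPv4 address(es): $_addrs_a"
        _rc=1
    fi
    if [ -n "$_addrs_b" ]; then
        echo "PROBLEM: second bridged interface carries IPv4 address(es): $_addrs_b"
        _rc=1
    fi
    return $_rc
}

# count_problems IPFWD ADDRS_A ADDRS_B : number of PROBLEM lines found
count_problems() {
    judge_inline_pair "$1" "$2" "$3" | grep -c '^PROBLEM' || true
}

# iface_v4_addrs IFACE : IPv4 addresses configured on IFACE (live system;
# assumes iproute2 "ip -4 -o addr" output where field 4 is "addr/prefix")
iface_v4_addrs() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 \
        | tr '\n' ' ' | sed 's/ *$//'
}

# preflight [IFACE_A] [IFACE_B] : run the check against the running box
preflight() {
    _a=${1:-eth1}; _b=${2:-eth2}
    judge_inline_pair "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" \
                      "$(iface_v4_addrs "$_a")" "$(iface_v4_addrs "$_b")"
}

# Run live only when asked, so the file can also be sourced for its functions:
#   sh snort-inline-preflight.sh --live eth1 eth2
case "${1:-}" in
    --live) preflight "${2:-eth1}" "${3:-eth2}" ;;
esac
```

With the configuration from the question (192.168.57.101 on eth1 and ip_forward=1) the check reports two problems and exits non-zero. For a box that must keep routing, the alternative to a transparent afpacket pair is to leave forwarding to the kernel and hand packets to Snort through the nfq DAQ (config daq: nfq in snort.conf, with an iptables FORWARD rule using -j NFQUEUE); the kernel then only forwards packets Snort returns with a pass verdict.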