
As we want to protect our network from malicious traffic, we are thinking about setting up Snort on our routers. For testing purposes I built a setup that replicates the network architecture, consisting of my host machine and two VMs. The host is in network 192.168.57.0/24. VM 1 (with Snort) is in network 192.168.57.0/24 on eth1 and 169.254.161.0/24 on eth2. VM 2 is in network 169.254.161.0/24 on eth1.

Routing is set up properly on all machines, so that pinging works in both directions between the host and VM 2.

VM 1 network config:

auto eth1
iface eth1 inet manual
        up ifconfig $IFACE 192.168.57.101 up
        up ip link set $IFACE promisc on
        post-up ethtool -K $IFACE gro off
        post-up ethtool -K $IFACE lro off
        down ip link set $IFACE promisc off
        down ifconfig $IFACE down

auto eth2
iface eth2 inet manual
        up ifconfig $IFACE 169.254.161.237 up
        up ifconfig $IFACE 0.0.0.0 up
        up ip link set $IFACE promisc on
        post-up ethtool -K $IFACE gro off
        post-up ethtool -K $IFACE lro off
        down ip link set $IFACE promisc off
        down ifconfig $IFACE down

/etc/snort/snort.conf:

var RULE_PATH /etc/snort/rules

config daq: afpacket
config daq_mode: inline
config daq_var: buffer_size_mb=1024
config policy_mode: inline

preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

include $RULE_PATH/local.rules

/etc/snort/rules/local.rules:

drop udp any any -> any any (msg:"UDP Traffic"; sid:1; rev:1;)

/proc/sys/net/ipv4/ip_forward is set to 1.

When I run Snort with snort -i eth1:eth2 -c /etc/snort/snort.conf -Q -A console and send a UDP packet from my host to VM 2, Snort shows the following output:

12/04-10:18:59.694958  [Drop] [**] [1:1:1] UDP Traffic [**] [Priority: 0] {UDP} 192.168.57.1:44625 -> 169.254.161.236:5050
12/04-10:18:59.694910  [Drop] [**] [1:1:1] UDP Traffic [**] [Priority: 0] {UDP} 192.168.57.1:44625 -> 169.254.161.236:5050

Yet the packet arrives on VM 2 and is not dropped.

According to every source I could find, the config should be fine and working, so I don't know why packets are still being forwarded.

Any suggestions?

Dero

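As an added example, not from the question and not Snort's own code: a small Python parser for the "snort -A console" alert lines shown above, with a helper that flags a flow receiving the same verdict more than once within a few milliseconds, which is the pattern in the two log lines above and is worth checking during triage. The sample alerts are constructed from the question's output plus one extra flow.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two console lines from the question plus one alert
# for a different flow, which must not be flagged.
SAMPLE_ALERTS = """\
12/04-10:18:59.694958  [Drop] [**] [1:1:1] UDP Traffic [**] [Priority: 0] {UDP} 192.168.57.1:44625 -> 169.254.161.236:5050
12/04-10:18:59.694910  [Drop] [**] [1:1:1] UDP Traffic [**] [Priority: 0] {UDP} 192.168.57.1:44625 -> 169.254.161.236:5050
12/04-10:19:03.120000  [Drop] [**] [1:1:1] UDP Traffic [**] [Priority: 0] {UDP} 192.168.57.1:50000 -> 169.254.161.236:53
"""

# One console alert line. The [Drop] action tag only appears in inline (-Q)
# mode, [Classification: ...] is optional, and ICMP alerts carry no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Parse one console alert into a dict, or return None for non-alert lines."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")  # log has no year
    for k in ("gid", "sid", "rev", "priority", "sport", "dport"):
        a[k] = int(a[k]) if a[k] is not None else None
    return a

def find_repeated_verdicts(text, window_ms=10.0):
    """Map (gid, sid, proto, src, sport, dst, dport) -> alert count for flows
    hit by the same rule more than once within window_ms. Verdicts microseconds
    apart may be one packet captured twice (e.g. on both sides of an inline pair)."""
    stamps = defaultdict(list)
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            key = (a["gid"], a["sid"], a["proto"], a["src"], a["sport"], a["dst"], a["dport"])
            stamps[key].append(a["ts"])
    repeated = {}
    for key, times in stamps.items():
        times.sort()
        close = sum(1 for t0, t1 in zip(times, times[1:])
                    if (t1 - t0).total_seconds() * 1000 <= window_ms)
        if close:
            repeated[key] = close + 1
    return repeated
```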