0004455: iptables rules for snort queue are incomplete - MantisBT
MantisBT - Endian Firewall
View Issue Details

ID: 0004455
Project: Endian Firewall
Category: Intrusion Prevention
View Status: public
Date Submitted: 2012-10-02 09:39
Last Update: 2012-10-02 09:39
Reporter: luke-endian
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 2.5

Summary: 0004455: iptables rules for snort queue are incomplete
Hi guys

We have some problems with the iptables rules if snort and the http proxy are active.
I mean that traffic that passes through the http proxy is not analysed by snort.
We can create a system access rule with target "allow with ips" with the http proxy port as destination, so traffic that starts from a client to the http proxy is queued, but there are other problems:

- only "ESTABLISHED/RELATED" INPUT packets from proxy users to squid go through snort
- traffic from the proxy users to squid has undergone DNAT when it reaches snort leading to:
* the new destination address is in snort's $HOME_NET as set by default by efw, so not in $EXTERNAL_NET which will bypass many snort rules
* the snort rules that match based on destination address won't match
* the snort alerts that will match will not reveal the original destination address
- for one connection from a user to squid, there will or will not be (depending on whether the response is cached or not) a corresponding query from squid to the original destination. Only the incoming traffic will go through snort, but the destination address will be efw's RED interface IP address which is *not* in the default HOME_NET as set by efw by default, so it will bypass many snort rules as well. Alerts for the snort rules that do match will not have the IP address of the internal machine which the traffic was meant for.
- OUTPUT traffic does not pass through snort, so many snort rules that match on "flow:established" will fail because of that.
- $HOME_NET doesn't include subnets that are routed beyond the subnets directly connected to the efw.

Tags: purple
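A toy model of the address matching the report describes, added here as an example and not part of the ticket or of Endian's code: it evaluates the address half of a Snort rule header for the three cases above (client request before and after DNAT, the web server's reply to squid, and a client on a routed subnet). All addresses, the proxy address and the "extended" HOME_NET are constructed; $EXTERNAL_NET is assumed to be !$HOME_NET, Snort's usual default.

```python
import ipaddress

# Constructed values; the report does not give Endian's actual addresses or defaults.
GREEN_LAN = ipaddress.ip_network("192.168.0.0/24")     # directly connected LAN
ROUTED_LAN = ipaddress.ip_network("10.10.0.0/24")      # subnet routed behind GREEN
PROXY_IP = ipaddress.ip_address("192.168.0.1")         # GREEN address squid listens on
RED_IP = ipaddress.ip_address("203.0.113.5")           # firewall's RED (WAN) address
WEB = ipaddress.ip_address("198.51.100.7")             # some external web server

# Default per the report: only directly connected subnets are in HOME_NET.
DEFAULT_HOME_NET = [GREEN_LAN]
# Assumed fix for two of the points: add routed subnets and the RED address.
EXTENDED_HOME_NET = [GREEN_LAN, ROUTED_LAN, ipaddress.ip_network("203.0.113.5/32")]

def header_matches(src, dst, src_var, dst_var, home_net):
    """Evaluate the address part of a Snort rule header such as
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any'. EXTERNAL_NET is !HOME_NET."""
    def in_home(ip):
        return any(ip in net for net in home_net)
    table = {"HOME_NET": in_home,
             "EXTERNAL_NET": lambda ip: not in_home(ip),
             "any": lambda ip: True}
    return table[src_var](src) and table[dst_var](dst)

def client_request(client, home_net, dnat_before_queue):
    """Client -> web server as snort sees it. With the transparent proxy, DNAT has
    already rewritten dst to the proxy address when the packet reaches the queue."""
    dst = PROXY_IP if dnat_before_queue else WEB
    return header_matches(ipaddress.ip_address(client), dst,
                          "HOME_NET", "EXTERNAL_NET", home_net)

def reply_to_squid(home_net):
    """Web server -> squid. The destination is the RED address, not the client."""
    return header_matches(WEB, RED_IP, "EXTERNAL_NET", "HOME_NET", home_net)

if __name__ == "__main__":
    for name, hn in (("default", DEFAULT_HOME_NET), ("extended", EXTENDED_HOME_NET)):
        print(name, "LAN client, queued before DNAT:", client_request("192.168.0.50", hn, False))
        print(name, "LAN client, queued after DNAT: ", client_request("192.168.0.50", hn, True))
        print(name, "routed client, before DNAT:    ", client_request("10.10.0.20", hn, False))
        print(name, "reply to squid:                ", reply_to_squid(hn))
```

Widening HOME_NET makes the routed-client and reply-to-squid cases match, but the post-DNAT request still fails under both variable sets, which is why that point needs the queue rule to see the packet before the NAT rewrite rather than a variable change.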
Issue History
2012-10-02 09:39  luke-endian  New Issue
2012-10-02 09:40  luke-endian  Tag Attached: purple

There are no notes attached to this issue.