SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264

0004455: iptables rules for snort queue are incomplete - MantisBT Endian Bugtracker
Endian Issue Tracker





Please see now our new Bugtracker system: JIRA








View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0004455Endian FirewallIntrusion Preventionpublic2012-10-02 09:392012-10-02 09:39
Reporterluke-endian 
Assigned To 
PrioritynormalSeverityminorReproducibilityalways
StatusnewResolutionopen 
PlatformOSOS Version
Product Version2.5 
Target VersionFixed in Version 
Summary0004455: iptables rules for snort queue are incomplete
DescriptionHi guys

we have some problem with iptables rules if snort and http proxy are active.
I mean that traffic that pass trough http proxy is not analysed by snort.
We can create a system access rule with target "allow with ips" with http proxy port as destination,so traffic that starts from client to http proxy are queued,but there are other problems:

- only "ESTABLISHED/RELATED" INPUT packets from proxy users to squid go through snort
- traffic from the proxy users to squid has undergone DNAT when it reaches snort leading to:
* the new destination address is in snort's $HOME_NET as set by default by efw, so not in $EXTERNAL_NET which will bypass many snort rules
* the snort rules that match based on destination address won't match
* the snort alerts that will match will not reveal the original destination address
- for one connection from a user to squid, there will or will not be (depending if the response is cached or not) a corresponding query from squid to the original destination. Only the incoming traffic will go through snort, but the destination address will be efw's RED interface IP address which is *not* in the default HOME_NET as set be efw by default so will bypass many snort rules as well. Alerts for the snort rules that do match will not have the IP address of the internal machine which the traffic was meant for.
- OUPUT traffic does not pass trough snort so many snort rules that match on "flow:established" will fail because of that.
-$HOME_NET doesn't include subnets that are routed beyond the subnets directly connected to the efw.
Tagspurple
Attached Files

- Relationships

-  Notes
There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
2012-10-02 09:39 luke-endian New Issue
2012-10-02 09:40 luke-endian Tag Attached: purple

Copyright © 2005-2008 Endian, SRL. All rights reserved.


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker