Archive for the ‘Sguil’ Category

Sguil: full content logging in combination with Snort_inline, revisited *again*

Thursday, August 10th, 2006

Note to self: never assume something works, instead, test it.

Yesterday there was some discussion in the #snort channel over whether or not passing multiple interfaces to snort works. As a reminder, some time ago I noted that passing two interfaces to snort like this: ‘snort -i eth0:eth1’ worked just fine. However, common mentioned on IRC that he could not imagine it working. Determined to prove him wrong, I decided to run a few tests. On my gateway, I ran ‘snort -v -i eth0:eth1 ip proto 1’. This should print all ICMP packets to the screen for both interfaces. The first clue that something wasn’t right was this message:

OpenPcap() device eth0:eth1 network lookup:
eth0:eth1: no IPv4 address assigned

Anyhow, I continued and pinged the gateway from the eth0 network. Worked fine. Then from the eth1 network. No dice. Damn. So I switched the interfaces like this: ‘snort -v -i eth1:eth0 ip proto 1’. Guess what? Now eth1 worked and eth0 didn’t.

This was about the time I also remembered that in Sguil I had a few cases where I didn’t get any data in a transcript, although it should have been there. Because I am very busy, I had not yet investigated it.

On #snort a few more people said that it didn’t work for them, but for Joel Esler it still does. Weird. Anyhow, I am now back to running sancp and the full content logger on the ‘any’ pseudo interface, both with a BPF filter excluding local loopback from being recorded. So that looks like this: ‘snort -v -i any not host 127.0.0.1’.

What remains is the NAT issue, but I have decided that I also want the full content logging on the WAN side, so I think there is no solution for the double recording of NATted connections.

Sguil: full content logging in combination with Snort_inline, revisited

Sunday, July 30th, 2006

A few days ago I wrote about some challenges that my Snort_inline presented. Especially the full content logging wasn’t working quite as I would have liked. Logging on pseudo device ‘any’ didn’t work right because then the traffic that was NAT-ted was recorded both before NAT and after NAT. The solution I (with help of #snort-gui) came up with was using ‘-i any’ anyway, but excluding my public IP using a BPF filter. Later I saw Joel Esler write the solution to someone else in an unrelated problem. Sometimes solutions can be so simple!

Solution: passing -i eth0:eth1 to snort… Duh! Thanks Joel!

Sguil: sensor install gotcha: sancp

Saturday, July 29th, 2006

Today I installed a new sensor for Sguil. It went much better than before, but still I needed #snort-gui’s help again. The issue was that Sancp stats were not picked up by the sensor.

It turns out that the default initscript for sancp uses an old and deprecated setting that tells sancp to log into the /snort_data/sensorname/sancp/today directory. The sensor expects it in /snort_data/sensorname/sancp. After changing that in the /etc/default/sancp file it worked like a charm.

Sguil: full content logging in combination with Snort_inline

Wednesday, July 26th, 2006

Just spent some time trying to get the transcripts part of Sguil working with my Snort_inline sensor. Without an obvious clue it returned no data for every alert that was received. After much trial and error, and especially much help from Bamm Visscher on IRC, I noticed that I recorded the full packet data from my ppp0 device. Then I remembered issues I had before with that, namely that the logging occurs after NAT. Snort_inline, however, gets the packets from the system before NAT. That results in a mismatch causing the sensor to be unable to provide the requested transcript. Changing the interface to record the full packets from to eth0 solved the problem!

Partially, that is. Because I have multiple Ethernet adapters in the firewall serving multiple network segments, the problem is not entirely solved yet. Eth0 is covered, but what about eth1? Running log_packets.sh twice won’t work, because it can only run once per sensor (not to be confused with once per box), and the snort_inline process is one sensor for all NICs. Using -i any will work, but is messy, because all NATted connections will be recorded twice, once from before NAT and once from after. On #snort-gui it was suggested to check out adapter bonding. This, it turns out, only works for adapters on the same segment. In some forum I found via Google it was suggested to use -i any, but filter on the MAC address of the Ethernet adapters. When I brought that up on #snort-gui, Bamm Visscher suggested just filtering on the external IP address. That seems to work fine…
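The NAT mismatch and the two workarounds described in the two posts above, modelled as an added Python example (not code from the blog, Sguil or Snort): the addresses, ports and the loopback packet are constructed, the interface names follow the posts, and the filter function only imitates what a BPF ‘not host’ expression does.

```python
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.5"   # assumed WAN address of the gateway (constructed)
LOOPBACK = "127.0.0.1"

@dataclass(frozen=True)
class Pkt:
    iface: str
    src: str
    sport: int
    dst: str
    dport: int

def capture_on_any(inner_src, inner_sport, server, dport):
    """What the 'any' pseudo-device records for one outbound NATted connection:
    the pre-NAT copy on the LAN side (eth0) and the masqueraded copy on ppp0."""
    return [
        Pkt("eth0", inner_src, inner_sport, server, dport),   # as Snort_inline sees it
        Pkt("ppp0", PUBLIC_IP, 40001, server, dport),         # after NAT, rewritten source
    ]

def bpf_not_host(packets, *hosts):
    """Model of BPF 'not host A and not host B': drop packets to or from those hosts."""
    return [p for p in packets if p.src not in hosts and p.dst not in hosts]

def transcript_lookup(alert, packets):
    """Sguil asks the sensor for the 5-tuple from the alert. Snort_inline runs
    before NAT, so the alert carries the inner (pre-NAT) source address."""
    return [p for p in packets if (p.src, p.sport, p.dst, p.dport) == alert]

def scenarios():
    """Packet counts for each logging setup discussed in the posts."""
    alert = ("192.168.1.10", 51000, "198.51.100.7", 80)   # constructed alert 5-tuple
    any_cap = capture_on_any(*alert) + [
        Pkt("lo", LOOPBACK, 3306, LOOPBACK, 45000),       # local chatter 'any' also sees
    ]
    only = lambda iface: [p for p in any_cap if p.iface == iface]
    filtered = bpf_not_host(any_cap, LOOPBACK, PUBLIC_IP)
    return {
        # logging on ppp0: only the post-NAT copy exists, so the alert never matches
        "ppp0_lookup": len(transcript_lookup(alert, only("ppp0"))),
        # logging on eth0: the pre-NAT copy matches, but eth1 is not covered
        "eth0_lookup": len(transcript_lookup(alert, only("eth0"))),
        # '-i any': every NATted connection is recorded twice
        "any_copies": sum(1 for p in any_cap if p.dst == alert[2]),
        # '-i any not host 127.0.0.1 and not host <public ip>': one pre-NAT copy
        "filtered_copies": len(filtered),
        "filtered_lookup": len(transcript_lookup(alert, filtered)),
    }
```

The same ‘not host <public ip>’ that removes the duplicate also discards traffic addressed to the gateway’s own WAN address, which is the trade-off behind keeping only the loopback exclusion in the August 10 post.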