Snort IPS Inline mode not working as expected.
-
I am running 22.01-RELEASE (amd64) with the latest SNORT package.
A few problems that I am having with SNORT, and/or the instructions in the configuration instructions post are not clear.
-
Alert Log View Filter doesn't seem to work when you enter the GID or SID and filter.
For example, I filter on 1:2402000. I put that in the GID field and nothing is returned. I put that value in the SID field and nothing is returned. I clear the filter and do a ctrl + f and search for 1:2402000 and it's at the top of the most recent entries in the activity log. In fact, it appears numerous times.
Changing the action.
If I try changing the action from default to block or reject, the SID 1:2500012 is still set to alert. That doesn't work so I instead went to SID Mgmt and created a new configuration list. In the list I called "WanBlocks" I put the SID 1:2500012 in there. Applied the list to the WAN interface and chose to block and Rebuild. This doesn't seem to work. Action is still set to the default action which is alert.
The most consistent thing I found is to go under the category and select the rule action there. Don't want to do that from an Operations perspective.
-
@michmoor So I just solved the first issue.
GID and SID are separate fields, but I was putting in, for example, 1:2403392, all in one field. So putting just 2403392 in the SID field, I get the logs. Any reason why there isn't just one field that says GID:SID and search on that? A bit confusing. Item 2 is still an issue. Short of disabling the rule individually, there doesn't seem to be a way to apply the action via the Alerts tab.
-
@michmoor said in Snort IPS Inline mode not working as expected.:
@michmoor So I just solved the first issue.
GID and SID are separate fields, but I was putting in, for example, 1:2403392, all in one field. So putting just 2403392 in the SID field, I get the logs. Any reason why there isn't just one field that says GID:SID and search on that? A bit confusing. Item 2 is still an issue. Short of disabling the rule individually, there doesn't seem to be a way to apply the action via the Alerts tab.
For item #1:
The logic treats GID and SID as separate fields because they are returned that way in the logging from the Snort binary. Makes searching easier. You can put values in both fields and they will be combined using AND logic. So if you put "1" in the GID field and "2500012" in the SID field, that will return the matches. But in reality, you will never want to put anything in the GID field most of the time because ALL general rules use GID "1". Only the Snort preprocessor built-in rules use different GID values.
For item #2:
Not sure exactly what is happening, but changing the action from either place works. At least it used to. I would need to fire up a virtual machine and test again to verify. How exactly are you determining what the default action is? Are you looking at the rules on the file system? If so, you are likely not looking in the correct location. The current set of "active" rules for an interface lives in a sub-directory underneath /usr/local/etc/snort/ and then in a /rules/ subdirectory found there -- specifically in a file called snort.rules.
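The two points above (the GID and SID filter fields being combined with AND, and the effective rule action being whatever is written in the per-interface snort.rules) can be reproduced outside the GUI. The following script is an added example written for this thread; it is not code from the pfSense Snort package. It parses alert lines in Snort's standard "fast" output format (the pfSense package's own alert log uses a different, CSV-style layout, so treat the format and the sample lines as constructed for illustration), applies a GID/SID filter the way the Alerts tab does, and looks up the action keyword a SID has in an active snort.rules. The SIDs, rule messages and the `snort_*/rules/snort.rules` directory glob are assumptions for the example.

```python
"""Added example for the GID/SID filter and the active-rule action check.
Not code from the pfSense Snort package; sample data below is constructed."""
import glob
import os
import re
from typing import List, Optional

# Snort "fast" alert line, e.g.
#   03/15-10:01:02.123456  [**] [1:2403392:68522] msg text [**] [Classification: ...] ...
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

# A rule line in snort.rules; pfSense disables a rule by prefixing it with "# ".
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|reject|sdrop|log|pass)\s+\S+"
    r".*?\bsid:\s*(?P<sid>\d+)\s*;"
)


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return gid/sid/rev/msg from a fast-format alert line, or None if it is not one."""
    m = FAST_RE.search(line)
    if not m:
        return None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]), "msg": m["msg"]}


def filter_alerts(lines: List[str], gid: str = "", sid: str = "") -> List[dict]:
    """Mimic the Alerts tab filter: GID and SID are separate numeric fields
    joined with AND; an empty field matches everything. A value such as
    "1:2403392" typed into either field is not a plain number, so it matches
    nothing, which is what the first post in the thread observed."""
    def want(field: str, actual: int) -> bool:
        field = field.strip()
        if field == "":
            return True
        if not field.isdigit():
            return False
        return int(field) == actual

    hits = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and want(gid, alert["gid"]) and want(sid, alert["sid"]):
            hits.append(alert)
    return hits


def rule_action(rules_text: str, sid: int) -> Optional[str]:
    """Action keyword the active rules file applies to `sid`: "alert", "drop",
    "reject", ...; "disabled" if the rule is present but commented out; None if absent."""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and int(m["sid"]) == sid:
            return "disabled" if m["disabled"] else m["action"]
    return None


def active_rule_files(base: str = "/usr/local/etc/snort") -> List[str]:
    """Per-interface active rule files. The directory naming is an assumption
    (one snort_* sub-directory per interface, each holding rules/snort.rules)."""
    return sorted(glob.glob(os.path.join(base, "snort_*", "rules", "snort.rules")))


# Constructed sample alerts (fast format) for the three SIDs discussed above.
SAMPLE_ALERTS = [
    "03/15-10:01:02.123456  [**] [1:2403392:68522] SAMPLE ET rule A [**] "
    "[Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.7:41234 -> 192.0.2.10:443",
    "03/15-10:01:05.000001  [**] [1:2500012:5041] SAMPLE ET rule B [**] "
    "[Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.9:5555 -> 192.0.2.10:22",
    "03/15-10:02:00.000002  [**] [129:12:1] (stream5) SAMPLE preprocessor event [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:5556 -> 192.0.2.10:22",
    "03/15-10:03:00.000003  [**] [1:2403392:68522] SAMPLE ET rule A [**] "
    "[Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.8:41235 -> 192.0.2.10:443",
]

# Constructed sample snort.rules content: one rule forced to drop, one left at alert,
# one disabled by the package's "# " prefix.
SAMPLE_RULES = """# constructed sample active rules file
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ET rule B"; sid:2500012; rev:5041;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ET rule A"; sid:2403392; rev:68522;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE disabled rule"; sid:2000001; rev:1;)
"""

if __name__ == "__main__":
    print("SID field '1:2403392' ->", len(filter_alerts(SAMPLE_ALERTS, sid="1:2403392")), "hits")
    print("SID field '2403392'   ->", len(filter_alerts(SAMPLE_ALERTS, sid="2403392")), "hits")
    print("GID 1 AND SID 2500012 ->", len(filter_alerts(SAMPLE_ALERTS, gid="1", sid="2500012")), "hits")
    print("sid 2500012 action in sample rules:", rule_action(SAMPLE_RULES, 2500012))
    # On a pfSense box, check the real per-interface files instead of the sample text.
    for path in active_rule_files():
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, "->", rule_action(fh.read(), 2500012))
```

Run it on the firewall after a Rebuild: if `rule_action` reports "alert" for a SID you set to block in SID Mgmt, the action change did not reach the active snort.rules for that interface, which is the file the running Snort instance actually loads.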