Solved

Snort logging all lan access to squid port.

Posted on 2003-02-24
Last Modified: 2008-01-16
...even though the internal LAN IP range is specified and the Snort rule is to only log external_net accesses to that port.

Any ideas as to why this is happening? It's generating 50-100M of logs/week because of this, and I have no way of stopping it short of reconfiguring Snort to stop watching that port.
Question by:gord11
10 Comments
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8014674
First:

Go to your squid.conf and, instead of making it listen on 3128, make it listen on
localhost:3128
internalip:3128

and then restart Squid.
Then Squid will no longer be listening on the external IP, and you will have avoided the root cause of your problem.

Also: it's good practice to block access to Squid and other hosts from outside.
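The squid.conf change described in the comment above, written out as an added example (not the poster's configuration): the LAN range 192.168.1.0/24 and the proxy's LAN address 192.168.1.5 are assumed. The commented-out http_port line is the catch-all form the advice replaces; the lines after it bind Squid to loopback and the LAN address only and add the ACLs that refuse everyone outside the LAN.

```conf
# squid.conf fragment (example; addresses are assumed)

# Weak: a bare port binds to every interface, including any that is
# reachable from outside
# http_port 3128

# Corrected: listen only on loopback and the LAN-facing address
http_port 127.0.0.1:3128
http_port 192.168.1.5:3128

# Only LAN clients may use the proxy; refuse all other sources
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
```

After restarting Squid, `netstat -ln` should show 3128 bound to 127.0.0.1 and 192.168.1.5 rather than 0.0.0.0.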
 

Author Comment

by:gord11
ID: 8020243
Thanks for the tip. I'll do that, but I don't think it'll solve my Snort problem because the internalip:3128's will be the same ones being logged as alerts by Snort.

Maybe I wasn't very clear: this is not a multihomed box. It is a system that sits behind my diskless router/firewall in the LAN with the rest of the internal systems. I set up Squid only because my DSL ISP started putting bandwidth caps on users.
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8020533
Again, I am not understanding well... maybe.

If you have a Linux box sitting in the middle of two connections, one internal and the other going to the firewall, then HOW do you have lots of connections from the firewall? You should not be receiving any requests from that side.

This is what I see:

 internet -- firewall --(1)squidbox(2) -- LAN

Your Squid should only be listening on (2), but you want to make Snort stop logging requests on (1), which should never happen. If that is happening, then check your firewall rules: you should not accept any traffic to port 3128.

Regards

 

Author Comment

by:gord11
ID: 8023263
I see why you suggested the Squid reconfigure now. It makes sense if that's how my LAN was laid out.

Here's how it is.

internet--firewall(& masquerading)--2 cascaded SMC switches--ALL boxes come from these 2 switches.
 
"All boxes" is every computer in the LAN, no DMZ. HTTP and FTP traffic from all PCs gets routed to the Squid box via proxy settings. The reason I put Snort on the Squid box is because it is also the only box accessible (by SSH) from the internet (port forwarding at the firewall).

I tried to optimize traffic by isolating the PCs that share the most data on the same switch; everything else is on the other switch.

s|----->pc1
w|----->pc2
i|----->pc3
t|----->squid, ssh, snort
c|-----pc4
h|-----pc5
e|--etc
s|

Does it make sense?

Now, in Snort, I've specified the internalIP range, and the Snort rule for 3128 is to log externalIP to port 3128. Instead, what I'm getting is logs of everything from the internalIP range too.
 
LVL 2

Expert Comment

by:jimbb
ID: 8023752
OK. Well, in your situation I would certainly also recommend binding Squid to only your internal interface, as Redimido suggested.

As for your problem with Snort, the rulesets can be so complex that it would be difficult to just instantly say what the problem is; however, it sounds like either there is a problem with your external_net definition, or there are some other rules being loaded that match the same packets. Are you using the "standard" Snort ruleset (rules.tar.gz)?

Also have you bound Snort to the proper interface?

Personally, I would prefer binding Snort and Squid to the internal interface only (since you are really concerned with compromised _internal_ machines), and ignoring traffic that only passes over the external interface.

(Or you could run another copy of Snort on the external interface with a greatly reduced ruleset.  Anything more than this is going to generate more crap than you might be willing to read.)
 
LVL 19

Accepted Solution

by:Gabriel Orozco (earned 200 total points)
ID: 8028025
Create a form with a button on it.  Do not name anything and copy this code into your Unit file.  The single button will inherit the default property when you click the enter key.  Cheers mate.

// Begin code..
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    procedure FormShow(Sender: TObject);
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
    Mouse: TCursor;
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 8028026
As I understand you now, your Squid box is some internal box, quite separate from your firewall.

But something suggests to me it's better to move your Squid and also your Snort to the firewall box itself (if it is Linux also), because your Squid box will likely have only one interface, and rules for 0.0.0.0 will also include your internal LAN ranges :-)

I'm not so seasoned in Snort that I can tell it to sniff on 0.0.0.0 but make an exception for the 192.168.0.0/24 range, for example. I also think what you have right now is kind of difficult and not the best layout, you know?

Regards
 
LVL 2

Expert Comment

by:festive
ID: 8110384
Just a few options:
1) You could configure Snort to use a pass rule for local proxy traffic.
2) You could change the port number that Squid is using (i.e. from 3128 to 3666); Snort will then ignore it.
(This can be made transparent to users via a port NAT.)
3) You could disable or alter the Snort rule that is firing.

In my experience with Snort, this usually happens because of an error in the config file, or there is a variable name difference in the specific rule file.

If you try option 1, keep in mind that you need to change the trigger order to pass, alert (this is a very common trap, and your pass rule will appear to be ignored).

Remember, if you are altering files, to use a SID above 1000000 and to put this into a local.rules file (and to include this in the snort.conf file).

Hope this helps
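The two Snort behaviours this thread turns on, modelled as an added example that is neither Snort's code nor the poster's configuration: first, an `EXTERNAL_NET` left at its default of `any` still matches LAN sources, so a rule written as `$EXTERNAL_NET any -> $HOME_NET 3128` fires on every internal client, whereas `var EXTERNAL_NET !$HOME_NET` excludes them (the external_net definition problem jimbb suspects); second, a pass rule only wins if Snort's rule order is changed to pass-before-alert (the `-o` flag in Snort 2.x), the trap festive describes. The ranges 192.168.1.0/24 and 192.168.1.5, the 203.0.113.7 external host, and the two rules are all constructed for the example; the code is a small simulator of Snort's variable expansion and rule ordering, not Snort itself.

```python
"""
Added illustration (not Snort's code, not the poster's snort.conf) of why an
"alert ... $EXTERNAL_NET any -> $HOME_NET 3128" rule fires on LAN traffic when
EXTERNAL_NET is "any", and why a pass rule is ignored unless Snort's rule order
is changed to pass-before-alert (the -o flag in Snort 2.x).
All addresses, ranges and rules below are constructed for the example.
"""
import ipaddress
import re

# Constructed snort.conf variable blocks. BROKEN reproduces the symptom in the
# thread; FIXED excludes the LAN from EXTERNAL_NET.
BROKEN_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "any"}
FIXED_VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

# Constructed rules in Snort 2.x syntax. The pass rule is what would go into
# local.rules, with a SID above 1000000 as the comment above recommends.
ALERT_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 '
              '(msg:"proxy port access"; sid:1000002; rev:1;)')
PASS_RULE = ('pass tcp $HOME_NET any -> $HOME_NET 3128 '
             '(msg:"LAN proxy traffic"; sid:1000001; rev:1;)')

RULE_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def resolve(spec, variables):
    """Expand $VAR references; return (negated, networks), networks=None for 'any'."""
    negated = False
    spec = spec.strip()
    while spec.startswith("!"):
        negated = not negated
        spec = spec[1:]
    if spec.startswith("$"):
        inner_neg, nets = resolve(variables[spec[1:]], variables)
        return (negated != inner_neg, nets)
    if spec == "any":
        return (negated, None)
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.strip("[]").split(",")]
    return (negated, nets)


def addr_matches(spec, variables, addr):
    """True if addr satisfies a spec such as '$HOME_NET', '!$HOME_NET' or 'any'."""
    negated, nets = resolve(spec, variables)
    hit = True if nets is None else any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, variables, pkt):
    """pkt is (proto, src_ip, src_port, dst_ip, dst_port)."""
    action, proto, src, sport, dst, dport, _opts = RULE_RE.match(rule).groups()
    p_proto, p_src, p_sport, p_dst, p_dport = pkt
    return (proto == p_proto
            and addr_matches(src, variables, p_src) and port_matches(sport, p_sport)
            and addr_matches(dst, variables, p_dst) and port_matches(dport, p_dport))


def evaluate(rules, variables, pkt, pass_first=False):
    """Return the action Snort would take on pkt, or None if nothing matches.
    Snort 2.x applies alert rules before pass rules by default; -o reverses that."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        for rule in rules:
            if rule.split()[0] == action and rule_matches(rule, variables, pkt):
                return action
    return None


def sid_is_local(rule):
    """True if the rule's SID is in the range reserved for local rules (>= 1000000)."""
    m = re.search(r'\bsid:\s*(\d+)', rule)
    return m is not None and int(m.group(1)) >= 1000000


# Constructed sample packets: a LAN client and an Internet host hitting the proxy.
LAN_PKT = ("tcp", "192.168.1.10", 40123, "192.168.1.5", 3128)
EXT_PKT = ("tcp", "203.0.113.7", 51234, "192.168.1.5", 3128)

if __name__ == "__main__":
    print("EXTERNAL_NET any, LAN client  :", evaluate([ALERT_RULE], BROKEN_VARS, LAN_PKT))
    print("EXTERNAL_NET !$HOME_NET, LAN  :", evaluate([ALERT_RULE], FIXED_VARS, LAN_PKT))
    print("EXTERNAL_NET !$HOME_NET, ext  :", evaluate([ALERT_RULE], FIXED_VARS, EXT_PKT))
    print("pass rule, default order      :", evaluate([ALERT_RULE, PASS_RULE], BROKEN_VARS, LAN_PKT))
    print("pass rule, -o (pass first)    :",
          evaluate([ALERT_RULE, PASS_RULE], BROKEN_VARS, LAN_PKT, pass_first=True))
```

The first two lines of output are the point of the thread: with `EXTERNAL_NET any` the LAN client alerts, with `!$HOME_NET` it does not, while the Internet host still alerts in both cases. The last two lines show festive's trap: adding the pass rule alone changes nothing under the default order, and only the pass-first order suppresses the LAN alert. Fixing the variable is the cleaner of the two, because it keeps the rule's intent instead of papering over it.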

Question has a verified solution.