Snort logging all lan access to squid port.

Posted on 2003-02-24
Last Modified: 2008-01-16
...even though the internal LAN IP range is specified and the Snort rule is to only log EXTERNAL_NET accesses to that port.

Any ideas as to why this is happening? It's generating 50-100M of logs/week because of this, and I have no way of stopping it short of reconfiguring Snort to stop watching that port.
Question by:gord11
8 Comments

Expert Comment

by:Gabriel Orozco
ID: 8014674
First:

Go to your squid.conf and, instead of making it listen on 3128, make it listen on
localhost:3128
internalip:3128

and then restart squid.
Then squid will no longer be listening on the external IP, and you will have avoided the root cause of your problem.

Also: it's good practice to block access to squid and other hosts from outside.

Author Comment

by:gord11
ID: 8020243
Thanks for the tip. I'll do that, but I don't think it'll solve my Snort problem, because the internalip:3128 connections will be the same ones being logged as alerts by Snort.

Maybe I wasn't very clear: this is not a multihomed box. It is a system that sits behind my diskless router/firewall in the LAN with the rest of the internal systems. I set up squid only because my DSL ISP started putting bandwidth caps on users.

Expert Comment

by:Gabriel Orozco
ID: 8020533
Again I am not understanding well... maybe.

If you have a Linux box sitting in the middle of two connections, one internal and the other to the firewall, then HOW do you have lots of connections from the firewall? You should not be receiving any requests from that side.

this is what I see:

 internet -- firewall --(1)squidbox(2) -- LAN

Your squid should only be listening on (2), but you want to make Snort stop logging requests on (1), which should never happen. If that is happening, then check your firewall rules: you should not accept any traffic to port 3128.

Regards

Author Comment

by:gord11
ID: 8023263
I see why you suggested the squid reconfigure now. It makes sense if that's how my LAN was laid out.

Here's how it is.

internet--firewall(& masquerading)--2 cascaded SMC switches--ALL boxes come from these 2 switches.
 
"All boxes" is every computer in the LAN, no DMZ. HTTP and FTP traffic from all PCs gets routed to the squid box via proxy settings. The reason I put Snort on the squid box is because it is also the only box accessible (by ssh) from the internet (port forwarding at the firewall).

I tried to optimize traffic by isolating the PCs that share the most data on the same switch; everything else is on the other switch.

s|----->pc1
w|----->pc2
i|----->pc3
t|----->squid, ssh, snort
c|-----pc4
h|-----pc5
e|--etc
s|

Does it make sense?

Now, in Snort, I've specified the internalIP range, and the Snort rule for 3128 is to log externalIP to port 3128. Instead, what I'm getting is logs of everything from the internalIP range too.

Expert Comment

by:jimbb
ID: 8023752
OK. Well, in your situation I would certainly also recommend binding Squid to only your internal interface, as Redimido suggested.

As for your problem with Snort, the rulesets can be so complex that it would be difficult to just instantly say what the problem is; however, it sounds like either there is a problem with your EXTERNAL_NET definition, or there are some other rules being loaded that match the same packets. Are you using the "standard" Snort ruleset (rules.tar.gz)?

Also have you bound Snort to the proper interface?

Personally, I would prefer binding Snort and Squid to the internal interface only (since you are really concerned with compromised _internal_ machines), and ignoring traffic that only passes over the external interface.

(Or you could run another copy of Snort on the external interface with a greatly reduced ruleset.  Anything more than this is going to generate more crap than you might be willing to read.)

Accepted Solution

by: Gabriel Orozco (earned 200 total points)
ID: 8028025
Create a form with a button on it.  Do not name anything and copy this code into your Unit file.  The single button will inherit the default property when you click the enter key.  Cheers mate.

// Begin code..
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    procedure FormShow(Sender: TObject);
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
    Mouse: TCursor;

Expert Comment

by:Gabriel Orozco
ID: 8028026
As I understand you now, your squid box is some internal box, very apart from your firewall.

But something suggests to me it's better to move your squid and also your Snort to the firewall box itself (if it is Linux also), because your squid box will likely have only one interface, and rules for 0.0.0.0 will also include your internal LAN ranges :-)

I'm not so seasoned in Snort that I can tell it to sniff on 0.0.0.0 but make an exception for the 192.168.0.0/24 range, for example. I also think the layout you have right now is kind of difficult and not the best, you know?

Regards

Expert Comment

by:festive
ID: 8110384
Just a few options:
1) You could configure Snort to use a pass rule for local proxy traffic.
2) You could change the port number that squid is using (i.e. from 3128 to 3666); Snort will then ignore it.
(This can be made transparent to users via a port NAT.)
3) You could disable or alter the Snort rule that is firing.

In my experience with Snort, this usually happens because of an error in the config file, or there is a variable name difference in the specific rule file.

If you try option 1, keep in mind that you need to change the trigger order to pass,alert (this is a very common trap, and your pass rule will appear to be ignored).

Remember, if you are altering files, to use a SID above 1000000 and to put this into a local.rules file (and to include this in the snort.conf file).

Hope this helps
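The two likely causes named in this thread (an EXTERNAL_NET of `any` instead of `!$HOME_NET`, and a pass rule defeated by the alert-before-pass default order) can be reproduced with a small Python model. This is an added example, not code from the thread or from Snort: the LAN range, the flows and the matcher are constructed and only imitate Snort's variable expansion and rule-type ordering.

```python
import ipaddress

# Constructed sample LAN: the range the thread calls the "internalIP" range.
HOME_NET = ipaddress.ip_network("192.168.0.0/24")

# Constructed flows as (src, dst, dst_port); 192.168.0.5 stands in for the squid box.
FLOWS = [
    ("192.168.0.11", "192.168.0.5", 3128),  # pc1 -> squid
    ("192.168.0.12", "192.168.0.5", 3128),  # pc2 -> squid
    ("192.168.0.13", "192.168.0.5", 22),    # pc3 -> ssh, not the proxy port
    ("203.0.113.7", "192.168.0.5", 3128),   # host outside the LAN -> squid
]

def in_home_net(ip):
    return ipaddress.ip_address(ip) in HOME_NET

def src_matches(external_net, src):
    """Expand the rule's $EXTERNAL_NET as snort.conf may define it: 'any'
    matches every source, so LAN clients fire the rule too; '!$HOME_NET'
    matches only sources outside the LAN."""
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":
        return not in_home_net(src)
    raise ValueError(f"unsupported EXTERNAL_NET: {external_net}")

def evaluate(flows, external_net, pass_rule=False, order=("alert", "pass")):
    """Return one (src, action) per flow to TCP/3128; the first rule type in
    `order` that matches decides. pass_rule models a local.rules entry
    'pass tcp $HOME_NET any -> $HOME_NET 3128'. Snort of that era applied
    alert before pass unless told otherwise (-o, or config order: pass alert),
    so with the default order the pass rule looks ignored."""
    results = []
    for src, dst, dport in flows:
        if dport != 3128:
            continue
        action = "none"
        for kind in order:
            if kind == "alert" and src_matches(external_net, src):
                action = "alert"
            elif kind == "pass" and pass_rule and in_home_net(src) and in_home_net(dst):
                action = "pass"
            if action != "none":
                break
        results.append((src, action))
    return results

def count(results, action):
    return sum(1 for _, a in results if a == action)
```

With `any`, both LAN clients alert alongside the outside host; with `!$HOME_NET` only the outside host does, and the pass rule only silences LAN traffic once pass is ordered before alert.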
