LINUX.ORG.RU
ФорумAdmin

snort: фильтрация ipv6

 , , , ,


0

1

Короче, пробую сделать фильтрацию в ipv6.

root@filter0:/home/user# cat /etc/snort/rules/local.rules
reject tcp any any -> any any (msg:"HTTP test";sid:10000001;react; rev:001;)
root@filter0:/home/user#
При пропуске tcp трафика получаем:
Commencing packet processing (pid=982)
Decoding Raw IP6
11/05-22:17:22.489083  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140 -> 2a02:6b8::2:242:80
11/05-22:17:23.047332  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:80 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140
11/05-22:17:23.047632  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140 -> 2a02:6b8::2:242:80
11/05-22:17:23.048062  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140 -> 2a02:6b8::2:242:80
11/05-22:17:23.602873  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:80 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140
11/05-22:17:23.605475  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:80 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140
11/05-22:17:23.605595  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140 -> 2a02:6b8::2:242:80
11/05-22:17:23.617973  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:24.046448  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:24.046755  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:24.047220  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:24.550999  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:24.551093  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:24.551164  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:24.551225  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:24.551306  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:24.551514  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:24.551573  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:24.566602  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:24.566611  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:24.945299  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:24.947580  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:25.345172  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.481638  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.484309  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.484309  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.486201  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:25.486210  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140 -> 2a02:6b8::2:242:80
11/05-22:17:25.535520  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.537952  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.537952  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.537952  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.538065  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:25.538069  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:25.617089  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.623854  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.623854  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.623940  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:25.956013  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.956707  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.956707  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:25.956730  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:80 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140
11/05-22:17:25.957124  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:25.958759  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:53140 -> 2a02:6b8::2:242:80
11/05-22:17:25.958767  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:26.445400  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:26.445421  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a02:6b8::2:242:443 -> 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833
11/05-22:17:26.450655  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443
11/05-22:17:26.450662  [**] [1:10000001:1] HTTP test [**] [Priority: 0] {TCP} 2a01:d0:c353:7:fd0d:6096:9f6c:e5af:54833 -> 2a02:6b8::2:242:443

Но, фильтрация не работает. Трафик у меня зеркалируется так:
root@router:/home/ad# ip6tables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 5439 packets, 1521K bytes)
 pkts bytes target     prot opt in     out     source               destination 
 2242  285K TEE        all      any    any     2a01:d0:c353:7:fd0d:6096:9f6c:e5af  anywhere             TEE gw:fd00:10:1::254
 2682 1200K TEE        all      any    any     anywhere             2a01:d0:c353:7:fd0d:6096:9f6c:e5af  TEE gw:fd00:10:1::254

Chain INPUT (policy ACCEPT 467 packets, 32072 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 4867 packets, 1481K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 5386 packets, 1517K bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain POSTROUTING (policy ACCEPT 10263 packets, 2999K bytes)
 pkts bytes target     prot opt in     out     source               destination 
root@router:/home/ad#
В чём может быть проблема?
С ipv4 всё работает нормально.
Тоже самое и при маршрутизации.

★★★★★

А как вы его запускаете? Если NFQ и сразу ipv4 + ipv6, так он этого и не умел в ветке 2.х. http://seclists.org/snort/2015/q4/111

Как вариант, можно посмотреть в сторону net-analyzer/suricata. Я в свое время со snort на suricata ушел, правда, по причине поддержки многопоточности и более прогрессивного развития проекта (snort 3 обещают уже лет 5, похоже, cisco просто тормозит развитие проекта, конкурирующего с её собственным программно-аппаратными решениям).

viewizard ★★ ()
Ответ на: комментарий от viewizard

Дело в том, что я запускаю только с ipv6. Когда запускал с ipv4, всё работало нормально.

ne-vlezay ★★★★★ ()
Ответ на: комментарий от ne-vlezay

А покажите, где у вас отправляет на NFQUEUE. В том, что вы кинули с «root@router:/home/ad# ip6tables -t mangle -L -v» в первом посте я что-то не вижу этого. Вы точно заводите на NFQUEUE для ipv6?

* ну да, должны заводить, если у вас есть лог, но все равно, может там какие-то нюансы...

viewizard ★★ ()
Последнее исправление: viewizard (всего исправлений: 1)
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.