Snort mailing list archives

FreeBSD, snort does not block packets in inline mode


From: Dmitry <z1nkum () gmail com>
Date: Mon, 22 Oct 2012 12:22:05 +0400

Hello,

FreeBSD 9.0-RELEASE #0
snort-2.9.3.1
daq-1.1.1

Similar to http://seclists.org/snort/2011/q1/237 - Snort in inline mode
works "strangely": it always logs to alert, but packets are not blocked.


ipfw divert:

divert 8100 tcp from any to any dst-port 80 in recv em0

Snort cmd:

snort -vQ -d -c /usr/local/etc/snort/snort.conf --daq ipfw --daq-var port=8100 -i em0 port 80

[em0] - interface to home net

Test rules:

drop tcp any any -> any 80 (msg:"test site req blocked 1"; content:"Host: ya.ru"; resp:rst_all; sid:112227; rev:1;)
drop tcp any any -> any 80 (msg:"test site req blocked 2"; content:"Host: ya.ru"; react:msg; sid:112228; rev:1;)

Alert logs:

[**] [1:112228:1] test site req blocked 2 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1  Ack: 0x69D405E0  Win: 0xFC00  TcpLen: 20

[**] [1:112227:1] test site req blocked 1 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1  Ack: 0x69D405E0  Win: 0xFC00  TcpLen: 20


Verbose log:
http://pastebin.com/dAmE4E8K

Config:
http://pastebin.com/Y2tEZiaJ

And on both interfaces I can't see any RST packets:

# tcpdump -ln -i em0 port 80 and 'tcp[13] & 4!=0'
# tcpdump -ln -i em1 port 80 and 'tcp[13] & 4!=0'


And no react page is going back to the client (I've tried just the react rule,
without resp:rst_all).

At the same time, if I don't use inline mode, I see the react page in ~50% of
cases (as I understand, it depends on whose packet arrives sooner).
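An added example, not part of the mail above: a small parser for the full-format alert records quoted in the post, which then groups the records by the packet they describe (timestamp, 5-tuple and IP ID). Two drop SIDs landing under one key is exactly what the quoted log shows, and having that grouping is the first thing to check when alerts fire but nothing is blocked, because it tells you which packet the verdict should have applied to. The sample records are constructed with documentation addresses in place of the mail's, and the five-line record layout (header, priority, connection tuple, IP line, TCP line) is assumed from what the post shows.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the layout of the "full" alert records quoted in the
# mail. Addresses are documentation values (RFC 5737), not the mail's.
SAMPLE_ALERTS = """\
[**] [1:112228:1] test site req blocked 2 [**]
[Priority: 0]
10/22-00:24:50.662505 192.0.2.10:3764 -> 198.51.100.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1  Ack: 0x69D405E0  Win: 0xFC00  TcpLen: 20

[**] [1:112227:1] test site req blocked 1 [**]
[Priority: 0]
10/22-00:24:50.662505 192.0.2.10:3764 -> 198.51.100.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1  Ack: 0x69D405E0  Win: 0xFC00  TcpLen: 20

[**] [1:112227:1] test site req blocked 1 [**]
[Priority: 0]
10/22-00:25:12.101010 192.0.2.10:3765 -> 198.51.100.3:80
TCP TTL:128 TOS:0x0 ID:57400 IpLen:20 DgmLen:402 DF
***AP*** Seq: 0x6A1B0001  Ack: 0x7C000010  Win: 0xFC00  TcpLen: 20
"""

# Record header: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
# Connection line: timestamp src:port -> dst:port
CONN_RE = re.compile(r'^(\S+) (\S+):(\d+) -> (\S+):(\d+)$')
# IP line: proto TTL TOS ID IpLen DgmLen [flags]
IP_RE = re.compile(r'^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)')
# TCP line: 8-char flag field, then Seq/Ack in hex
TCP_RE = re.compile(r'^(\S{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)')


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ip_id: int
    flags: str
    seq: int


def parse_alerts(text):
    """Parse blank-line-separated full-format alert records into Alert objects.
    Records that do not match the assumed five-line layout are skipped."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 5:
            continue
        h = HEADER_RE.match(lines[0])
        c = CONN_RE.match(lines[2])
        i = IP_RE.match(lines[3])
        t = TCP_RE.match(lines[4])
        if not (h and c and i and t):
            continue
        alerts.append(Alert(
            gid=int(h.group(1)), sid=int(h.group(2)), rev=int(h.group(3)),
            msg=h.group(4), ts=c.group(1),
            src=c.group(2), sport=int(c.group(3)),
            dst=c.group(4), dport=int(c.group(5)),
            ip_id=int(i.group(4)), flags=t.group(1), seq=int(t.group(2), 16),
        ))
    return alerts


def group_by_packet(alerts):
    """Group alerts by the fields that identify one datagram: timestamp,
    5-tuple and IP ID. More than one SID under a key means several rules
    fired on the same packet, as in the mail's log."""
    groups = defaultdict(list)
    for a in alerts:
        key = (a.ts, a.src, a.sport, a.dst, a.dport, a.ip_id)
        groups[key].append(a.sid)
    return dict(groups)


if __name__ == "__main__":
    for key, sids in group_by_packet(parse_alerts(SAMPLE_ALERTS)).items():
        print(key, "->", sorted(sids))
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; the grouping is what you would compare against a packet capture on the inside interface to see whether the packets that produced drop verdicts actually left the box.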
