Snort mailing list archives
Re: snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
From: Robert Greenhouse <rgreenhouse413 () gmail com>
Date: Fri, 16 Aug 2013 17:20:03 -0400
YM,

YM> If you run snort in inline mode with the same setup you have, do you see packets passing through and alerts are being generated for your rule?
RG> Yes
YM> Have you changed rules processing order?
RG> Yes
YM> Please post the command you are using to run Snort and the rule you are using for testing drops.
RG> /snort/bin/ssnort -Q -c /snort/etc/ssnort.conf -d --daq afpacket --daq-mode inline --daq-dir /snort/daq/lib64/daq -l /snort/logs -i eth0:eth1 --daq-var buffer_size_mb=512 --daq-var debug &

Test rule:

    drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:389; rev:10;)

Thanks for all your help, hopefully you can guide us to the bottom of this critical problem.

Thanks,
Richard

From: Y M
Sent: Friday, August 16, 2013 3:21 PM
To: Robert Greenhouse; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

Sorry for the noise, I meant if you run Snort in passive mode with the same setup you have.

--------------------------------------------------------------------------------
From: Y M
Sent: 8/16/2013 9:53 PM
To: Robert Greenhouse; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

If I recall, --enable-inline has been deprecated for a while now, not sure which Snort version; a warning should have been shown during compilation. But I do not think that this would affect operating in inline mode now.

If you run snort in inline mode with the same setup you have, do you see packets passing through and alerts are being generated for your rule?

Have you changed rules processing order?

Please post the command you are using to run Snort and the rule you are using for testing drops.

--------------------------------------------------------------------------------
From: rgreenhouse413 () gmail com
To: snort () outlook com; rgreenhouse413 () gmail com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
Date: Fri, 16 Aug 2013 14:08:01 -0400

YM,

Available DAQ modules:

    pcap(v3): readback live multi unpriv
    dump(v1): readback live inline multi unpriv
    afpacket(v4): live inline multi unpriv

We also changed the command line to -Q -c, we removed the forward rules from the iptables and used icmp sid:389 in a Drop mode. Snort is still not blocking? Can you please help us solve this critical issue.

BTW Snort was compiled with --enable-inline

Thanks,
Richard

From: Y M
Sent: Friday, August 16, 2013 12:05 PM
To: Robert Greenhouse; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

If you run /snort/bin/snort --daq-list what is the output of the command?

What does your command look like after the changes? I would also separate the "-Qc" such as "-Q -c". -Q forces Snort into inline mode.

What rules are you using to see that you are actually dropping? I would start with one simple rule such as sid:389, converting it to drop and test if you drop icmp.

afpacket does not rely on iptables to drop packets. If you remove the forward rules from your iptables and test, what happens? We use afpacket and did not configure the iptables the way you did.

A helpful post on the VRT blog: http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html

p.s.: please post to the list as it is of everyone's interest :)

Thanks.
YM

--------------------------------------------------------------------------------
From: rgreenhouse413 () gmail com
To: snort () outlook com; rgreenhouse413 () gmail com
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
Date: Fri, 16 Aug 2013 10:25:30 -0400

Thank you for your response. I removed "--treat-drop-as-alert", but we are still not blocking? Can you suggest any other action I can take?

Thanks,
Richard

From: Y M
Sent: Thursday, August 15, 2013 6:36 PM
To: Robert Greenhouse
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

I see from the command that you are using "--treat-drop-as-alert", is there a reason for that? Have a look at the last table on http://manual.snort.org/node11.html from Snort's online documentation:

    Adapter Mode | Snort args               | config policy_mode | Drop Rule Handling
    Inline       | -Q --treat-drop-as-alert | inline             | Alert

--------------------------------------------------------------------------------
From: rgreenhouse413 () gmail com
To: snort () outlook com
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
Date: Thu, 15 Aug 2013 18:28:12 -0400

Thanks, much appreciated. I have done what you suggested, but I am still not blocking.

Here is the command line:

    /snort/bin/snort -Qc /snort/etc/snort.conf -d --treat-drop-as-alert --daq afpacket --daq-mode inline --daq-dir /snort/daq/lib64/daq -l /snort/logs -i eth0:eth1 --daq-var buffer_size_mb=512 --daq-var debug &

Here is our iptables:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
    iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT

And I have modified snort.conf to include:

    config policy_mode:inline

Your help is much appreciated.
Thanks,
Richard

From: Y M
Sent: Thursday, August 15, 2013 5:16 PM
To: Robert Greenhouse; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

Sorry I missed that --> you also need to add the -Q to your command.

--------------------------------------------------------------------------------
To: rgreenhouse413 () gmail com; snort-users () lists sourceforge net
From: snort () outlook com
Date: Fri, 16 Aug 2013 00:08:55 +0300
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

Does adding --daq-mode inline to your command and config policy_mode:inline to your snort configuration file change the behavior?

--------------------------------------------------------------------------------
From: Robert Greenhouse
Sent: 8/15/2013 11:45 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

Hi,

snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop?

We have our system set up in inline mode using afpacket (./snort --daq afpacket -i eth0:eth1). Also have iptables configured to:

    iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
    iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward

Why doesn't snort drop the packet when the rule fires? This is a major problem.

Thanks,
Richard
------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite! It's a free troubleshooting tool designed for production. Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
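The thread converges on a short checklist for afpacket inline drops: -Q on the command line, --daq-mode inline, a bridged interface pair for -i, no --treat-drop-as-alert (which the manual's table turns into "Alert" handling), and config policy_mode:inline in snort.conf; iptables FORWARD rules play no part. The script below is an added example written for this page, not code from the thread or from the Snort project. It lints a Snort command line and a snort.conf against that checklist and returns non-zero when a drop rule would only alert. The function names (snort_inline_lint, make_sample_conf) are my own, the sample snort.conf it writes is constructed, and the two command lines are the thread's "before" (with -Qc and --treat-drop-as-alert) and the corrected form the replies ask for.

```shell
#!/bin/sh
# Added example, not from the thread or from Snort itself: a lint for the
# settings the thread shows decide whether a "drop" rule really drops under
# the afpacket DAQ. Arguments: the full snort command line as one string,
# and a path to snort.conf. Prints one line per finding and returns 0 when
# drops should take effect, 1 when at least one finding downgrades them.
snort_inline_lint() {
    cmd=$1
    conf=$2
    rc=0
    has_q=0; daq_afpacket=0; daq_inline=0; iface_pair=0; treat_as_alert=0
    prev=""
    for tok in $cmd; do
        case $tok in
            -Q|-Q[a-zA-Z]*) has_q=1 ;;              # -Q alone or bundled, e.g. -Qc
            --treat-drop-as-alert) treat_as_alert=1 ;;
        esac
        case $prev in
            --daq)      if [ "$tok" = afpacket ]; then daq_afpacket=1; fi ;;
            --daq-mode) if [ "$tok" = inline ];   then daq_inline=1;   fi ;;
            -i)         case $tok in *:*) iface_pair=1 ;; esac ;;   # eth0:eth1 pair
        esac
        prev=$tok
    done
    [ $has_q -eq 1 ]          || { echo "finding: -Q missing, Snort is not forced inline; drop rules only alert"; rc=1; }
    [ $daq_inline -eq 1 ]     || { echo "finding: --daq-mode inline missing"; rc=1; }
    [ $iface_pair -eq 1 ]     || { echo "finding: -i must name a bridged pair such as eth0:eth1 for afpacket inline"; rc=1; }
    [ $treat_as_alert -eq 0 ] || { echo "finding: --treat-drop-as-alert converts every drop into an alert (manual table: Inline / Alert)"; rc=1; }
    [ $daq_afpacket -eq 1 ]   || echo "note: --daq afpacket not selected; this lint assumes the afpacket DAQ from the thread"
    # policy_mode must be inline in snort.conf as well, not just on the command line.
    if ! grep -Eq '^[[:space:]]*config[[:space:]]+policy_mode:[[:space:]]*inline' "$conf"; then
        echo "finding: snort.conf lacks 'config policy_mode:inline'"; rc=1
    fi
    return $rc
}

# Writes a constructed, minimal snort.conf to a temp file and prints its path.
# $1 is the policy_mode value to emit ("inline" or "tap").
make_sample_conf() {
    f=$(mktemp)
    printf 'ipvar HOME_NET any\nconfig policy_mode:%s\n' "$1" > "$f"
    echo "$f"
}

# "before": the command line posted on Aug 15 (trailing '&' omitted).
BEFORE='/snort/bin/snort -Qc /snort/etc/snort.conf -d --treat-drop-as-alert --daq afpacket --daq-mode inline --daq-dir /snort/daq/lib64/daq -l /snort/logs -i eth0:eth1 --daq-var buffer_size_mb=512 --daq-var debug'
# "after": the same line with -Q -c separated and --treat-drop-as-alert removed, as the replies ask.
AFTER='/snort/bin/snort -Q -c /snort/etc/snort.conf -d --daq afpacket --daq-mode inline --daq-dir /snort/daq/lib64/daq -l /snort/logs -i eth0:eth1 --daq-var buffer_size_mb=512 --daq-var debug'

demo_conf=$(make_sample_conf inline)
for c in "$BEFORE" "$AFTER"; do
    echo "== $c"
    if snort_inline_lint "$c" "$demo_conf"; then
        echo "result: drop rules should drop"
    else
        echo "result: drop rules will not drop"
    fi
done
rm -f "$demo_conf"
```

Run it with sh; the "before" line reports the --treat-drop-as-alert finding and the "after" line passes. Pointing the lint at a snort.conf that sets policy_mode to tap, or at a command line without -Q, produces the matching finding, which is the quickest way to reproduce the symptom the thread describes (alerts fire, packets still pass) without touching a live sensor.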
Current thread:
- Re: snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop Y M (Aug 16)
- Re: snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop Robert Greenhouse (Aug 16)