Snort mailing list archives

Snort++: Bugs?


From: Sancho Panza <sancho () posteo de>
Date: Mon, 27 Apr 2015 13:39:22 +0200

Hello,

I've noticed some strange things which I think are bugs:

1) Running Snort in Inline Mode, I have to specify an interface so as to 
let Snort know I don't just want to perform a test run (which Russ 
already said is a bug). But: The interface name provided is later 
written into DAQ_Config_t cfg.name (see DAQ_New() in packet_io). Alas, 
the daq_nfq.c module won't accept that (nfq_daq_initialize in 
os-daq-modules/daq_nfq.c):

     if(cfg->name && *(cfg->name))
     {
         snprintf(errBuf, errMax, "The nfq DAQ module does not support interface or readback mode!");
         return DAQ_ERROR_INVAL;
     }

2) After fixing (1) for myself, I wanted to test the Inline Mode. I 
defined a rule as simple as:

drop ip any any -> any any ( msg:"Drop Test"; classtype:trojan-activity; 
sid:424242; rev:5; )

Then I tried to send ICMP ECHO REQUEST packets from host A to host B. 
The packets were indeed dropped, but I wouldn't see the alert. After 
adding some debug statements, I came across the following piece of code 
in fpLogEvent(...) (file fpdetect.cc):

     if ((p->packet_flags & PKT_STREAM_UNEST_UNI) &&
         ScAssureEstablished() &&
         (!(p->packet_flags & PKT_REBUILT_STREAM)) &&
         (otn->stateless == 0))
     {
         // We still want to drop packets that are drop rules.
         // We just don't want to see the alert.
         if ( block_action(rtn->type) )
             Active_DropSession(p);

         fpLogOther(p, rtn, otn, rtn->type);
         return 1;
     }

It turns out my ICMP echo request packets weren't considered 
"established". So after some more searching in the code, I came across 
the two possibilities I had to avoid this code path.
The first consists of adding "flow: stateless" to the rule definition - 
that works fine.
The second consists of setting the "stateful" parameter of the "alerts" 
module to "false". Just looking at the definition of alerts_params in 
main/modules.cc, you would think the "stateful" option is disabled by 
default:

     { "stateful", Parameter::PT_BOOL, nullptr, "false",
       "don't alert w/o established session (note: rule action still 
taken)" },

Alas, the default "false" definition seems to have no effect at all!
What's worse, in your snort.lua, you can't even say:

alerts = { stateful: false }

Well, you CAN say it, but a quick look at AlertsModule::set (file 
main/modules.cc) reveals that no matter what actual *value* you specify, 
the option will always be enabled:

     else if ( v.is("stateful") ) {
         //NOTE: no check for true or false!!!
         sc->run_flags |= RUN_FLAG__ASSURE_EST;
     }

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
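The two findings above (the "stateful" setter that ignores its value, and the fpLogEvent() path that suppresses the alert for unestablished traffic unless the rule is stateless) can be reproduced with a small stand-alone model. This is an added example, not code from Snort++ or from the message author; the Value, SnortConfig and flag bit values are constructed stand-ins for the real Snort++ types (Snort++'s Value does provide is() and get_bool(), but everything else here is an assumption), and the "fixed" setter is one plausible correction, not Snort's own fix.

```cpp
#include <cstdint>
#include <string>

// Constructed stand-ins for Snort++ run-flag / packet-flag bits (values assumed).
constexpr uint32_t RUN_FLAG__ASSURE_EST  = 0x01;
constexpr uint32_t PKT_STREAM_UNEST_UNI  = 0x02;
constexpr uint32_t PKT_REBUILT_STREAM    = 0x04;

// Minimal model of a parsed config value (key plus boolean payload).
struct Value
{
    std::string key;
    bool        b;
    bool is(const char* k) const { return key == k; }
    bool get_bool() const        { return b; }
};

struct SnortConfig
{
    uint32_t run_flags = 0;
};

// Behaviour as quoted from AlertsModule::set in the message: the flag is
// set whenever the key is present, whatever value was configured.
bool set_stateful_buggy(const Value& v, SnortConfig* sc)
{
    if ( v.is("stateful") )
    {
        sc->run_flags |= RUN_FLAG__ASSURE_EST;   // value never consulted
        return true;
    }
    return false;
}

// Corrected form (assumption, not Snort's own patch): honour the boolean,
// so "stateful = false" clears the bit and the documented default holds.
bool set_stateful_fixed(const Value& v, SnortConfig* sc)
{
    if ( v.is("stateful") )
    {
        if ( v.get_bool() )
            sc->run_flags |= RUN_FLAG__ASSURE_EST;
        else
            sc->run_flags &= ~RUN_FLAG__ASSURE_EST;
        return true;
    }
    return false;
}

bool assure_established(const SnortConfig& sc)
{
    return (sc.run_flags & RUN_FLAG__ASSURE_EST) != 0;
}

// Model of the fpLogEvent() condition quoted above: returns true when the
// alert is suppressed (packet may still be dropped, but no alert is logged).
bool alert_suppressed(uint32_t packet_flags, bool assure_est, bool rule_stateless)
{
    return (packet_flags & PKT_STREAM_UNEST_UNI) &&
           assure_est &&
           !(packet_flags & PKT_REBUILT_STREAM) &&
           !rule_stateless;
}

int main()
{
    SnortConfig sc;
    Value off{"stateful", false};
    set_stateful_buggy(off, &sc);            // bit set despite "false"
    bool buggy_on = assure_established(sc);

    SnortConfig sc2;
    set_stateful_fixed(off, &sc2);           // bit stays clear
    bool fixed_on = assure_established(sc2);

    // Unestablished ICMP echo (constructed flags), stateful rule: alert lost.
    bool lost = alert_suppressed(PKT_STREAM_UNEST_UNI, buggy_on, false);
    // Same packet with "flow: stateless" on the rule: alert logged.
    bool kept = !alert_suppressed(PKT_STREAM_UNEST_UNI, buggy_on, true);
    return (buggy_on && !fixed_on && lost && kept) ? 0 : 1;
}
```

Running it shows the asymmetry: with the quoted setter, any mention of "stateful" in snort.lua turns assurance on, so the only workarounds are omitting the key or adding "flow: stateless" to the rule; with the value-honouring setter, "stateful = false" behaves as the parameter table documents.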

