Re: Multiple IPS action plugin problem

[Tso-jie Ng <t.ng () uoc cw>]

Sorry to reply to this email but I am searching a way to backup the
configurations of Snort in PFsense to put them on a newly built PFsense
machine...So a replacement ....we dont want to go through a hard time to
suppress etc etc again...

Thnx in advance for any comments.















Tso-jie Ng
ICT Support, University of Curaçao
*E:* t.ng () uoc cw
*P:* (599-9) 744-2245 <(599-9)+744-2245>
*F:* (599-9) 744-2255
*W:* http://www.uoc.cw <http://www.uoc.cw/>
*A**: *Jan Noorduynweg 111, Curaçao Willemstad



*IMPORTANT*: The contents of this email and any attachments are
confidential. They are intended for the named recipient(s) only. If you
have received this email by mistake, please notify the sender immediately
and do not disclose the contents to anyone or make copies thereof.

*Be like me, be Carbon free - don't print this and save a tree*

*Experience is that marvellous thing that enables you recognize a mistake
when you make it again.*


On Tue, Sep 8, 2020 at 12:05 AM Özkan KIRIK via Snort-devel <
snort-devel () lists snort org> wrote:

> Hello Russ,
> Details are below:
>
> Some related lines of snort boot messages that contains module load order :
> --------------------------------------------------
> o")~   Snort++ 3.0.1-5
> --------------------------------------------------
> Loading /usr/local/etc/snort/snort.lua:
> Loading file_magic.lua:
> Finished file_magic.lua:
>         ssh
>         hosts
>         host_cache
>         pop
>         so_proxy
>         stream_tcp
>         gtp_inspect
>         packets
>         dce_http_proxy
>         stream_icmp
>         normalizer
>         ftp_server
>         stream_udp
>         alert_json
>         ips
>         search_engine
>         classifications
>         latency
>         binder
>         wizard
>         ftp_data
>         dce_smb
>         smtp
>         port_scan
>         dce_http_server
>         dce_tcp
>         telnet
>         ssl
>         sip
>         rpc_decode
>         modbus
>         http2_inspect
>         host_tracker
>         http_inspect
>         stream_ip
>         back_orifice
>         rate_filter
>         appid
>         modifypacket_3
>         modifypacket_1
>         modifypacket_2
>         process
>         dnp3
>         active
>         ftp_client
>         daq
>         decode
>         alerts
>         stream
>         references
>         arp_spoof
>         output
>         network
>         trace
>         dns
>         dce_udp
>         imap
> Finished /usr/local/etc/snort/snort.lua:
> Loading ips.rules:
> ...
>
> As you see above, modifypacket_2 is registered at last through .so actions.
> I have added fprintf lines in each function in module for debugging and
> gathering call history.
>
> My ruleset (there only single rule):
> modifypacket_1 icmp any any -> any any (msg:"icmp modify test"; sid;
> 123456;)
>
> All actions are set as Action::ALERT in ActionApi struct in both
> modifypacket_1.so, modifypacket_2.so and modifypacket_3.so
> Matching rules are logged in alert_json file. But action is allow.
> { "seconds" : 1599452359, "proto" : "ICMP", "pkt_gen" : "raw", "dir" :
> "C2S", "src_ap" : "192.168.58.100:0", "dst_ap" : "205.185.216.42:0",
> "rule" : "1:123456:0", "msg" : "icmp modify test", "action" : "allow" }
>
> Debug Log output:
> mod_ctor: modifypacket_1
> mod_ctor: modifypacket_2
> mod_ctor: modifypacket_3
> modifypacket3_act_ctor module_name: modifypacket_3 name: modifypacket_3
> ModifyPacket3_Action::ModifyPacket_Action- act_name: modifypacket_3
> modifypacket1_act_ctor module_name: modifypacket_1 name: modifypacket_1
> ModifyPacket1_Action::ModifyPacket_Action- act_name: modifypacket_1
> modifypacket2_act_ctor module_name: modifypacket_2 name: modifypacket_2
> ModifyPacket2_Action::ModifyPacket_Action- act_name: modifypacket_2
> ModifyPacket2_Action::exec - name: modifypacket_2
> ModifyPacket2_Action::exec - name: modifypacket_2
> ModifyPacket2_Action::exec - name: modifypacket_2
> ModifyPacket2_Action::exec - name: modifypacket_2
> ...
> ...
>
> As you see above, rule-action is modifypacket_1 and there is no rule for
> modifypacket_2. But modifypacket_2's exec is called.
> In brief, last loaded .so module's exec method is called for all
> modifypacket_1, modifypacket_2 and modifypacket_3 rule actions.
>
> I think there is something wrong in ActionManager::instantiate method. But
> I'm not sure.
> My guess is while registering plugin actions, instance pointers are
> overwritten in somewhere.
>
> Thanks
> Özkan
>
>
> On Tue, Sep 8, 2020 at 1:40 AM Russ Combs (rucombs) <rucombs () cisco com>
> wrote:
>
> > Hi,
> >
> > A rule has exactly one action.  Did you configure a rule for each of your
> > action types?  If those rules are set to alert, do they alert?
> >
> > Russ
> >
> > ________________________________________
> > From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of
> > Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
> > Sent: Sunday, September 6, 2020 11:31 PM
> > To: snort-devel () lists snort org
> > Subject: [Snort-devel] Multiple IPS action plugin problem
> >
> > Hello,
> >
> > I developed 3 example ips_action plugin using snort3_extra repository.
> > (ie modifypacket_1, modifypacket_2 , modifypacket_3).
> >
> > In /usr/local/etc/snort/plugins folder;
> > - When single .so file exists, plugin works perfectly.
> > - When all of 3 .so files exists, only last registered one triggered for
> > both modifypacket_1,  modifypacket_2,  modifypacket_3 rules.
> >
> > # snort --plugin-path /usr/local/etc/snort/plugins --list-plugins | grep
> > ips_action
> > ips_action::modifypacket_1 v0
> > /usr/local/etc/snort/plugins/act_modifypacket_1.so
> > ips_action::modifypacket_2 v0
> > /usr/local/etc/snort/plugins/act_modifypacket_2.so
> > ips_action::modifypacket_3 v0
> > /usr/local/etc/snort/plugins/act_modifypacket_3.so
> > ips_action::react v0 static
> > ips_action::reject v0 static
> > ips_action::rewrite v0 static
> >
> > For debugging, I put log messages to mod_ctor and action_ctor functions.
> > In logs, All of 3 mod_ctor and action_ctor functions are called. But only
> > last registered .so file's Action::exec(Packet* p) method is called for all
> > the modifypacket_1,  modifypacket_2,  modifypacket_3 actions.
> > There is no common method and class names (except snort_plugins[]
> > variable) across all .so files.
> >
> > I couldn't find there the bug is and how the other actions related to 1
> > Action::exec method.
> >
> > Can you help to resolve this problem.
> > Regards
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!