Snort mailing list archives
Re: Multiple IPS action plugin problem
From: Tso-jie Ng <t.ng () uoc cw>
Date: Thu, 10 Sep 2020 11:32:54 -0400
Sorry to reply to this email, but I am searching for a way to back up the configuration of Snort in pfSense to put it on a newly built pfSense machine... so a replacement... We don't want to go through a hard time to suppress etc. etc. again... Thanks in advance for any comments.

Tso-jie Ng
ICT Support, University of Curaçao
E: t.ng () uoc cw
P: (599-9) 744-2245
F: (599-9) 744-2255
W: http://www.uoc.cw
A: Jan Noorduynweg 111, Curaçao Willemstad

On Tue, Sep 8, 2020 at 12:05 AM Özkan KIRIK via Snort-devel <snort-devel () lists snort org> wrote:
Hello Russ,

Details are below.

Some related lines of the Snort boot messages that contain the module load order:

    --------------------------------------------------
    o")~   Snort++ 3.0.1-5
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    Loading file_magic.lua:
    Finished file_magic.lua:
            ssh hosts host_cache pop so_proxy stream_tcp gtp_inspect packets
            dce_http_proxy stream_icmp normalizer ftp_server stream_udp alert_json
            ips search_engine classifications latency binder wizard ftp_data dce_smb
            smtp port_scan dce_http_server dce_tcp telnet ssl sip rpc_decode modbus
            http2_inspect host_tracker http_inspect stream_ip back_orifice
            rate_filter appid modifypacket_3 modifypacket_1 modifypacket_2 process
            dnp3 active ftp_client daq decode alerts stream references arp_spoof
            output network trace dns dce_udp imap
    Finished /usr/local/etc/snort/snort.lua:
    Loading ips.rules:
    ...

As you see above, modifypacket_2 is registered last through the .so actions.

I have added fprintf lines in each function in the module for debugging and gathering the call history.

My ruleset (there is only a single rule):

    modifypacket_1 icmp any any -> any any (msg:"icmp modify test"; sid:123456;)

All actions are set as Action::ALERT in the ActionApi struct in modifypacket_1.so, modifypacket_2.so and modifypacket_3.so.

Matching rules are logged in the alert_json file. But the action is allow.

    { "seconds" : 1599452359, "proto" : "ICMP", "pkt_gen" : "raw", "dir" : "C2S", "src_ap" : "192.168.58.100:0", "dst_ap" : "205.185.216.42:0", "rule" : "1:123456:0", "msg" : "icmp modify test", "action" : "allow" }

Debug log output:

    mod_ctor: modifypacket_1
    mod_ctor: modifypacket_2
    mod_ctor: modifypacket_3
    modifypacket3_act_ctor module_name: modifypacket_3 name: modifypacket_3
    ModifyPacket3_Action::ModifyPacket_Action- act_name: modifypacket_3
    modifypacket1_act_ctor module_name: modifypacket_1 name: modifypacket_1
    ModifyPacket1_Action::ModifyPacket_Action- act_name: modifypacket_1
    modifypacket2_act_ctor module_name: modifypacket_2 name: modifypacket_2
    ModifyPacket2_Action::ModifyPacket_Action- act_name: modifypacket_2
    ModifyPacket2_Action::exec - name: modifypacket_2
    ModifyPacket2_Action::exec - name: modifypacket_2
    ModifyPacket2_Action::exec - name: modifypacket_2
    ModifyPacket2_Action::exec - name: modifypacket_2
    ...
    ...

As you see above, the rule action is modifypacket_1 and there is no rule for modifypacket_2. But modifypacket_2's exec is called.

In brief, the last loaded .so module's exec method is called for all modifypacket_1, modifypacket_2 and modifypacket_3 rule actions.

I think there is something wrong in the ActionManager::instantiate method. But I'm not sure. My guess is that while registering plugin actions, instance pointers are overwritten somewhere.

Thanks
Özkan

On Tue, Sep 8, 2020 at 1:40 AM Russ Combs (rucombs) <rucombs () cisco com> wrote:

Hi,

A rule has exactly one action. Did you configure a rule for each of your action types? If those rules are set to alert, do they alert?

Russ

________________________________________
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Sent: Sunday, September 6, 2020 11:31 PM
To: snort-devel () lists snort org
Subject: [Snort-devel] Multiple IPS action plugin problem

Hello,

I developed 3 example ips_action plugins using the snort3_extra repository (i.e. modifypacket_1, modifypacket_2, modifypacket_3).

In the /usr/local/etc/snort/plugins folder:
- When a single .so file exists, the plugin works perfectly.
- When all 3 .so files exist, only the last registered one is triggered for the modifypacket_1, modifypacket_2 and modifypacket_3 rules.

    # snort --plugin-path /usr/local/etc/snort/plugins --list-plugins | grep ips_action
    ips_action::modifypacket_1 v0 /usr/local/etc/snort/plugins/act_modifypacket_1.so
    ips_action::modifypacket_2 v0 /usr/local/etc/snort/plugins/act_modifypacket_2.so
    ips_action::modifypacket_3 v0 /usr/local/etc/snort/plugins/act_modifypacket_3.so
    ips_action::react v0 static
    ips_action::reject v0 static
    ips_action::rewrite v0 static

For debugging, I put log messages in the mod_ctor and action_ctor functions. In the logs, all 3 mod_ctor and action_ctor functions are called. But only the last registered .so file's Action::exec(Packet* p) method is called for all of the modifypacket_1, modifypacket_2, modifypacket_3 actions.

There are no common method or class names (except the snort_plugins[] variable) across all .so files.

I couldn't find where the bug is and how the other actions are related to one Action::exec method.

Can you help to resolve this problem?

Regards

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
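The correlation Özkan did by hand in the thread, matching the rule action of each alerting sid against the exec calls that actually show up in the plugin debug log, can be scripted so the mismatch is reported mechanically. The following Python is an added example, not code from the thread or from the snort3_extra project. The alert_json record and the fprintf lines are the ones quoted above, re-entered as constructed sample input; the exact fprintf line formats and the RULE_ACTIONS mapping are assumptions based on what the poster showed.

```python
import json
import re

# Constructed sample input, copied from the thread: the single alert_json
# record and a few of the poster's fprintf debug lines.
ALERT_JSON_LINES = [
    '{ "seconds" : 1599452359, "proto" : "ICMP", "pkt_gen" : "raw", "dir" : "C2S", '
    '"src_ap" : "192.168.58.100:0", "dst_ap" : "205.185.216.42:0", '
    '"rule" : "1:123456:0", "msg" : "icmp modify test", "action" : "allow" }',
]

DEBUG_LOG_LINES = [
    "mod_ctor: modifypacket_1",
    "mod_ctor: modifypacket_2",
    "mod_ctor: modifypacket_3",
    "modifypacket3_act_ctor module_name: modifypacket_3 name: modifypacket_3",
    "ModifyPacket3_Action::ModifyPacket_Action- act_name: modifypacket_3",
    "modifypacket1_act_ctor module_name: modifypacket_1 name: modifypacket_1",
    "ModifyPacket1_Action::ModifyPacket_Action- act_name: modifypacket_1",
    "modifypacket2_act_ctor module_name: modifypacket_2 name: modifypacket_2",
    "ModifyPacket2_Action::ModifyPacket_Action- act_name: modifypacket_2",
    "ModifyPacket2_Action::exec - name: modifypacket_2",
    "ModifyPacket2_Action::exec - name: modifypacket_2",
]

# Rule action per gid:sid, taken from the ruleset (the thread has one rule).
# Assumed mapping: in practice you would build it from ips.rules.
RULE_ACTIONS = {"1:123456": "modifypacket_1"}

# Line shapes assumed from the poster's fprintf output.
CTOR_RE = re.compile(r"^(?P<cls>\w+)::\w+- act_name: (?P<name>\S+)$")
EXEC_RE = re.compile(r"^(?P<cls>\w+)::exec - name: (?P<name>\S+)$")


def parse_alerts(lines):
    """Return (gid:sid, action) pairs from alert_json records, dropping the rev."""
    out = []
    for line in lines:
        rec = json.loads(line)
        gid, sid, _rev = rec["rule"].split(":")
        out.append((f"{gid}:{sid}", rec["action"]))
    return out


def parse_debug_log(lines):
    """Return the action names whose constructors ran, in order, and a count
    of exec calls per action name."""
    constructed = []
    exec_counts = {}
    for line in lines:
        m = CTOR_RE.match(line)
        if m:
            constructed.append(m.group("name"))
            continue
        m = EXEC_RE.match(line)
        if m:
            name = m.group("name")
            exec_counts[name] = exec_counts.get(name, 0) + 1
    return constructed, exec_counts


def check_dispatch(alert_lines, debug_lines, rule_actions):
    """Compare the actions that should have run (rule actions of the sids that
    alerted) against the exec methods that actually ran (debug log)."""
    alerts = parse_alerts(alert_lines)
    constructed, exec_counts = parse_debug_log(debug_lines)
    expected = {rule_actions[key] for key, _ in alerts if key in rule_actions}
    observed = set(exec_counts)
    return {
        "constructed": constructed,
        "expected": sorted(expected),
        "observed": sorted(observed),
        "unexpected_exec": sorted(observed - expected),
        "never_exec": sorted(set(constructed) - observed),
        "alert_actions": sorted({action for _, action in alerts}),
    }


if __name__ == "__main__":
    result = check_dispatch(ALERT_JSON_LINES, DEBUG_LOG_LINES, RULE_ACTIONS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the thread's own data this reports `expected: ['modifypacket_1']` but `observed: ['modifypacket_2']`, with modifypacket_1 and modifypacket_3 constructed yet never executed, which is exactly the symptom the poster describes. Pointing the two list constants at a real alert_json file and the plugin's stderr output turns it into a quick regression check after rebuilding the plugins.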
Current thread:
- Multiple IPS action plugin problem Özkan KIRIK via Snort-devel (Sep 06)
- Re: Multiple IPS action plugin problem Russ Combs (rucombs) via Snort-devel (Sep 07)
- Re: Multiple IPS action plugin problem Özkan KIRIK via Snort-devel (Sep 07)
- Re: Multiple IPS action plugin problem Tso-jie Ng (Sep 10)
- Re: Multiple IPS action plugin problem Özkan KIRIK via Snort-devel (Sep 07)
- Re: Multiple IPS action plugin problem Russ Combs (rucombs) via Snort-devel (Sep 07)