Snort mailing list archives
RE: UDP packet supposedly DROPped, but seen by snort anyway
From: Jan Ploski <jpljpl () gmx de>
Date: Thu, 24 Oct 2002 18:41:34 +0200 (CEST)
On Thu, Oct 24, 2002 at 11:23:35AM -0500, Matt Yackley wrote:
> Jan, it sounds like you are running Snort on the iptables box. AFAIK libpcap grabs the packet when it hits the NIC; iptables is rejecting the packet, but that happens at a higher level than libpcap & snort work at. Others here will expand more, but my guess as to why the TCP is not picked up by snort is due to the way the rules are written and the way TCP connections are handled. Most rules for TCP type connections will require a 3-way handshake to be completed before something like a cmd.exe attempt is sent. If this type of connection is blocked at the start it never gets to the point of sending a packet that triggers the rule. This UDP rule will trigger with the first packet sent since it does not need a 3-way handshake to be completed. Anyway, that is my quick stab at this, everyone else please feel free to correct me where I am wrong :)
Matt, you are entirely correct, and I have also received similar suggestions from other people on this list via private email (thanks again!). The TCP SYN packet used to establish a connection indeed makes it through to snort, much like the UDP packet. Too bad I did not check this before posting... :-( As someone else suggested: "write a pass rule for it or you can use a bpf filter (not udp port 161) to ignore the traffic". This is indeed a good solution, as I know that port 161 is closed on the monitored box.

Best regards -
Jan Ploski
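The thread's point is that libpcap captures a packet before netfilter decides its fate, so Snort on the firewall host alerts on traffic the protected box never received. Besides the pass rule or BPF filter suggested above, a defender can tag such alerts after the fact by matching each alert's 5-tuple against iptables LOG output. The script below is an added example, not code from this thread; the alert lines, kernel log lines, rule SIDs and the `DROP-IN:` log prefix are all constructed, and it assumes iptables has a LOG rule paired with the DROP rule.

```python
import re

# Snort -A fast alert lines (constructed sample data, SIDs in the local range).
SNORT_ALERTS = """\
10/24-18:41:34.100000 [**] [1:1000001:1] LOCAL SNMP public probe [**] [Priority: 2] {UDP} 192.0.2.10:1024 -> 198.51.100.5:161
10/24-18:41:35.200000 [**] [1:1000002:1] LOCAL NetBIOS SYN probe [**] [Priority: 3] {TCP} 192.0.2.10:40001 -> 198.51.100.5:139
10/24-18:41:36.300000 [**] [1:1000003:1] LOCAL web request [**] [Priority: 3] {TCP} 203.0.113.7:51000 -> 198.51.100.5:80
"""

# iptables LOG target lines from the kernel log (constructed; assumes --log-prefix "DROP-IN: ").
IPTABLES_LOG = """\
Oct 24 18:41:34 fw kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=78 TTL=64 PROTO=UDP SPT=1024 DPT=161 LEN=58
Oct 24 18:41:35 fw kernel: DROP-IN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=139 SYN
"""

# Snort fast format ends with "{PROTO} src:sport -> dst:dport".
ALERT_RE = re.compile(r"\{(?P<proto>TCP|UDP)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")
# The LOG target emits SRC= DST= ... PROTO= SPT= DPT= fields for TCP and UDP.
IPT_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>TCP|UDP)\s+SPT=(?P<sport>\d+)\s+DPT=(?P<dport>\d+)")

def five_tuple(m):
    """Normalise a regex match into (proto, src, sport, dst, dport)."""
    return (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def dropped_flows(ipt_log):
    """Set of 5-tuples the firewall logged before dropping them."""
    return {five_tuple(m) for line in ipt_log.splitlines() if (m := IPT_RE.search(line))}

def classify_alerts(alerts, ipt_log):
    """Return [(alert_line, 'dropped' | 'reached')]: 'dropped' means iptables
    logged the same flow, so the packet was captured by libpcap but never
    delivered to the host.  A production version would also bound the match
    by timestamp so a stale LOG entry cannot mask a later, allowed packet."""
    drops = dropped_flows(ipt_log)
    result = []
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line; skip it
        result.append((line, "dropped" if five_tuple(m) in drops else "reached"))
    return result

if __name__ == "__main__":
    for line, status in classify_alerts(SNORT_ALERTS, IPTABLES_LOG):
        print(f"[{status:7}] {line.split('[**]')[1].strip()}")
```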