Snort mailing list archives
Re: packet modifications not working
From: Will Metcalf <william.metcalf () gmail com>
Date: Thu, 2 Jun 2005 10:31:26 -0500
I posted a response to your question on the bleeding-snort forums.

Regards,

Will

On 5/31/05, eboehnlein () aol com <eboehnlein () aol com> wrote:
Problem: snort_inline modified packets are not being forwarded; instead it appears the original unaltered packet is being forwarded. Also, drop-packet rules, when triggered, make either snort_inline and/or the sending workstation hang.

Background:

Running Suse Linux 9.0 (i586) - Kernel 2.4.30 with patch ebtables-brnf-9_vs_2.4.30.diff
iptables-1.2.8
libpcap-0.8.3
pcre-5.0
libnet-1.0.2a
snort-2.3.3

--- snort NID with the above configuration works at this point: rules are triggered and events are logged ---

then include the following ---

iptables-1.3.1
bridge-utils-1.0.4
snort_inline-2.3.0-RC1
bridge script to define bridge [eth1+eth2]=br0

## clear iptables
$IPTABLES -F
$IPTABLES -A FORWARD -j QUEUE
## turn forwarding off
$ECHO 0 > /proc/sys/net/ipv4/ip_forward

The ip queue module is loaded by executing:
insmod ip_queue

Start snort
>snort_inline -v -Q -c /etc/snort_inline/snort_inline.conf

--- at this point snort_inline is active and traffic is passing through the bridge in both directions -- alerts are logged -- replace and drop not working but actions are logged ++

-----------------------------------------------------
Snort rules are defined to trigger on an HTTP query from a network:
+ Alert when any HTTP traffic is sent from the workstation segment -- successfully alerts and logs.
+ Alert and replace content when a specific word is being used -- successfully alerts and logs.

Symptoms: [Verified using traces and dumps]
+ all unaltered traffic flows both ways over the bridge
+ snort_inline alert rules are triggered and logged - (using content rules)
+ snort_inline alert/replace rules are triggered and logged; however, it appears it is the original (unaltered) packet that is being forwarded.

I suspect that snort_inline (via libnet) is not handling the modified packet correctly. I have recompiled and reconfigured the kernel and all the software several times with no apparent errors being generated.

Any thoughts how to proceed from here?

Ed
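A way to confirm from the traces whether a replace rule actually rewrote a segment in flight, as an added example that is not part of this thread or of snort_inline: it pairs TCP segments captured on the ingress side of the bridge with those captured on the egress side by 5-tuple and sequence number and reports which were rewritten, which passed unchanged (the symptom above), and which were dropped. The frame builder, addresses, port and the "badword" payload are constructed sample data; checksums are left at zero because only the payloads are compared.

```python
import struct

def tcp_segments(frames):
    """Yield ((src, dst, sport, dport, seq), payload) for each IPv4/TCP
    Ethernet frame in `frames` (raw bytes, e.g. from a capture library)."""
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00":      # not IPv4
            continue
        ihl = (f[14] & 0x0F) * 4                         # IP header length
        if f[14 + 9] != 6:                               # protocol != TCP
            continue
        ip_len = struct.unpack_from("!H", f, 14 + 2)[0]
        src, dst = f[14 + 12:14 + 16], f[14 + 16:14 + 20]
        t = 14 + ihl                                     # start of TCP header
        sport, dport, seq = struct.unpack_from("!HHI", f, t)
        doff = (f[t + 12] >> 4) * 4                      # TCP header length
        yield (src, dst, sport, dport, seq), f[t + doff:14 + ip_len]

def compare_sides(ingress_frames, egress_frames):
    """Pair segments seen before and after the bridge and classify them.
    Returns (rewritten, unchanged, dropped); rewritten entries carry
    the key plus the payload before and after the bridge."""
    before = dict(tcp_segments(ingress_frames))
    after = dict(tcp_segments(egress_frames))
    rewritten, unchanged, dropped = [], [], []
    for key, payload in before.items():
        if key not in after:
            dropped.append(key)
        elif after[key] != payload:
            rewritten.append((key, payload, after[key]))
        else:
            unchanged.append(key)
    return rewritten, unchanged, dropped

def make_frame(payload, seq=1):
    """Constructed sample frame: Ethernet/IPv4/TCP 10.0.0.5:40000 -> 192.0.2.80:80.
    Checksums are zero (not verified here); only payloads matter."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80])) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

# Constructed traffic: the replacement keeps the byte count equal on purpose.
ORIGINAL = b"GET /index.html?q=badword HTTP/1.0\r\n\r\n"
REPLACED = b"GET /index.html?q=xxxxxxx HTTP/1.0\r\n\r\n"
INGRESS = [make_frame(ORIGINAL)]
EGRESS_BROKEN = [make_frame(ORIGINAL)]   # what the post observed: original forwarded
EGRESS_OK = [make_frame(REPLACED)]       # what a working replace rule should produce
```

Feed it the raw frames from simultaneous captures on eth1 and eth2; an empty `rewritten` list for traffic that triggered the replace rule confirms the symptom. Note that snort_inline's replace keyword requires the replacement to be exactly as long as the matched content, which the sample above respects.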
Current thread:
- packet modifications not working eboehnlein (Jun 02)
- Re: packet modifications not working Joel Esler (Jun 02)
- Re: packet modifications not working Will Metcalf (Jun 02)