Snort mailing list archives

Re: snort does not send reset in freebsd/ipfw inline mode


From: Rajkumar S <rajkumars () gmail com>
Date: Fri, 4 Feb 2011 12:59:56 +0530

On Sat, Jan 29, 2011 at 3:08 AM, Russ Combs <rcombs () sourcefire com> wrote:

> Are you sure the packets are not being blocked?  The first block on a
> session is counted as blacklist.

Yes, with snort running as inline and DAQ listening on an IPFW divert
socket, the packets are not being blocked. (I am using an HTTP and
with snort running and rules being matched, browser is showing the
page)

> Have you tried using the dump DAQ?  Blocked / blacklisted packets won't
> appear in the output pcap.  Resets will appear in the output pcap.

I tested with dump after your email and it works fine using dump DAQ,
with the output pcap showing reset packets.

Here are the detailed test results:

I have uploaded my snort.conf at http://pastebin.com/gg1hx3J4


IPFW:
snort --daq ipfw --daq-var port=8100 -Q -c snort.conf

Packet capture coming in to the server:  http://pastebin.com/fpudZ3iq
Packet capture going out from server:  http://pastebin.com/0FF94G5r

Packet I/O Totals:
   Received:            7
   Analyzed:            7 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12

Action Stats:
     Alerts:            7 (100.000%)
     Logged:            7 (100.000%)
     Passed:            0 (  0.000%)
Match Limit:            0
Queue Limit:            0
  Log Limit:            0
Event Limit:            0
Verdicts:
      Allow:            0 (  0.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 (100.000%)
     Ignore:            0 (  0.000%)


Dump:
snort --daq dump --daq-var load-mode=read-file -r
/root/snort-pcap/replay.pcap -Q -c snort.conf

Packet capture coming in:  http://pastebin.com/Vx90iRFM
Packet capture going out:  http://pastebin.com/0dTNmBpg

Packet I/O Totals:
   Received:           10
   Analyzed:           10 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           10

Action Stats:
     Alerts:            5 ( 50.000%)
     Logged:            5 ( 50.000%)
     Passed:            0 (  0.000%)
Match Limit:            0
Queue Limit:            0
  Log Limit:            0
Event Limit:            0
Verdicts:
      Allow:            0 (  0.000%)
      Block:            5 ( 50.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            5 ( 50.000%)
     Ignore:            0 (  0.000%)

One difference I can see is that there are 5 Blocked packets in dump,
but IPFW does not show any dropped packets, but both commands show
blacklisted packets.

Do let me know if any further details are needed from my side,

with regards,

raj
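The comparison raj does by eye above (Block vs. Blacklist vs. Injected across the ipfw and dump runs) can be scripted. The following is an added example, not Snort's code or anything posted in the thread: it parses the "Packet I/O Totals" / "Action Stats" / "Verdicts" block Snort prints at exit, treats Block and Blacklist together as drop verdicts (as Russ notes, the first block on a session is reported as Blacklist), and diffs two runs. The sample counters are copied from the two runs above, trimmed to the lines the summary uses.

```python
import re

# Added example, not Snort's own code: parse Snort's end-of-run counters.
SECTION_RE = re.compile(r"^(Packet I/O Totals|Action Stats|Verdicts):$")
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(\d+)(?:\s+\(\s*[\d.]+%\))?\s*$")
def parse_snort_stats(text):
    """Return {section: {counter: int}} for one Snort summary block."""
    stats, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section = m.group(1)
            stats[section] = {}
        elif section is not None:
            m = COUNTER_RE.match(line)
            if m:
                stats[section][m.group(1).strip()] = int(m.group(2))
    return stats

def blocking_summary(stats):
    """Block + Blacklist are both drop verdicts (the thread notes the first block
    on a session is reported as Blacklist); Injected counts packets Snort sent."""
    io, v = stats["Packet I/O Totals"], stats["Verdicts"]
    dropped = v.get("Block", 0) + v.get("Blacklist", 0)
    return {
        "analyzed": io["Analyzed"],
        "dropped": dropped,
        "forwarded": io["Analyzed"] - dropped,
        "injected": io.get("Injected", 0),
    }

def compare_runs(a, b):
    """Summary fields that differ between two runs, e.g. ipfw vs dump DAQ."""
    sa, sb = blocking_summary(a), blocking_summary(b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}
# Counters from the ipfw and dump runs in the post, trimmed to the lines used.
IPFW_RUN = """Packet I/O Totals:
   Analyzed:            7 (100.000%)
   Injected:           12
Verdicts:
      Block:            0 (  0.000%)
  Blacklist:            7 (100.000%)
"""
DUMP_RUN = """Packet I/O Totals:
   Analyzed:           10 (100.000%)
   Injected:           10
Verdicts:
      Block:            5 ( 50.000%)
  Blacklist:            5 ( 50.000%)
"""
```

For the ipfw run the summary reports every analyzed packet as dropped and none forwarded, which is exactly what makes the browser still receiving the page worth chasing on the divert side rather than in the rules.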
