Snort mailing list archives
FreeBSD, snort does not block packets in inline mode
From: Dmitry <z1nkum () gmail com>
Date: Mon, 22 Oct 2012 12:22:05 +0400
Hello,

FreeBSD 9.0-RELEASE #0
snort-2.9.3.1
daq-1.1.1

Similar to http://seclists.org/snort/2011/q1/237 - Snort in inline mode works "strange": it always logs to alert, but packets are not blocked.

ipfw divert:
divert 8100 tcp from any to any dst-port 80 in recv em0

Snort cmd:
snort -vQ -d -c /usr/local/etc/snort/snort.conf --daq ipfw --daq-var port=8100 -i em0 port 80

[em0] - interface to home net

Test rules:
drop tcp any any -> any 80 (msg:"test site req blocked 1"; content:"Host: ya.ru"; resp:rst_all; sid:112227; rev:1;)
drop tcp any any -> any 80 (msg:"test site req blocked 2"; content:"Host: ya.ru"; react:msg; sid:112228; rev:1;)

Alert logs:
[**] [1:112228:1] test site req blocked 2 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1 Ack: 0x69D405E0 Win: 0xFC00 TcpLen: 20

[**] [1:112227:1] test site req blocked 1 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1 Ack: 0x69D405E0 Win: 0xFC00 TcpLen: 20

Verbose log: http://pastebin.com/dAmE4E8K
Config: http://pastebin.com/Y2tEZiaJ

And on both interfaces I can't see any RST packets:
# tcpdump -ln -i em0 port 80 and 'tcp[13] & 4!=0'
# tcpdump -ln -i em1 port 80 and 'tcp[13] & 4!=0'

And no react page going back to the client (I've tried just a react rule, without resp:rst_all).

At the same time, if I use non-inline mode, I see the react page in ~50% of cases (as I understand, it depends on whose packet will arrive sooner).
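The two alert entries quoted in the post carry the same timestamp, 5-tuple, IP ID and TCP sequence number, so both drop rules fired on one packet that was nonetheless not dropped. As an added example (not from the post and not Snort's own code), here is a small Python parser for this full-format alert layout that groups entries by packet identity; SAMPLE is a constructed copy of the two entries above.

```python
# Added example, not from the original post: parse Snort "full" alert entries
# and group them by packet identity (same 5-tuple, IP ID and TCP Seq).
import re
from collections import defaultdict

# Constructed sample in the same layout as the alert log in the post.
SAMPLE = """[**] [1:112228:1] test site req blocked 2 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1 Ack: 0x69D405E0 Win: 0xFC00 TcpLen: 20

[**] [1:112227:1] test site req blocked 1 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1 Ack: 0x69D405E0 Win: 0xFC00 TcpLen: 20
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
FLOW = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IPHDR = re.compile(r"^(\w+) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:(\d+)")
SEQ = re.compile(r"Seq: (0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Return one dict per alert entry; entries are separated by blank lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 5:
            continue  # not a complete full-format entry
        h, f, ip = HEADER.match(lines[0]), FLOW.match(lines[2]), IPHDR.match(lines[3])
        seq = SEQ.search(lines[4])
        if not (h and f and ip):
            continue
        alerts.append({
            "sid": int(h.group(2)), "msg": h.group(4), "ts": f.group(1),
            "src": f.group(2), "sport": int(f.group(3)),
            "dst": f.group(4), "dport": int(f.group(5)),
            "ip_id": int(ip.group(3)), "seq": seq.group(1) if seq else None,
        })
    return alerts

def group_by_packet(alerts):
    """Map a packet identity to the sids that fired on it; more than one sid
    under a key means several rules alerted on the same packet."""
    groups = defaultdict(list)
    for a in alerts:
        key = (a["ts"], a["src"], a["sport"], a["dst"], a["dport"], a["ip_id"], a["seq"])
        groups[key].append(a["sid"])
    return {k: sorted(v) for k, v in groups.items()}
```

Running it on the real alert file (e.g. `group_by_packet(parse_alerts(open("alert").read()))`) shows which rules fire on the same packet; for an inline deployment that is working, a packet matched by a drop rule should also be absent from a capture on the outbound interface.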