Snort mailing list archives
Re: Snort/ipfw daq doesn't drop packets under OpenBSD
From: "Driton Belushi" <dritonbelushi () gmx com>
Date: Mon, 22 Apr 2013 09:14:09 +0200
Hello,

Can we say that dropping packets feature of Snort under OpenBSD with inline ipfw daq is unsupported or buggy?

Thanks.

--
Driton Belushi

----- Original Message -----
From: Driton Belushi
Sent: 04/19/13 08:07 PM
To: snort-users () lists sourceforge net
Subject: Snort/ipfw daq doesn't drop packets under OpenBSD

Hi @snort-users,

I'm trying to run snort as an IPS under OpenBSD 5.3-current. I see packets which are diverted by PF on snort and also at alert file. But snort doesn't drop packets although it matches with rules; only logs to alert file. I supply my config files and logs. Also I can send anything related to this issue.

Snort config
http://88.198.38.215/lteo/snort.conf

# cat /etc/rc.d/snort
#!/bin/sh
#
# $OpenBSD: snort.rc,v 1.1 2012/10/11 02:40:48 lteo Exp $

daemon="/usr/local/bin/snort -D -Q -k none"
daemon_flags="-c /etc/snort/snort.conf -u root -g wheel -t /var/snort -l /var/snort/log"

. /etc/rc.d/rc.subr

rc_cmd $1

# cat /etc/snort/rules/custom.rules
drop icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)

Alert file
http://88.198.38.215/lteo/alert

# uname -a
OpenBSD snort.test.com 5.3 GENERIC.MP#127 i386

# snort --daq-dir /usr/local/lib/daq/ --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv

# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.1 GRE (Build 69)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using OpenBSD libpcap
           Using PCRE version: 8.32 2012-11-30
           Using ZLIB version: 1.2.3

Can anyone help with this issue please?

--
Best regards
Driton Belushi
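When troubleshooting a rule set that alerts but never blocks, the first thing to confirm is that every rule meant to block actually carries a blocking action (drop, sdrop or reject) rather than alert. The following parser for the Snort 2.x rule format shown in custom.rules above is an added example, not code from this thread or from the Snort project; the sample input is a constructed copy of the two rules quoted in the message.

```python
import re

# Constructed sample input: the two rules quoted from /etc/snort/rules/custom.rules.
SAMPLE_RULES = """\
# custom.rules (sample copied from the message)
drop icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Snort 2.x actions that can block traffic when running inline (-Q).
BLOCKING_ACTIONS = ('drop', 'sdrop', 'reject')


def split_options(opts):
    """Split 'key:value; key2:value2;' on ';' that sit outside double quotes."""
    fields, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            fields.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if ''.join(buf).strip():
        fields.append(''.join(buf).strip())
    result = {}
    for field in fields:
        key, _, val = field.partition(':')
        result[key.strip()] = val.strip().strip('"')
    return result


def parse_rules(text):
    """Parse a rules file into dicts; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        match = HEADER_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not a Snort rule: {line!r}")
        rule = match.groupdict()
        rule['options'] = split_options(rule.pop('opts'))
        rule['line'] = lineno
        rules.append(rule)
    return rules


def non_blocking_sids(rules):
    """SIDs of rules whose action only alerts/logs and can never drop inline."""
    return [r['options'].get('sid') for r in rules if r['action'] not in BLOCKING_ACTIONS]
```

If the list returned by non_blocking_sids is empty, as it is for the two rules above, the rule actions are not the reason the traffic passes, and the DAQ mode and the PF divert setup are the next things to inspect.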
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!