Snort mailing list archives

Re: snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop


From: Robert Greenhouse <rgreenhouse413 () gmail com>
Date: Fri, 16 Aug 2013 14:08:01 -0400

YM,

Available DAQ modules:
pcap(v3): readback live multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

We also changed the command line to -Q -c, removed the forward rules from iptables, and used icmp sid:389 in drop 
mode.
Snort is still not blocking?

Can you please help us solve this critical issue.

BTW, Snort was compiled with --enable-inline.

Thanks,
Richard
 

From: Y M 
Sent: Friday, August 16, 2013 12:05 PM
To: Robert Greenhouse ; snort-users () lists sourceforge net 
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is 
set to drop

If you run /snort/bin/snort --daq-list what is the output of the command?

What does your command look like after the changes? I would also separate the "-Qc" such as "-Q -c". -Q forces Snort 
into inline mode.


What rules are you using to see that you are actually dropping? I would start with one simple rule such as sid:389, 
converting it to drop, and test whether you drop icmp. 


afpacket does not rely on iptables to drop packets. If you remove the forward rules from your iptables and test, what 
happens? We use afpacket and did not configure the iptables the way you did.


A helpful post on the VRT blog: http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html


p.s.: please post to the list as it is of everyone's interest :)


Thanks.
YM


--------------------------------------------------------------------------------
From: rgreenhouse413 () gmail com
To: snort () outlook com; rgreenhouse413 () gmail com
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is 
set to drop
Date: Fri, 16 Aug 2013 10:25:30 -0400


Thank you for your response.
I removed "--treat-drop-as-alert", but we are still not blocking?
Can you suggest any other action I can take?

Thanks,
Richard


From: Y M 
Sent: Thursday, August 15, 2013 6:36 PM
To: Robert Greenhouse 
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is 
set to drop

I see from the command that you are using "--treat-drop-as-alert", is there a reason for that? Have a look at the last 
table on  http://manual.snort.org/node11.html from Snort's online documentation: 

Adapter Mode | Snort args               | config policy_mode | Drop Rule Handling
Inline       | -Q --treat-drop-as-alert | inline             | Alert


--------------------------------------------------------------------------------
From: rgreenhouse413 () gmail com
To: snort () outlook com
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is 
set to drop
Date: Thu, 15 Aug 2013 18:28:12 -0400


Thanks, Much appreciated. 
I have done what you suggested, but I am still not blocking. Here is the command line:

/snort/bin/snort -Qc /snort/etc/snort.conf -d --treat-drop-as-alert --daq afpacket --daq-mode inline --daq-dir 
/snort/daq/lib64/daq -l /snort/logs -i eth0:eth1 --daq-var buffer_size_mb=512 --daq-var debug &

Here is our iptables:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT

And I have modified snort.conf to include:

config policy_mode:inline

Your help is much appreciated..

Thanks,
Richard



From: Y M 
Sent: Thursday, August 15, 2013 5:16 PM
To: Robert Greenhouse ; snort-users () lists sourceforge net 
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is 
set to drop


Sorry I missed that --> you also need to add the -Q to your command.


--------------------------------------------------------------------------------
To: rgreenhouse413 () gmail com; snort-users () lists sourceforge net
From: snort () outlook com
Date: Fri, 16 Aug 2013 00:08:55 +0300
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is 
set to drop


Does adding --daq-mode inline to your command and config policy_mode:inline to your snort configuration file change the 
behavior?


--------------------------------------------------------------------------------
From: Robert Greenhouse
Sent: 8/15/2013 11:45 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set 
to drop


Hi,
snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop?
We have our system setup to inline mode using afpacket (./snort --daq afpacket -i eth0:eth1).

Also have iptables configured to: 

iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

Why doesn’t snort drop the packet when the rule fires?

This is a major problem

Thanks,
Richard
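
As an added example (not part of this thread, and not Snort's own tooling): a small POSIX shell script that checks a 
Snort 2.9.x afpacket inline command line and a snort.conf fragment for the settings the thread went through (-Q 
present, --treat-drop-as-alert absent, --daq afpacket with a bridged -i pair, config policy_mode:inline), and rewrites a 
rule's action from alert to drop. The command lines in it are constructed copies of the ones posted above with paths 
shortened; the function names, the local rule and its sid are hypothetical, and the script does not start Snort.

```shell
#!/bin/sh
# Added example, not from the thread and not part of Snort: static checks for
# a Snort 2.9.x afpacket inline deployment.  It covers the points raised above:
# -Q present, --treat-drop-as-alert absent, --daq afpacket selected with a
# bridged interface pair, and "config policy_mode:inline" in snort.conf.
# Pure string handling; it does not run Snort.  Function names are hypothetical.

# check_inline_cmdline CMDLINE
# Prints one line per problem found; returns 1 if any, 0 if the arguments look right.
check_inline_cmdline() {
    cmd=" $1 "          # pad so every flag can be matched as " -flag "
    rc=0

    # -Q forces inline mode.  Without it afpacket runs passively and drop
    # rules only alert.  "-Qc" (combined short options) also matches.
    case "$cmd" in
        *" -Q"*) ;;
        *) echo "missing -Q: Snort is not forced into inline mode"; rc=1 ;;
    esac

    # --treat-drop-as-alert turns every drop rule into an alert even when inline.
    case "$cmd" in
        *" --treat-drop-as-alert "*)
            echo "remove --treat-drop-as-alert: drop rules are handled as alerts"; rc=1 ;;
    esac

    # afpacket must be the selected DAQ module; it bridges the two interfaces
    # itself and does not depend on iptables FORWARD rules.
    case "$cmd" in
        *" --daq afpacket "*) ;;
        *) echo "missing --daq afpacket"; rc=1 ;;
    esac

    # Inline afpacket needs a bridged pair, -i ethA:ethB, not a single interface.
    iface=$(printf '%s' "$cmd" | sed -n 's/.* -i \([^ ]*\).*/\1/p')
    case "$iface" in
        *:*) ;;
        *) echo "-i must name a bridged pair such as eth0:eth1, got '${iface:-nothing}'"; rc=1 ;;
    esac

    return $rc
}

# check_policy_mode CONFIG_TEXT
# Returns 0 if the snort.conf text contains "config policy_mode:inline".
check_policy_mode() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*config[[:space:]]+policy_mode:[[:space:]]*inline([[:space:]]|$)'
}

# to_drop_rule RULE
# Changes a rule's action from alert to drop and leaves the rest untouched.
to_drop_rule() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*alert[[:space:]]\{1,\}/drop /'
}

# Constructed copies of the command lines posted in the thread (paths shortened).
FIRST_CMD='./snort --daq afpacket -i eth0:eth1'
BAD_CMD='/snort/bin/snort -Qc /snort/etc/snort.conf -d --treat-drop-as-alert --daq afpacket --daq-mode inline -l /snort/logs -i eth0:eth1'
GOOD_CMD='/snort/bin/snort -Q -c /snort/etc/snort.conf -d --daq afpacket --daq-mode inline -l /snort/logs -i eth0:eth1'
CONF_OK='config policy_mode:inline'

echo "== first command line =="
check_inline_cmdline "$FIRST_CMD" || echo "-> will not drop"
echo "== command line with --treat-drop-as-alert =="
check_inline_cmdline "$BAD_CMD" || echo "-> will not drop"
echo "== corrected command line =="
check_inline_cmdline "$GOOD_CMD" && check_policy_mode "$CONF_OK" && echo "-> inline arguments and policy_mode look right"
# Constructed local rule (hypothetical sid, not the VRT sid:389 text) converted to drop:
to_drop_rule 'alert icmp any any -> $HOME_NET any (msg:"ICMP echo test"; sid:1000001; rev:1;)'
```

Run it as `sh check_inline.sh` on a box without Snort; to check a real deployment, paste the exact command line from 
`ps` into check_inline_cmdline and the snort.conf contents into check_policy_mode, then confirm with 
`snort --daq-list` that the afpacket module is reported with the `inline` capability, as in the output quoted above.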


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
