Re: preprocessor drop packets issues

[Han Zhang <zhanghan0116 () gmail com>]

Hi Ed,

    Thank you for your reply.

    You are right, I need to run Snort in inline mode. Besides that, there
are two related functions I need to call, DisableAllDetect()
and Active_DropPacket().

    Function Active_DropPacket is used to drop the packets. When snort runs
as inline mode, the packets that are not dropped can be stored in the file
specified by "--daq-var file" from the command line.
    Function DisableAllDetect is used to disable the other detectors in
preprocessor as well as the rules in detection engine. If I don't use this
function, the dropped packets in preprocessor still go to the detection
engine and trigger the alerts, which is not I want to see.

    Finally, I solved the problem by calling these two functions

    Tons of thanks for your help.

Han




On Tue, Dec 10, 2013 at 12:03 PM, Ed Borgoyn (eborgoyn)
<eborgoyn () cisco com>wrote:

>  Hello Han,
>   Are you sure the Active_DropPacket() is being called?  Can you see this
> via a LogMessage() or perhaps the debugger?
>
>    Are you configured to be in INLINE mode?  This is necessary to permit
> Snort to drop packets.
>
>   Is all traffic being forwarded and you are not seeing the port==80
> packets dropped?  Is this your observation?
>
>      Ed
>
>
>   From: Han Zhang <zhanghan0116 () gmail com>
> Date: Friday, December 6, 2013 8:04 PM
> To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net
> >
> Subject: [Snort-devel] preprocessor drop packets issues
>
>
>  Hi all,
>
>           I'm currently writing a Snort preprocessor, which tries to drop
> some
> packets before it goes to the detection engine and triggers any rules. I
> tried function Active_DropPacket(); but it doesn't work.
>
>          I attached my code here, for test purpose, this code just drop
> all the HTTP packets. I could see output "Got a packet", which means this
> preprocessor was called. But it did not drop any HTTP packet. Was I using a
> wrong function to drop the packet? Any comment is appreciate.
>
>  static void Detection(Packet *p, void *context)
> {
>
>     TestConfig *entropy = NULL;
>
>      LogMessage("Got a packet\n");
>     sfPolicyUserPolicySet (entropy_config, getRuntimePolicy());
>     entropy = (EntropyConfig *)sfPolicyUserDataGetCurrent(entropy_config);
>
>      /* Not configured in this policy */
>     if (entropy == NULL)
>         return;
>
>      if(p->sp == 80)
>     {
>             Active_DropPacket();
>             //Active_ForceDropPacket();
>             //Active_ForceDropAction(p);
>             //Active_ForceDropSession();
>     }
>     return;
> }
>
>  --
> Thanks
> Han


-- 
Thanks
Han
------------------------------------------------------------
Department of Computer Science
Colorado State University
Fort Collins, CO, USA
------------------------------------------------------------

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!