Snort mailing list archives
Re: preprocessor drop packets issues
From: Han Zhang <zhanghan0116 () gmail com>
Date: Tue, 10 Dec 2013 12:29:29 -0700
Hi Ed,

Thank you for your reply. You are right, I need to run Snort in inline mode. Besides that, there are two related functions I need to call, DisableAllDetect() and Active_DropPacket(). Function Active_DropPacket is used to drop the packets. When Snort runs in inline mode, the packets that are not dropped can be stored in the file specified by "--daq-var file" on the command line. Function DisableAllDetect is used to disable the other detectors in the preprocessor as well as the rules in the detection engine. If I don't use this function, the dropped packets in the preprocessor still go to the detection engine and trigger the alerts, which is not what I want to see.

Finally, I solved the problem by calling these two functions. Tons of thanks for your help.

Han

On Tue, Dec 10, 2013 at 12:03 PM, Ed Borgoyn (eborgoyn) <eborgoyn () cisco com> wrote:
Hello Han,

Are you sure the Active_DropPacket() is being called? Can you see this via a LogMessage() or perhaps the debugger?

Are you configured to be in INLINE mode? This is necessary to permit Snort to drop packets.

Is all traffic being forwarded and you are not seeing the port==80 packets dropped? Is this your observation?

Ed

From: Han Zhang <zhanghan0116 () gmail com>
Date: Friday, December 6, 2013 8:04 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] preprocessor drop packets issues

Hi all,

I'm currently writing a Snort preprocessor, which tries to drop some packets before they go to the detection engine and trigger any rules. I tried the function Active_DropPacket(), but it doesn't work. I attached my code here; for test purposes, this code just drops all the HTTP packets. I could see the output "Got a packet", which means this preprocessor was called. But it did not drop any HTTP packet. Was I using the wrong function to drop the packet? Any comment is appreciated.

    /* Fragment of a built-in (static) Snort 2.9 preprocessor: entropy_config,
     * the EntropyConfig type and the Snort headers are defined elsewhere in
     * the same source file. Registered as the per-packet callback. */
    static void Detection(Packet *p, void *context)
    {
        /* Posted as "TestConfig *entropy"; the cast below uses EntropyConfig,
         * so the declaration is made consistent with it here. */
        EntropyConfig *entropy = NULL;
        (void)context;   /* unused by this callback */

        LogMessage("Got a packet\n");

        /* Select the per-policy configuration for the packet's runtime policy */
        sfPolicyUserPolicySet(entropy_config, getRuntimePolicy());
        entropy = (EntropyConfig *)sfPolicyUserDataGetCurrent(entropy_config);

        /* Not configured in this policy */
        if (entropy == NULL)
            return;

        /* Test logic: drop every packet whose source port is 80 (HTTP) */
        if (p->sp == 80)
        {
            Active_DropPacket();
            //Active_ForceDropPacket();
            //Active_ForceDropAction(p);
            //Active_ForceDropSession();
        }
        return;
    }

--
Thanks
Han
--
Thanks
Han
------------------------------------------------------------
Department of Computer Science
Colorado State University
Fort Collins, CO, USA
------------------------------------------------------------
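The two conditions the reply above settles on (inline mode is required before Active_DropPacket() has any effect, and DisableAllDetect() is what keeps an already-dropped packet from reaching the rules engine and raising alerts) are shown below in a self-contained C model. This is an added example, not code from the thread or from the Snort project: the Pkt struct, the model_* functions, the single toy rule, the sample packets and the verdict/alert counters are constructed stand-ins for Snort's Packet, Active_DropPacket(), DisableAllDetect() and detection engine, built so the four mode combinations can be run and compared without linking against Snort.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the Snort Packet struct: only the field the
 * posted preprocessor reads (sp, the source port) plus a payload for the
 * toy rules stage below. */
typedef struct {
    unsigned short sp;      /* source port */
    unsigned short dp;      /* destination port */
    const char *payload;    /* application data, constructed sample text */
} Pkt;

/* DAQ-style outcome for the packet */
enum Verdict { VERDICT_PASS = 0, VERDICT_BLOCK = 1 };

/* Per-packet state; models the pieces of Snort the thread touches */
typedef struct {
    int inline_mode;     /* 1 when Snort runs inline (IPS), 0 when passive */
    int drop_requested;  /* set by the Active_DropPacket() stand-in */
    int detect_disabled; /* set by the DisableAllDetect() stand-in */
    int alerts;          /* alerts raised by the rules stage */
} RunState;

/* Stand-in for Active_DropPacket(): per Ed's reply, a drop request only
 * takes effect when Snort is configured inline. */
static void model_active_drop_packet(RunState *s)
{
    if (s->inline_mode)
        s->drop_requested = 1;
}

/* Stand-in for DisableAllDetect(): skip remaining detection for this packet */
static void model_disable_all_detect(RunState *s)
{
    s->detect_disabled = 1;
}

/* The preprocessor logic from the thread: drop packets from source port 80 */
static void http_drop_preprocessor(const Pkt *p, RunState *s, int call_disable_detect)
{
    if (p->sp != 80)
        return;
    model_active_drop_packet(s);
    if (call_disable_detect)
        model_disable_all_detect(s);
}

/* Toy rules stage standing in for the detection engine: one constructed
 * content match that alerts on any HTTP 200 response. */
static void model_rules_stage(const Pkt *p, RunState *s)
{
    if (s->detect_disabled)
        return;
    if (p->payload && strstr(p->payload, "HTTP/1.1 200") != NULL)
        s->alerts++;
}

/* Run one packet through preprocessor and rules; fills verdict and alert count */
static void run_pipeline(const Pkt *p, int inline_mode, int call_disable_detect,
                         int *verdict, int *alerts)
{
    RunState s = { inline_mode, 0, 0, 0 };
    http_drop_preprocessor(p, &s, call_disable_detect);
    model_rules_stage(p, &s);
    *verdict = s.drop_requested ? VERDICT_BLOCK : VERDICT_PASS;
    *alerts = s.alerts;
}

int verdict_for(const Pkt *p, int inline_mode, int call_disable_detect)
{
    int v, a;
    run_pipeline(p, inline_mode, call_disable_detect, &v, &a);
    return v;
}

int alerts_for(const Pkt *p, int inline_mode, int call_disable_detect)
{
    int v, a;
    run_pipeline(p, inline_mode, call_disable_detect, &v, &a);
    return a;
}

/* Constructed sample packets */
const Pkt SAMPLE_HTTP_RESPONSE = { 80, 40000, "HTTP/1.1 200 OK\r\n" };
const Pkt SAMPLE_SSH_PACKET    = { 22, 40001, "SSH-2.0-constructed\r\n" };

int main(void)
{
    const Pkt *pk[] = { &SAMPLE_HTTP_RESPONSE, &SAMPLE_SSH_PACKET };
    const char *names[] = { "http response", "ssh packet" };
    int i, m, d;
    for (i = 0; i < 2; i++)
        for (m = 0; m < 2; m++)
            for (d = 0; d < 2; d++)
                printf("%-13s inline=%d DisableAllDetect=%d -> %s, alerts=%d\n",
                       names[i], m, d,
                       verdict_for(pk[i], m, d) == VERDICT_BLOCK ? "BLOCK" : "PASS",
                       alerts_for(pk[i], m, d));
    return 0;
}
```

Running it prints the eight combinations; the row that matches the problem in the original post is the passive-mode HTTP response (PASS, one alert), and the row that matches the fix is inline mode with DisableAllDetect (BLOCK, no alert). Inline mode without DisableAllDetect shows the intermediate state Han describes: the packet is blocked, yet the rules stage still alerts on it.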
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- preprocessor drop packets issues Han Zhang (Dec 10)
- Re: preprocessor drop packets issues Ed Borgoyn (eborgoyn) (Dec 11)
- Re: preprocessor drop packets issues Han Zhang (Dec 11)
- Re: preprocessor drop packets issues Ed Borgoyn (eborgoyn) (Dec 11)