Snort mailing list archives
Re: Snort 2.9.6.2 inline mode problem
From: Y M <snort () outlook com>
Date: Sun, 24 Aug 2014 05:34:03 +0000
inline.

Date: Sun, 24 Aug 2014 05:02:13 +0200
From: demonsdebason () gmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort 2.9.6.2 inline mode problem

Hi all.

I've been working on my Snort IPS for some time now. Noticed that 'drop' rules are working half-way; I have set the test rule to drop ICMP coming to the sensor from local machine:

drop icmp 192.168.1.2 any -> 192.168.1.1 any (msg: "Test rule"; sid:110011;)

Alerts get logged and I can view them via BASE, but when I ping from .2 to .1 I get this:

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1 : icmp_seq=1 ttl=64 time=0.216 ms
From 192.168.1.1 icmp_seq=1 Destination Port Unreachable
64 bytes from 192.168.1.1 : icmp_seq=2 ttl=64 time=0.269 ms
From 192.168.1.1 icmp_seq=2 Destination Port Unreachable
64 bytes from 192.168.1.1 : icmp_seq=3 ttl=64 time=0.221 ms

So some of them are getting 'blocked'. When I shutdown Snort it's all fine:

64 bytes from 192.168.1.1 : icmp_seq=8 ttl=64 time=0.226 ms
64 bytes from 192.168.1.1 : icmp_seq=9 ttl=64 time=0.201 ms
64 bytes from 192.168.1.1 : icmp_seq=10 ttl=64 time=0.253 ms
64 bytes from 192.168.1.1 : icmp_seq=11 ttl=64 time=0.204 ms

Here is my info:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

+++++++++++++++++++++++++++
snort 41104 4.6 2.0 1675528 1342832 ? Ssl 04:48 0:00 /usr/sbin/snort -D -i eth1::eth2 -u snort -g snort -c /etc/snort/snort.conf -Q --daq-mode inline -k none
+++++++++++++++++++++++++++

# Looks like you have double colons "eth1::eth2", as opposed to one colon "eth1:eth2". Not sure if the double colons are causing the partial drops.

snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

++++++++++++++++++++++++++
snort.conf:
config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=1024

I've tried dropping all the ICMPs in the iptables, results are as expected, but Snort still logs the alerts. Do you have any idea what is the issue here?

# Does Snort log the requests or replies or both? I would imagine if the NIC is promiscuous, then it would still see the requests.

--
Aut viam inveniam aut faciam
:wq!

------------------------------------------------------------------------------
Slashdot TV. Video for Nerds. Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
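An added check for the two points raised in the thread above (the `eth1::eth2` interface string and what the ping output actually says about the drop rule); this is example code written here, not part of the original messages or of Snort. It assumes the afpacket DAQ convention that ':' joins one bridged pair and '::' separates several pairs, and uses the ping output quoted above as constructed input.

```python
import re

# Constructed sample: the ping output quoted in the original post.
PING_OUTPUT = """\
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1 : icmp_seq=1 ttl=64 time=0.216 ms
From 192.168.1.1 icmp_seq=1 Destination Port Unreachable
64 bytes from 192.168.1.1 : icmp_seq=2 ttl=64 time=0.269 ms
From 192.168.1.1 icmp_seq=2 Destination Port Unreachable
64 bytes from 192.168.1.1 : icmp_seq=3 ttl=64 time=0.221 ms
"""

# Echo reply line (with or without the space before the colon) and the ICMP error line.
REPLY_RE = re.compile(r"^\d+ bytes from \S+ ?: icmp_seq=(\d+)")
UNREACH_RE = re.compile(r"^From \S+ icmp_seq=(\d+) .*Unreachable")


def check_afpacket_inline_spec(spec):
    """Validate an afpacket inline interface string such as 'eth1:eth2'.

    afpacket bridges pairs joined by ':' and separates pairs with '::'
    (eth0:eth1::eth2:eth3), so 'eth1::eth2' parses as two half-pairs.
    Returns a list of problems; an empty list means the spec is well formed.
    """
    problems = []
    for pair in spec.split("::"):
        names = pair.split(":")
        if len(names) != 2 or not all(names):
            problems.append(f"'{pair}' is not an interface pair")
        elif names[0] == names[1]:
            problems.append(f"'{pair}' bridges an interface to itself")
    return problems


def classify_ping(output):
    """Map each icmp_seq to 'replied' if an echo reply arrived, else 'unreachable'.

    A drop rule that really enforces leaves no echo reply for that seq;
    a seq that still shows a reply was passed by the IPS.
    """
    status = {}
    for line in output.splitlines():
        m = REPLY_RE.match(line)
        if m:
            status[int(m.group(1))] = "replied"
            continue
        m = UNREACH_RE.match(line)
        if m:
            status.setdefault(int(m.group(1)), "unreachable")
    return status


def drop_effectiveness(output):
    """Return (replied, total): how many probes the rule let through."""
    status = classify_ping(output)
    return sum(1 for s in status.values() if s == "replied"), len(status)
```

On the quoted output every sequence number still receives an echo reply, so the rule is not actually dropping; the 'Destination Port Unreachable' lines are extra ICMP errors, not evidence of a block.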