Snort mailing list archives
Re: Snort++: Bugs?
From: Russ <rucombs () cisco com>
Date: Wed, 29 Apr 2015 10:02:46 -0400
Unable to reproduce the second issue below. Can you provide more details (like conf, command line, pcap)?

Thanks
Russ

On 4/27/15 8:04 AM, Russ wrote:
> Thanks, comments below.
>
> On 4/27/15 7:39 AM, Sancho Panza wrote:
>> Hello,
>>
>> I've noticed some strange things which I think are bugs:
>>
>> 1: Running Snort in Inline Mode, I have to specify an interface so as to let Snort know I don't just want to perform a test run (which Russ already said is a bug). But: the interface name provided is later written into DAQ_Config_t cfg.name (see DAQ_New() in packet_io). Alas, the daq_nfq.c module won't accept that (nfq_daq_initialize in os-daq-modules/daq_nfq.c):
>>
>>     if(cfg->name && *(cfg->name))
>>     {
>>         snprintf(errBuf, errMax, "The nfq DAQ module does not support interface or readback mode!");
>>         return DAQ_ERROR_INVAL;
>>     }
>
> Not surprised there. We'll get this one fixed ASAP.
>
>> 2) After fixing (1) for myself, I wanted to test the Inline Mode. I defined a rule as simple as:
>>
>>     drop ip any any -> any any ( msg:"Drop Test"; classtype:trojan-activity; sid:424242; rev:5; )
>>
>> Then I tried to send ICMP ECHO REQUEST packets from host A to host B. The packets were indeed dropped, but I wouldn't see the alert. After adding some debug statements, I came across the following piece of code in fpLogEvent(...) (file fpdetect.cc):
>
> Will look into this.
>
>>     if ((p->packet_flags & PKT_STREAM_UNEST_UNI) && ScAssureEstablished()
>>         && (!(p->packet_flags & PKT_REBUILT_STREAM)) && (otn->stateless == 0))
>>     {
>>         // We still want to drop packets that are drop rules.
>>         // We just don't want to see the alert.
>>         if ( block_action(rtn->type) )
>>             Active_DropSession(p);
>>         fpLogOther(p, rtn, otn, rtn->type);
>>         return 1;
>>     }
>>
>> It turns out my ICMP echo request packets weren't considered "established". So after some more searching in the code, I came across the two possibilities I had to avoid this code path. The first consists of adding "flow: stateless" to the rule definition - that works fine. The second consists of setting the "stateful" parameter of the "alerts" module to "false".
>> Just looking at the definition of alerts_params in main/modules.cc, you would think the "stateful" option is disabled by default:
>>
>>     { "stateful", Parameter::PT_BOOL, nullptr, "false",
>>       "don't alert w/o established session (note: rule action still taken)" },
>
> This is a known issue.
>
>> Alas, the default "false" definition seems to have no effect at all! What's worse, in your snort.lua, you can't even say:
>>
>>     alerts = { stateful: false }
>>
>> Well, you CAN say it, but a quick look at AlertsModule::set (file main/modules.cc) reveals that no matter what actual *value* you specify, the option will always be enabled:
>>
>>     else if ( v.is("stateful") )
>>     {
>>         //NOTE: no check for true or false!!!
>>         sc->run_flags |= RUN_FLAG__ASSURE_EST;
>>     }

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
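The two code paths quoted in the thread (the "stateful" branch of AlertsModule::set and the established-session gate in fpLogEvent) modelled side by side, as an added example that is not Snort++ project code and not from either poster. The bit values, the Value and SnortConfig stand-ins, and set_stateful_checked (one way the setter could honour the boolean) are assumptions made for the example; the point it shows is why "stateful = false" had no effect with the quoted setter while "flow:stateless" on the rule still bypassed the suppression.

```cpp
// Added example, not Snort++ code: a minimal model of the two code paths
// quoted in the thread. Constants, struct names and the "checked" setter
// are constructed stand-ins, not the real Snort++ definitions.
#include <cstdint>
#include <iostream>
#include <string>

constexpr uint32_t RUN_FLAG__ASSURE_EST = 0x01; // placeholder bit value
constexpr uint32_t PKT_STREAM_UNEST_UNI = 0x02; // placeholder bit value
constexpr uint32_t PKT_REBUILT_STREAM   = 0x04; // placeholder bit value

// Stand-in for the parsed config value handed to Module::set().
struct Value {
    std::string key;
    bool b;
    bool is(const char* k) const { return key == k; }
    bool get_bool() const { return b; }
};

struct SnortConfig { uint32_t run_flags = 0; };

// Form quoted in the thread: the flag is OR'ed in whenever the key is
// present, so the boolean value is never consulted.
void set_stateful_as_quoted(SnortConfig& sc, const Value& v) {
    if (v.is("stateful"))
        sc.run_flags |= RUN_FLAG__ASSURE_EST;
}

// One possible corrected form (assumed, not the project's actual fix):
// set the bit for true, clear it for false.
void set_stateful_checked(SnortConfig& sc, const Value& v) {
    if (v.is("stateful")) {
        if (v.get_bool())
            sc.run_flags |= RUN_FLAG__ASSURE_EST;
        else
            sc.run_flags &= ~RUN_FLAG__ASSURE_EST;
    }
}

// Model of the fpLogEvent gate: true means the alert is withheld
// (in the real code the rule action, e.g. drop, is still taken).
bool alert_suppressed(uint32_t packet_flags, const SnortConfig& sc, bool rule_stateless) {
    return (packet_flags & PKT_STREAM_UNEST_UNI)
        && (sc.run_flags & RUN_FLAG__ASSURE_EST)
        && !(packet_flags & PKT_REBUILT_STREAM)
        && !rule_stateless;
}

// Puts the pieces together for one packet. An unestablished, non-rebuilt
// packet (the ICMP echo in the thread) carries PKT_STREAM_UNEST_UNI;
// an established one carries neither flag in this model.
bool alert_visible(bool use_checked_setter, bool stateful_setting,
                   bool rule_stateless, bool session_established) {
    SnortConfig sc;
    Value v{"stateful", stateful_setting};
    if (use_checked_setter)
        set_stateful_checked(sc, v);
    else
        set_stateful_as_quoted(sc, v);
    uint32_t flags = session_established ? 0 : PKT_STREAM_UNEST_UNI;
    return !alert_suppressed(flags, sc, rule_stateless);
}

int main() {
    std::cout << "quoted setter, stateful=false, unestablished ICMP: alert visible = "
              << alert_visible(false, false, false, false) << "\n";
    std::cout << "checked setter, stateful=false, unestablished ICMP: alert visible = "
              << alert_visible(true, false, false, false) << "\n";
    std::cout << "quoted setter, rule has flow:stateless:             alert visible = "
              << alert_visible(false, false, true, false) << "\n";
    return 0;
}
```

With the quoted setter the first line prints 0: the presence of the key alone sets RUN_FLAG__ASSURE_EST, so the unestablished ICMP packet is dropped without an alert even though the config says false. The checked setter prints 1 for the same input, and a stateless rule prints 1 under either setter, which matches the two workarounds described in the thread.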
Current thread:
- Snort++: Bugs? Sancho Panza (Apr 27)
- Re: Snort++: Bugs? Russ (Apr 27)
- Re: Snort++: Bugs? Russ (Apr 29)
- Re: Snort++: Bugs? Sancho Panza (Apr 29)
- Re: Snort++: Bugs? Russ (Apr 30)
- Re: Snort++: Bugs? Sancho Panza (May 04)
- Re: Snort++: Bugs? Russ (May 04)
- Re: Snort++: Bugs? Russ (Apr 29)
- Re: Snort++: Bugs? Russ (Apr 27)