Snort mailing list archives

Re: Re: snort with daq inline mode problem


From: pawelsw1 <pawelsw1 () o2 pl>
Date: Tue, 03 Apr 2018 09:50:55 +0200

I have Snort on a machine with two L3 interfaces and I started Snort in inline mode, but I see in Wireshark only a TCP
reset. My rules are set to drop the connection. I don't understand why the connection isn't dropping? Does the DAQ
module support L3 interfaces? Maybe I should start Snort on a machine with L2 interfaces in transparent mode?




On 3 April 2018 at 06:33, Joel Esler (jesler) <jesler () cisco com> wrote:

TCP resets are not good for attempting to stop a session in progress, since you are essentially creating a race
condition, hoping the RST gets to the machine in question before the ACK packet does.

 Our stance has been, and will remain, that you use Snort in IPS mode and simply drop the connection.




 --
 Joel Esler
 Manager
 Open Source, Design, Web, and Education
 Talos Group
 www.talosintelligence.com


 On Mar 31, 2018, at 4:14 AM, pawelsw1 () o2 pl wrote:




Hello,

 I have a problem with Snort. I see in the log that it is dropping the connection, but the TCP reset is sent after the operation is
completed (create or drop table in the database). I have a rule that checks whether a table in the database is dropped or created.

 Could you help me?

  

 drop tcp any any -> any 3306 (msg:"Block SQL Command : CREATE TABLE"; flow:from_client,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052203)

 snort -c /etc/snort/snort.conf -Q -i eth0:eth1 -A console

  

 [ Number of patterns truncated to 20 bytes: 0 ]
 afpacket DAQ configured to inline.
 Acquiring network traffic from "eth0:eth1".
 Reload thread starting...
 Reload thread started, thread 0x7f393bb31700 (11945)

         --== Initialization Complete ==--

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.11.1 GRE (Build 268)
    ''''    By Martin Roesch & The Snort Team: www.snort.org
            Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.5.3
            Using PCRE version: 8.32 2012-11-30
            Using ZLIB version: 1.2.7

            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 3.0  <Build 1>
            Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
            Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
            Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
            Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
            Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
            Preprocessor Object: SF_POP  Version 1.0  <Build 1>
            Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
            Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
            Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>
            Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
            Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
 Commencing packet processing (pid=11936)
 Decoding Ethernet
 03/30-22:13:04.167644  [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.0.0.19:63496 -> 10.0.0.17:3306
 03/30-22:13:04.167633  [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.100.64.8:63496 -> 10.7.159.14:3306










_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
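The log quoted in the original post shows the same DROP TABLE hit logged twice, with the same source port 63496 but two different address pairs. The following Python parser is an added illustration for this thread, not code from the poster, from Talos or from Snort: it reads Snort 2.9 "-A console" alert lines, tallies verdicts per SID, and flags any flow that hits one rule under more than one address pair, which usually means Snort inspected the same packet at two points in the path and is worth checking before concluding that the drop verdict itself is failing. The alert text is a constructed sample in the post's format.

```python
import re
from collections import defaultdict

# Constructed sample in the "-A console" format of the original post's log: two [Drop]
# hits for one flow under two address pairs, plus one alert with no verdict tag.
SAMPLE_ALERTS = """\
03/30-22:13:04.167644  [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.0.0.19:63496 -> 10.0.0.17:3306
03/30-22:13:04.167633  [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.100.64.8:63496 -> 10.7.159.14:3306
03/30-22:13:05.000100  [**] [1:2015052203:0] Block SQL Command : CREATE TABLE [**] [Priority: 0] {TCP} 10.0.0.19:63497 -> 10.0.0.17:3306
"""

# Snort 2.9 console alert line; the [Verdict] and [Classification] fields are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<verdict>[A-Za-z]+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_alerts(text):
    """Return one dict per well-formed alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def verdict_counts(alerts):
    """Tally verdicts per SID; lines without a [Verdict] tag count as 'alert'."""
    counts = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        counts[a["sid"]][a["verdict"] or "alert"] += 1
    return {sid: dict(v) for sid, v in counts.items()}

def flows_seen_twice(alerts):
    """Flows (proto, sport, dport, sid) that hit the same rule under more than one
    (src, dst) address pair, which usually means one packet was inspected twice."""
    pairs = defaultdict(list)
    for a in alerts:
        key = (a["proto"], a["sport"], a["dport"], a["sid"])
        pair = (a["src"], a["dst"])
        if pair not in pairs[key]:
            pairs[key].append(pair)
    return {k: v for k, v in pairs.items() if len(v) > 1}

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(verdict_counts(alerts), flows_seen_twice(alerts))
```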
