Snort mailing list archives
RE: UDP packet supposedly DROPped, but seen by snort anyway
From: Matt Yackley <Matt.Yackley () perkinswill com>
Date: Thu, 24 Oct 2002 11:23:35 -0500
Jan, it sounds like you are running Snort on the iptables box. AFAIK libpcap grabs the packet when it hits the NIC; iptables is rejecting the packet, but that happens at a higher level than libpcap & snort work at.

Others here will expand more, but my guess as to why the TCP is not picked up by snort is due to the way the rules are written and the way TCP connections are handled. Most rules for TCP type connections will require a 3-way handshake to be completed before something like a cmd.exe attempt is sent. If this type of connection is blocked at the start, it never gets to the point of sending a packet that triggers the rule. This UDP rule will trigger with the first packet sent since it does not need a 3-way handshake to be completed.

Anyway, that is my quick stab at this, everyone else please feel free to correct me where I am wrong :)

Matt

-----Original Message-----
From: Jan Ploski [mailto:jpljpl () gmx de]
Sent: Thursday, October 24, 2002 10:23 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] UDP packet supposedly DROPped, but seen by snort anyway

Hello,

I have the following rule in my Linux iptables configuration:

    iptables -A block -m state --state NEW -p udp --dport 161 -j DROP

Basically, I want to ignore any traffic to UDP port 161. This rule seems to work okay, i.e. it fires when a packet is sent to the said port and the packet is never received by the process listening on that port. However, when I run snort in sniffer mode, I can see the packet coming. It also triggers an alert (false positive in this case) according to configured snort rules.

My question is, why can this UDP packet, supposedly already dropped by the firewall, be sniffed at? This is not the case for any TCP packets that have been DROPped.

Best regards -
Jan Ploski
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
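The practical consequence of Matt's explanation is that, when Snort runs on the firewall host itself, libpcap hands it every packet that arrives on the NIC, including the UDP/161 datagrams that netfilter drops a moment later, so the sniffer cannot tell you on its own whether a packet ever reached a listening process. One way to answer that question for triage is to correlate Snort's alert log with the firewall's own record of what it dropped. The script below is an added example written for this thread, not code from either poster or from the Snort project. It assumes Snort's "fast" alert format (one alert per line with `{PROTO} src:port -> dst:port` at the end) and it assumes a `-j LOG --log-prefix "IPT-DROP: "` rule placed immediately before Jan's `-j DROP` rule, which the original post does not have; the alert lines, kernel log lines, signature ids and addresses are all constructed sample data.

```python
import re

# Constructed sample Snort "fast" alert lines. The [1:0:0] sid and the message
# text are placeholders, not real Snort rule identifiers.
SNORT_ALERTS = """\
10/24-10:22:51.102345 [**] [1:0:0] CONSTRUCTED snmp udp alert [**] [Priority: 2] {UDP} 192.0.2.10:1030 -> 192.0.2.1:161
10/24-10:22:53.558210 [**] [1:0:0] CONSTRUCTED web cmd.exe alert [**] [Priority: 1] {TCP} 192.0.2.10:3301 -> 192.0.2.1:80
"""

# Constructed sample kernel messages from an assumed iptables LOG rule with
# prefix "IPT-DROP: " placed before the DROP rule (not part of Jan's config).
# The first entry is the UDP/161 datagram Snort alerted on; the second is an
# unrelated TCP SYN that was dropped before any payload could be sent.
IPTABLES_LOG = """\
Oct 24 10:22:51 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=1030 DPT=161 LEN=58
Oct 24 10:22:52 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=3300 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

SNORT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+ \[\*\*\] "
    r"\[[^\]]+\] (?P<msg>.*?) \[\*\*\] .*\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
IPT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<prefix>\S+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\w+) "
    r"SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def _seconds(month: int, day: int, hms: str) -> int:
    """Neither log carries a year, so use a coarse monotonic ordinal that is
    consistent for both sources: month*31 + day, then seconds of the day."""
    h, m, s = (int(x) for x in hms.split(":"))
    return (month * 31 + day) * 86400 + h * 3600 + m * 60 + s


def parse_snort(text: str) -> list:
    """Parse fast-format alerts into (flow 5-tuple, time, message) records."""
    events = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue  # skip lines that are not fast-format alerts
        events.append({
            "msg": m["msg"],
            "key": (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
            "t": _seconds(int(m["mon"]), int(m["day"]), m["time"]),
        })
    return events


def parse_iptables_drops(text: str, prefix: str = "IPT-DROP:") -> list:
    """Parse kernel LOG lines carrying the assumed drop prefix into flow records."""
    drops = []
    for line in text.splitlines():
        m = IPT_RE.match(line)
        if not m or m["prefix"] != prefix:
            continue  # only lines logged by the rule in front of the DROP count
        drops.append({
            "key": (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])),
            "t": _seconds(MONTHS[m["mon"]], int(m["day"]), m["time"]),
        })
    return drops


def correlate(snort_text: str, ipt_text: str, window: int = 2) -> list:
    """Mark each Snort alert as dropped_by_firewall when the same 5-tuple was
    logged by the DROP rule within `window` seconds (syslog has 1 s resolution,
    so a small tolerance is needed against Snort's microsecond timestamps)."""
    drops = parse_iptables_drops(ipt_text)
    results = []
    for ev in parse_snort(snort_text):
        dropped = any(d["key"] == ev["key"] and abs(d["t"] - ev["t"]) <= window
                      for d in drops)
        results.append({"msg": ev["msg"], "flow": ev["key"],
                        "dropped_by_firewall": dropped})
    return results


if __name__ == "__main__":
    for r in correlate(SNORT_ALERTS, IPTABLES_LOG):
        status = "dropped by iptables" if r["dropped_by_firewall"] else "reached host"
        print(f"{status:20s} {r['flow']}  {r['msg']}")
```

Running it on the constructed data marks the UDP/161 alert as "dropped by iptables" (the same 5-tuple appears in the firewall log within the window), while the TCP alert, whose source port 3301 never shows up in a drop record, is reported as having reached the host. The TCP SYN that was dropped (source port 3300) produces no Snort alert at all, which is Matt's point: a content rule that needs a completed handshake never fires for a connection blocked at the first packet, whereas a single UDP datagram is enough to match a UDP rule. The matching key is the full 5-tuple rather than just the destination port so that a legitimate later session to the same service is not mistaken for the dropped one.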
Current thread:
- RE: UDP packet supposedly DROPped, but seen by snort anyway Matt Yackley (Oct 24)