Snort mailing list archives

RE: UDP packet supposedly DROPped, but seen by snort anyway


From: Matt Yackley <Matt.Yackley () perkinswill com>
Date: Thu, 24 Oct 2002 11:23:35 -0500

Jan, it sounds like you are running Snort on the iptables box. AFAIK libpcap
grabs the packet when it hits the NIC; iptables is rejecting the packet, but
that happens at a higher level than libpcap & snort work at.
Others here will expand more, but my guess as to why the TCP is not picked up
by snort is due to the way the rules are written and the way TCP connections
are handled.  Most rules for TCP type connections will require a 3-way
handshake to be completed before something like a cmd.exe attempt is sent.
If this type of connection is blocked at the start it never gets to the
point of sending a packet that triggers the rule.  This UDP rule will
trigger with the first packet sent since it does not need a 3-way handshake
to be completed.

Anyway, that is my quick stab at this, everyone else please feel free to
correct me where I am wrong :)

Matt

-----Original Message-----
From: Jan Ploski [mailto:jpljpl () gmx de]
Sent: Thursday, October 24, 2002 10:23 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] UDP packet supposedly DROPped, but seen by snort
anyway


Hello,

I have the following rule in my Linux iptables configuration:

iptables -A block -m state --state NEW -p udp --dport 161 -j DROP

Basically, I want to ignore any traffic to UDP port 161. This rule
seems to work okay, i.e. it fires when a packet is sent to the said
port and the packet is never received by the process listening on
that port.

However, when I run snort in sniffer mode, I can see the packet
coming. It also triggers an alert (false positive in this case)
according to configured snort rules.

My question is, why can this UDP packet, supposedly already dropped
by the firewall, be sniffed? This is not the case for any TCP
packets that have been DROPped.

Best regards -
Jan Ploski



-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ad.doubleclick.net/clk;4729346;7592162;s?http://www.sun.com/javavote
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

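An added illustration of the two points made in this thread (this is example code written for the archive page, not Snort's code and not from either poster): a toy sensor that taps packets before a modelled iptables `-m state --state NEW ... -j DROP` rule, plus a minimal TCP flow tracker that gates a content rule on a completed handshake, the way a Snort rule with `flow:established` does. The rule set, packet records, addresses and the `skip_udp161` pre-filter are all constructed for the example; the pre-filter stands in for a BPF expression handed to the sniffer so that traffic the firewall will drop anyway is never inspected, which is the usual way to silence exactly this kind of false positive.

```python
"""Toy model of a sniffing sensor sitting in front of a stateful firewall.

Constructed for illustration; not Snort code.  Shows why a UDP rule fires on a
datagram that iptables then DROPs, while a TCP rule that needs an established
session never fires when the SYN is dropped (no handshake, no payload).
"""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass
class Rule:
    msg: str
    proto: str
    dport: int
    content: bytes = b""
    established: bool = False   # plays the role of Snort's flow:established


# Constructed rules shaped like the two cases in the thread (not Snort's ruleset).
RULES = [
    Rule("SNMP request udp", "udp", 161),
    Rule("WEB-IIS cmd.exe access", "tcp", 80, content=b"cmd.exe", established=True),
]

SERVER, CLIENT = "10.0.0.5", "192.0.2.77"   # constructed addresses


def firewall_drops(p: Packet, blocked: set) -> bool:
    """Model of '-m state --state NEW -p <proto> --dport <port> -j DROP'.

    A UDP datagram with no prior flow, or a bare TCP SYN, is the NEW packet.
    """
    is_new = p.proto == "udp" or p.flags == "S"
    return is_new and (p.proto, p.dport) in blocked


class FlowTracker:
    """Minimal TCP tracking: SYN -> SYN/ACK -> ACK marks a flow established."""

    def __init__(self):
        self.state = {}

    def update(self, p: Packet) -> bool:
        if p.proto != "tcp":
            return False
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "S" in p.flags and "A" not in p.flags:
            self.state[fwd] = "syn"
        elif p.flags == "SA" and self.state.get(rev) == "syn":
            self.state[rev] = "synack"
        elif "A" in p.flags and self.state.get(fwd) == "synack":
            self.state[fwd] = "established"
        return "established" in (self.state.get(fwd), self.state.get(rev))


def run_sensor(packets, bpf=lambda p: True):
    """Alerts raised by the sensor; `bpf` is a pre-capture filter (default: all)."""
    tracker, alerts = FlowTracker(), []
    for p in packets:
        if not bpf(p):
            continue                      # filtered before the rules ever see it
        established = tracker.update(p)
        for r in RULES:
            if (r.proto, r.dport) != (p.proto, p.dport):
                continue
            if r.established and not established:
                continue                  # handshake never completed
            if r.content and r.content not in p.payload:
                continue
            alerts.append(r.msg)
    return alerts


def wire_traffic(blocked: set):
    """Packets on the NIC, which the sensor sees before netfilter acts on them."""
    pkts = [Packet("udp", CLIENT, 40000, SERVER, 161, payload=b"\x30\x26\x02\x01")]
    syn = Packet("tcp", CLIENT, 40001, SERVER, 80, flags="S")
    pkts.append(syn)
    if firewall_drops(syn, blocked):
        pkts.append(syn)                  # unanswered SYN is simply retransmitted
        return pkts
    pkts += [
        Packet("tcp", SERVER, 80, CLIENT, 40001, flags="SA"),
        Packet("tcp", CLIENT, 40001, SERVER, 80, flags="A"),
        Packet("tcp", CLIENT, 40001, SERVER, 80, flags="PA",
               payload=b"GET /scripts/cmd.exe HTTP/1.0\r\n"),   # constructed probe
    ]
    return pkts


def service_receives(packets, blocked: set):
    """Inbound packets that survive the firewall and reach the listening process."""
    return [p for p in packets if p.dst == SERVER and not firewall_drops(p, blocked)]


def skip_udp161(p: Packet) -> bool:
    """Equivalent of a 'not udp port 161' capture filter."""
    return not (p.proto == "udp" and p.dport == 161)


if __name__ == "__main__":
    blocked = {("udp", 161), ("tcp", 80)}
    pkts = wire_traffic(blocked)
    print("sensor alerts:", run_sensor(pkts))                 # UDP alert despite DROP
    print("service got:", len(service_receives(pkts, blocked)), "packets")
    print("with capture filter:", run_sensor(pkts, bpf=skip_udp161))
```

With both ports blocked the sensor still alerts on the SNMP datagram (it saw the packet at the NIC) while the service receives nothing and the cmd.exe rule stays silent because the SYN never got an answer; unblocking TCP/80 lets the handshake complete and the content rule fire on the fourth packet. The capture filter removes the UDP false positive without touching the rule set.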

