Snort mailing list archives

RE: UDP packet supposedly DROPped, but seen by snort anyway


From: Jan Ploski <jpljpl () gmx de>
Date: Thu, 24 Oct 2002 18:41:34 +0200 (CEST)

On Thu, Oct 24, 2002 at 11:23:35AM -0500, Matt Yackley wrote:
Jan, it sounds like you are running Snort on the iptables box, AFAIK libpcap
grabs the packet when it hits the NIC, iptables is rejecting the packet but
that happens at a higher level than libpcap & snort work at.
Others here will expand more but my guess as to why the TCP is not picked up
by snort is due to the way the rules are written and the way TCP connections
are handled.  Most rules for TCP type connections will require a 3-way
handshake to be completed before something like a cmd.exe attempt is sent.
If this type of connection is blocked at the start it never gets to the
point of sending a packet that triggers the rule.  This UDP rule will
trigger with the first packet sent since it does not need a 3-way handshake
to be completed.

Anyway, that is my quick stab at this, everyone else please feel free to
correct me where I am wrong :)

Matt,

you are entirely correct, and I have also received similar suggestions
from other people on this list via private email (thanks again!).
The TCP SYN packet used to establish a connection indeed makes it
through to snort, much like the UDP packet. Too bad I did not check
this before posting... :-(

As someone else suggested: "write a pass rule for it or you can
use a bpf filter (not udp port 161) to ignore the traffic". This is
indeed a good solution, as I know that port 161 is closed on the
monitored box.

Best regards -
Jan Ploski
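As an added illustration of what Matt and Jan conclude above (my own toy model, not code from this thread or from Snort): a UDP rule fires on the very first datagram libpcap hands over, a TCP rule that requires an established flow never fires on a SYN that iptables then blocks, and either a pass rule or the `not udp port 161` capture filter keeps the SNMP probes out of the alerts. `Packet`, `Rule` and `detect` are simplified stand-ins for Snort's own structures, and the traffic and rules are constructed.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                  # "udp" or "tcp"
    dport: int
    established: bool = False   # True only once the 3-way handshake has completed
    payload: bytes = b""

@dataclass
class Rule:
    action: str                 # "alert" or "pass"
    proto: str
    dport: int
    msg: str
    flow_established: bool = False   # stands in for Snort's flow:established option
    content: bytes = b""             # stands in for Snort's content option
    def matches(self, pkt):
        return ((pkt.proto, pkt.dport) == (self.proto, self.dport)
                and (pkt.established or not self.flow_established)
                and self.content in pkt.payload)   # b"" is found in any payload
def bpf_not_udp_port(port):
    # Model of the capture filter 'not udp port <port>': rejected packets never reach Snort.
    return lambda pkt: not (pkt.proto == "udp" and pkt.dport == port)
def detect(packets, rules, bpf=None, pass_first=False):
    # First matching rule decides; alert rules before pass rules unless pass_first (Snort's -o order).
    first = "pass" if pass_first else "alert"
    alerts = []
    for pkt in packets:
        if bpf is not None and not bpf(pkt):
            continue            # filtered in libpcap, so Snort never sees it
        for rule in sorted(rules, key=lambda r: r.action != first):
            if rule.matches(pkt):
                if rule.action == "alert":
                    alerts.append(rule.msg)
                break
    return alerts

# Constructed traffic: the SNMP probe iptables drops, the bare SYN that reaches libpcap anyway, and a completed connection for contrast.
PACKETS = [
    Packet("udp", 161, payload=b"\x30\x26\x02\x01\x00"),
    Packet("tcp", 80),
    Packet("tcp", 80, established=True, payload=b"GET /cmd.exe HTTP/1.0\r\n"),
]
RULES = [
    Rule("alert", "udp", 161, "SNMP request udp"),
    Rule("alert", "tcp", 80, "WEB-IIS cmd.exe access", flow_established=True, content=b"cmd.exe"),
    Rule("pass", "udp", 161, "ignore SNMP to the closed port"),
]
```

With alert rules tried first the pass rule never gets a chance, which is why the pass-first order (or the capture filter) is what actually silences the UDP alert in this model.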


