Snort mailing list archives

Re: packet modifications not working


From: Joel Esler <eslerj () gmail com>
Date: Thu, 2 Jun 2005 10:44:25 -0400

you may want to take this over to the snort_inline list.  They may be
able to answer your question more accurately.

Joel

On 5/31/05, eboehnlein () aol com <eboehnlein () aol com> wrote:

Problem: snort_inline modified packets are not being forwarded; instead it
appears the original, unaltered packet is being forwarded. Also, when
dropped-packet rules are triggered, either snort_inline and/or the sending
workstation hangs.
  
Background:
Running Suse linux 9.0 (i586) - Kernel 2.4.30
with patch ebtables-brnf-9_vs_2.4.30.diff
      iptables-1.2.8
      libpcap-0.8.3
      pcre-5.0
      libnet-1.0.2a
      snort-2.3.3
--- snort NID with the above configuration works at this point: rules are
triggered and events are logged --- then include the following ---
  
      iptables-1.3.1
      bridge-utils-1.0.4
      snort_inline-2.3.0-RC1
      bridge script to define bridge [eth1+eth2]=br0
            ## clear iptables
            $IPTABLES -F
            $IPTABLES -A FORWARD -j QUEUE
            ## turn forwarding off
            $ECHO 0 > /proc/sys/net/ipv4/ip_forward
      The ip queue module is loaded by executing:
            insmod ip_queue

Start snort
  >snort_inline -v -Q -c /etc/snort_inline/snort_inline.conf
  
--- at this point snort_inline is active and traffic is passing through the
bridge in both directions -- alerts are logged -- replace and drop are not
working but actions are logged ++
----------------------------------------------------- 
Snort Rules Are defined to trigger on a HTTP query from a network:
      + Alert when any HTTP traffic is sent from workstation segment --
successfully alerts and logs.
      + Alert and replace content when a specific word is being used --
successfully alerts and logs.
     
Symptoms: [Verified using traces and dumps]
     + all unaltered traffic flows both ways over the bridge
     + snort_inline alert rules are triggered and logged - (using content
rules)
     + snort_inline alert/replace rules are triggered and logged; however,
it appears that it is the original (unaltered) packet that is being forwarded.
  
I suspect that snort_inline (via libnet) is not handling the modified packet
correctly. I have recompiled and reconfigured the kernel and all the
software several times with no apparent errors being generated. 
Any thoughts how to proceed from here? 
  
Ed
-- 
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
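The bridge script and iptables QUEUE setup that Ed's message only sketches, written out as a complete, reviewable script. This is an added example and not code from the thread or from the snort_inline project; the interface names (eth1, eth2, br0), tool paths, the use of modprobe instead of insmod, and the assumed output formats of `iptables -L FORWARD -n` and `lsmod` are all assumptions. It defaults to a dry run that prints the command sequence, and includes the post-setup checks a practitioner would run before trusting the inline path: that the FORWARD chain actually hands frames to QUEUE (bridged frames only reach iptables because of the bridge-netfilter patch listed in the message), that ip_queue is loaded, and that IPv4 forwarding is off so the box bridges at layer 2 rather than routing.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the eth1+eth2 -> br0 bridge
# and the FORWARD -> QUEUE rule that the message sketches, then checks the
# resulting state. Interface/bridge names, tool paths and the output formats
# of `iptables -L` and `lsmod` are assumptions.
set -u

BR="${BR:-br0}"
IF1="${IF1:-eth1}"
IF2="${IF2:-eth2}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
BRCTL="${BRCTL:-/sbin/brctl}"
IFCONFIG="${IFCONFIG:-/sbin/ifconfig}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; set to 0 to apply as root

# Run a command, or print it verbatim when DRY_RUN=1 so the sequence can be reviewed.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the bridge and netfilter setup, in the order it must happen:
# bridge first, then the queue module, then flush and install the QUEUE rule.
setup_inline_bridge() {
    run "$BRCTL" addbr "$BR"
    run "$BRCTL" addif "$BR" "$IF1"
    run "$BRCTL" addif "$BR" "$IF2"
    run "$IFCONFIG" "$IF1" 0.0.0.0 up     # bridge ports carry no IP address
    run "$IFCONFIG" "$IF2" 0.0.0.0 up
    run "$IFCONFIG" "$BR" up
    run modprobe ip_queue                 # assumption: modprobe rather than insmod
    run "$IPTABLES" -F
    run "$IPTABLES" -A FORWARD -j QUEUE   # every bridged frame goes to userspace
    # Bridging is layer 2; keep IPv4 forwarding off so the host never routes.
    run sh -c "echo 0 > /proc/sys/net/ipv4/ip_forward"
}

# Return 0 if an `iptables -L FORWARD -n` listing on stdin contains a QUEUE target.
forward_has_queue() {
    grep -q '^QUEUE[[:space:]]'
}

# Return 0 if `lsmod` output on stdin shows ip_queue loaded.
ip_queue_loaded() {
    grep -q '^ip_queue[[:space:]]'
}

# Live checks for a box where the setup has been applied (requires root).
verify_inline_path() {
    "$IPTABLES" -L FORWARD -n | forward_has_queue \
        || { echo "no QUEUE target in FORWARD chain"; return 1; }
    lsmod | ip_queue_loaded \
        || { echo "ip_queue module is not loaded"; return 1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "0" ] \
        || { echo "ip_forward is on; host would route instead of bridge"; return 1; }
    echo "inline path looks correct"
}

# Usage: DRY_RUN=1 ./inline_bridge.sh   (review the commands)
#        DRY_RUN=0 ./inline_bridge.sh && DRY_RUN=0 verify   (apply as root, then check)
if [ "${1:-}" = "verify" ]; then
    verify_inline_path
else
    setup_inline_bridge
fi
```

Run it once with the default dry run and read the printed sequence; `iptables -F` must appear before the `-A FORWARD -j QUEUE` line, or the flush would silently remove the rule that diverts traffic to snort_inline. After applying as root, `verify` confirms the three conditions above before snort_inline is started with `-Q`.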