Snort mailing list archives

Re: snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop


From: Y M <snort () outlook com>
Date: Sun, 18 Aug 2013 18:57:35 +0000

What is the order of your rules processing? In our setup we kept our processing order intact. Try using sid:384 (that's 
what I meant originally).

From: rgreenhouse413 () gmail com
To: rgreenhouse413 () gmail com; snort-users () lists sourceforge net; snort () outlook com
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is 
set to drop
Date: Fri, 16 Aug 2013 17:20:03 -0400
YM,
 
YM>If you run snort in inline mode with the same setup you have, do you 
see packets passing through and alerts are being generated for your rule? 
RG> Yes
 
YM>Have you changed rules processing order?
RG>Yes
 
YM>Please post the command you are using to run Snort and the rule you 
are using for testing drops.
RG>/snort/bin/ssnort -Q -c /snort/etc/ssnort.conf -d --daq afpacket 
--daq-mode inline --daq-dir /snort/daq/lib64/daq -l /snort/logs -i eth0:eth1 
--daq-var buffer_size_mb=512 --daq-var debug &

Test rule:
 
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address 
Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; 
classtype:misc-activity; sid:389; rev:10;)
 
Thanks for all your help, hopefully you can guide us to the bottom of this 
critical problem.
 
Thanks,
Richard
From: Y M 
Sent: Friday, August 16, 2013 3:21 PM
To: Robert Greenhouse ; snort-users () lists sourceforge net 

Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline 
mode snort fails to drop packets even when RULE is set to drop
 


Sorry for the 
noise, I meant if you run Snort in passive mode with the same setup you 
have.


From: Y M
Sent: 8/16/2013 9:53 PM
To: Robert Greenhouse; snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

If I recall, --enable-inline has been deprecated for a while now, not 
sure since which Snort version; a warning should have been shown during compilation. 
But I do not think that this would affect operating in inline mode now.
 
If you run snort in inline mode with the same setup you have, do 
you see packets passing through and alerts are being generated for your rule? 

 
Have you changed rules processing order?
 
Please post the command you are using to run Snort and the rule you 
are using for testing drops.

From: rgreenhouse413 () gmail com
To: snort () outlook com; rgreenhouse413 () gmail com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
Date: Fri, 16 Aug 2013 14:08:01 -0400

YM,
 
Available DAQ modules:
pcap(v3): readback live multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
 
We also changed the command line to -Q -c; we removed the forward rules from 
the iptables and used icmp sid:389 in a Drop mode.
Snort is still not blocking?
 
Can you please help us solve this critical issue.
 
BTW Snort was compiled with --enable-inline
 
Thanks,
Richard

From: Y M
Sent: Friday, August 16, 2013 12:05 PM
To: Robert Greenhouse ; snort-users () lists sourceforge net 

Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline 
mode snort fails to drop packets even when RULE is set to drop
If you run /snort/bin/snort --daq-list what 
is the output of the command?

What does your command look like after the changes? I 
would also separate the "-Qc" such as "-Q -c". -Q forces Snort into inline 
mode.


What rules are you using to see that you are actually dropping? I would start 
with one simple rule such as sid:389, converting it to drop, and test if you 
drop icmp. 


afpacket does not rely on iptables to drop 
packets. If you remove the forward rules from your iptables and test, what 
happens? We use afpacket and did not configure the iptables the way you 
did.


A helpful post on the VRT blog: http://vrt-blog.snort.org/2010/08/snort-29-essentials-daq.html


p.s.: please post to the list as it is of 
everyone's interest :)


Thanks.
YM

 


From: rgreenhouse413 () gmail com
To: snort () outlook com; rgreenhouse413 () gmail com
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
Date: Fri, 16 Aug 2013 10:25:30 -0400

Thank you for your response.
I removed "--treat-drop-as-alert", but we are 
still not blocking?
Can you suggest any other 
action I can take?
 
Thanks,
Richard

From: Y M
Sent: Thursday, August 15, 2013 6:36 PM
To: Robert Greenhouse 
Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline 
mode snort fails to drop packets even when RULE is set to drop
 

I see from the command that you are using "--treat-drop-as-alert", is there 
a reason for that? Have a look at the last table on http://manual.snort.org/node11.html from Snort's online 
documentation: 

Adapter Mode | Snort args               | config policy_mode | Drop Rule Handling
Inline       | -Q --treat-drop-as-alert | inline             | Alert
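As an added example (not code from the list or from the Snort project), the checks made in this thread written as a small audit: the bundled "-Qc" is split so "-Q" is visible, "--daq-mode inline", "--treat-drop-as-alert", "config policy_mode" and the rule action are each examined, and every reason the drop could be demoted to an alert is reported. The sample command line, config excerpt and rule are constructed to resemble the ones posted above; the function names are mine.

```python
import re
import shlex

# Constructed sample inputs, modelled on the command line, config line and
# rule posted in the thread (not copied verbatim from the list).
CMDLINE = ("/snort/bin/snort -Qc /snort/etc/snort.conf -d --treat-drop-as-alert "
           "--daq afpacket --daq-mode inline --daq-dir /snort/daq/lib64/daq "
           "-l /snort/logs -i eth0:eth1 --daq-var buffer_size_mb=512")
SNORT_CONF = ["# constructed snort.conf excerpt", "config policy_mode:inline"]
TEST_RULE = ('drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP '
             'Address Mask Request undefined code"; icode:>0; itype:17; sid:389; rev:10;)')


def expand_short_flags(args):
    """Split bundled single-dash options such as '-Qc' into '-Q', '-c'."""
    out = []
    for arg in args:
        if re.fullmatch(r"-[A-Za-z]{2,}", arg):
            out.extend("-" + ch for ch in arg[1:])
        else:
            out.append(arg)
    return out


def option_value(args, name):
    """Value following a long option, or None if the option is absent."""
    if name in args and args.index(name) + 1 < len(args):
        return args[args.index(name) + 1]
    return None


def audit_inline_drop(cmdline, conf_lines, rule):
    """Return the reasons a drop rule would not block, in check order; [] if none."""
    args = expand_short_flags(shlex.split(cmdline))
    problems = []
    if "-Q" not in args:
        problems.append("missing -Q: Snort is not forced into inline mode")
    if option_value(args, "--daq-mode") != "inline":
        problems.append("--daq-mode is not inline: the DAQ cannot veto packets")
    if "--treat-drop-as-alert" in args:
        problems.append("--treat-drop-as-alert present: drop rules are handled as alerts")
    # Last policy_mode line wins, as later config lines override earlier ones.
    modes = [m.group(1) for line in conf_lines
             for m in [re.match(r"\s*config\s+policy_mode\s*:\s*(\w+)", line)] if m]
    if modes[-1:] != ["inline"]:
        problems.append("config policy_mode is not inline in snort.conf")
    action = rule.split(None, 1)[0].lower()
    if action not in ("drop", "sdrop", "reject"):
        problems.append(f"rule action is '{action}', not a blocking action")
    return problems
```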

From: rgreenhouse413 () gmail com
To: snort () outlook com
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop
Date: Thu, 15 Aug 2013 18:28:12 -0400

Thanks, Much appreciated. 
I have done what you suggested, but I am still not blocking. Here is the 
command line:
 
/snort/bin/snort -Qc /snort/etc/snort.conf -d --treat-drop-as-alert --daq 
afpacket --daq-mode inline --daq-dir /snort/daq/lib64/daq -l /snort/logs 
-i eth0:eth1 --daq-var buffer_size_mb=512 --daq-var debug &
 
Here is our iptables:
 
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT
 
And I have modified snort.conf to include:
 
config policy_mode:inline
 
Your help is much appreciated..
 
Thanks,
Richard

From: Y M
Sent: Thursday, August 15, 2013 5:16 PM
To: Robert Greenhouse ; snort-users () lists sourceforge net 

Subject: RE: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline 
mode snort fails to drop packets even when RULE is set to drop
Sorry I missed that --> you also need to add the -Q to your 
command.

To: rgreenhouse413 () gmail com; snort-users () lists sourceforge net
From: snort () outlook com
Date: Fri, 16 Aug 2013 00:08:55 +0300
Subject: Re: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

Does adding 
--daq-mode inline to your command and config policy_mode:inline to your snort 
configuration file change the behavior?

From: Robert Greenhouse
Sent: 8/15/2013 11:45 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets even when RULE is set to drop

Hi,
snort-2.9.4, daq 2.0.1 afpacket in inline mode snort fails to drop packets 
even when RULE is set to drop?
We have our system setup to inline mode using afpacket (./snort --daq 
afpacket -i eth0:eth1).
 
Also have iptables configured to: 
 
iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT
 
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Why doesn’t snort drop the packet when the rule fires?
 
This is a major problem
 
Thanks,
Richard
 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
