Snort mailing list archives
Re: Multiple IPS action plugin problem
From: Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Date: Tue, 8 Sep 2020 07:00:34 +0300
Hello Russ,
Details are below:
Some related lines of the snort boot messages that contain the module load order:
--------------------------------------------------
o")~ Snort++ 3.0.1-5
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading file_magic.lua:
Finished file_magic.lua:
ssh
hosts
host_cache
pop
so_proxy
stream_tcp
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
alert_json
ips
search_engine
classifications
latency
binder
wizard
ftp_data
dce_smb
smtp
port_scan
dce_http_server
dce_tcp
telnet
ssl
sip
rpc_decode
modbus
http2_inspect
host_tracker
http_inspect
stream_ip
back_orifice
rate_filter
appid
modifypacket_3
modifypacket_1
modifypacket_2
process
dnp3
active
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
network
trace
dns
dce_udp
imap
Finished /usr/local/etc/snort/snort.lua:
Loading ips.rules:
...
As you see above, modifypacket_2 is registered last among the .so actions.
I have added fprintf lines in each function in the module for debugging and
gathering the call history.
My ruleset (there is only a single rule):
modifypacket_1 icmp any any -> any any (msg:"icmp modify test"; sid:123456;)
All actions are set to Action::ALERT in the ActionApi struct in
modifypacket_1.so, modifypacket_2.so and modifypacket_3.so.
Matching rules are logged in the alert_json file. But the action is allow.
{ "seconds" : 1599452359, "proto" : "ICMP", "pkt_gen" : "raw", "dir" :
"C2S", "src_ap" : "192.168.58.100:0", "dst_ap" : "205.185.216.42:0", "rule"
: "1:123456:0", "msg" : "icmp modify test", "action" : "allow" }
Debug Log output:
mod_ctor: modifypacket_1
mod_ctor: modifypacket_2
mod_ctor: modifypacket_3
modifypacket3_act_ctor module_name: modifypacket_3 name: modifypacket_3
ModifyPacket3_Action::ModifyPacket_Action- act_name: modifypacket_3
modifypacket1_act_ctor module_name: modifypacket_1 name: modifypacket_1
ModifyPacket1_Action::ModifyPacket_Action- act_name: modifypacket_1
modifypacket2_act_ctor module_name: modifypacket_2 name: modifypacket_2
ModifyPacket2_Action::ModifyPacket_Action- act_name: modifypacket_2
ModifyPacket2_Action::exec - name: modifypacket_2
ModifyPacket2_Action::exec - name: modifypacket_2
ModifyPacket2_Action::exec - name: modifypacket_2
ModifyPacket2_Action::exec - name: modifypacket_2
...
...
As you see above, the rule action is modifypacket_1 and there is no rule for
modifypacket_2. But modifypacket_2's exec is called.
In brief, the last loaded .so module's exec method is called for all
modifypacket_1, modifypacket_2 and modifypacket_3 rule actions.
I think there is something wrong in the ActionManager::instantiate method. But
I'm not sure.
My guess is that while registering plugin actions, instance pointers are
overwritten somewhere.
Thanks
Özkan
On Tue, Sep 8, 2020 at 1:40 AM Russ Combs (rucombs) <rucombs () cisco com>
wrote:
Hi,
A rule has exactly one action. Did you configure a rule for each of your action types? If those rules are set to alert, do they alert?
Russ
________________________________________
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Sent: Sunday, September 6, 2020 11:31 PM
To: snort-devel () lists snort org
Subject: [Snort-devel] Multiple IPS action plugin problem
Hello,
I developed 3 example ips_action plugins using the snort3_extra repository (i.e. modifypacket_1, modifypacket_2, modifypacket_3).
In the /usr/local/etc/snort/plugins folder:
- When a single .so file exists, the plugin works perfectly.
- When all 3 .so files exist, only the last registered one is triggered for modifypacket_1, modifypacket_2 and modifypacket_3 rules.
# snort --plugin-path /usr/local/etc/snort/plugins --list-plugins | grep ips_action
ips_action::modifypacket_1 v0 /usr/local/etc/snort/plugins/act_modifypacket_1.so
ips_action::modifypacket_2 v0 /usr/local/etc/snort/plugins/act_modifypacket_2.so
ips_action::modifypacket_3 v0 /usr/local/etc/snort/plugins/act_modifypacket_3.so
ips_action::react v0 static
ips_action::reject v0 static
ips_action::rewrite v0 static
For debugging, I put log messages in the mod_ctor and action_ctor functions. In the logs, all 3 mod_ctor and action_ctor functions are called. But only the last registered .so file's Action::exec(Packet* p) method is called for all the modifypacket_1, modifypacket_2, modifypacket_3 actions.
There are no common method and class names (except the snort_plugins[] variable) across all .so files.
I couldn't find where the bug is and how the other actions are related to one Action::exec method.
Can you help to resolve this problem?
Regards
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
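The thread does not establish where the dispatch goes wrong, so the following is an added model, written for this archive page and not taken from Snort's ActionManager or from the modifypacket_* plugins in the post. It reproduces the symptom the post describes (three distinct action classes, registration order 3, 1, 2 as in the boot log, and every ICMP rule ending up in the last registered exec()) by contrasting a registry keyed by the rule's action name with a registry that keeps only one shared instance. Every class, function and field name below (IpsAction, ActionApi, KeyedActionManager, SingleSlotActionManager, Rule, fire) is a hypothetical stand-in, not the Snort API.

```cpp
// Added example: a model of rule-action dispatch, not Snort's ActionManager
// and not the modifypacket_* plugins from this thread. All class, function
// and field names here are hypothetical stand-ins.
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Packet { std::string proto; };          // stand-in for snort::Packet

struct IpsAction {                              // stand-in for snort::IpsAction
    virtual ~IpsAction() = default;
    virtual std::string exec(Packet&) = 0;      // returns the name of the exec that ran
};

// Three separate "plugins": distinct classes, nothing shared but the interface.
struct ModifyPacket1Action : IpsAction { std::string exec(Packet&) override { return "modifypacket_1"; } };
struct ModifyPacket2Action : IpsAction { std::string exec(Packet&) override { return "modifypacket_2"; } };
struct ModifyPacket3Action : IpsAction { std::string exec(Packet&) override { return "modifypacket_3"; } };

// Analogue of an ActionApi entry: the registered name plus a constructor.
struct ActionApi {
    const char* name;
    std::unique_ptr<IpsAction> (*ctor)();
};

std::unique_ptr<IpsAction> mp1_ctor() { return std::make_unique<ModifyPacket1Action>(); }
std::unique_ptr<IpsAction> mp2_ctor() { return std::make_unique<ModifyPacket2Action>(); }
std::unique_ptr<IpsAction> mp3_ctor() { return std::make_unique<ModifyPacket3Action>(); }

// Registration order taken from the boot log in the post: 3, then 1, then 2.
static const ActionApi load_order[] = {
    {"modifypacket_3", mp3_ctor},
    {"modifypacket_1", mp1_ctor},
    {"modifypacket_2", mp2_ctor},
};

struct Rule { std::string action; std::string proto; };

// Correct shape: one instance per registered name, looked up by the rule's action.
class KeyedActionManager {
public:
    void instantiate(const ActionApi& api) { actions[api.name] = api.ctor(); }
    std::string dispatch(const Rule& r, Packet& p) const {
        auto it = actions.find(r.action);
        return it == actions.end() ? "no-such-action" : it->second->exec(p);
    }
private:
    std::map<std::string, std::unique_ptr<IpsAction>> actions;
};

// The failure mode described in the post, modelled as a single shared slot:
// each instantiate() overwrites the previous instance, so every rule action
// ends up in the exec() of whichever plugin registered last.
class SingleSlotActionManager {
public:
    void instantiate(const ActionApi& api) { current = api.ctor(); }
    std::string dispatch(const Rule&, Packet& p) const {
        return current ? current->exec(p) : "no-such-action";
    }
private:
    std::unique_ptr<IpsAction> current;
};

// Constructed rule set: one rule per action, all on ICMP, mirroring
// "modifypacket_N icmp any any -> any any".
static const std::vector<Rule> rules = {
    {"modifypacket_1", "ICMP"}, {"modifypacket_2", "ICMP"}, {"modifypacket_3", "ICMP"},
};

template <class Manager>
std::vector<std::string> fire(const std::vector<Rule>& rs) {
    Manager mgr;
    for (const auto& api : load_order) mgr.instantiate(api);
    Packet icmp{"ICMP"};                        // constructed sample packet
    std::vector<std::string> fired;
    for (const auto& r : rs)
        if (r.proto == icmp.proto) fired.push_back(mgr.dispatch(r, icmp));
    return fired;
}

// Named entry points so the behaviour can be asserted rather than just printed.
std::vector<std::string> keyed_result()       { return fire<KeyedActionManager>(rules); }
std::vector<std::string> single_slot_result() { return fire<SingleSlotActionManager>(rules); }

int main() {
    for (const auto& a : keyed_result())       std::cout << "keyed:       " << a << '\n';
    for (const auto& a : single_slot_result()) std::cout << "single slot: " << a << '\n';
    return 0;
}
```

The keyed registry fires modifypacket_1, modifypacket_2 and modifypacket_3 for their own rules; the single-slot registry fires modifypacket_2 three times, which is the pattern in the debug log above. The useful part for a plugin author is the shape of the check: a test that loads all action plugins together, configures one rule per action, and asserts that each rule reaches its own exec(), since a single plugin loaded alone will always pass.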
Current thread:
- Multiple IPS action plugin problem Özkan KIRIK via Snort-devel (Sep 06)
- Re: Multiple IPS action plugin problem Russ Combs (rucombs) via Snort-devel (Sep 07)
- Re: Multiple IPS action plugin problem Özkan KIRIK via Snort-devel (Sep 07)
- Re: Multiple IPS action plugin problem Tso-jie Ng (Sep 10)
- Re: Multiple IPS action plugin problem Özkan KIRIK via Snort-devel (Sep 07)
- Re: Multiple IPS action plugin problem Russ Combs (rucombs) via Snort-devel (Sep 07)
