Snort mailing list archives
Re: Multiple IPS action plugin problem
From: Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Date: Tue, 8 Sep 2020 07:00:34 +0300
Hello Russ,

Details are below.

Some related lines of the snort boot messages that contain the module load order:

    --------------------------------------------------
       o")~   Snort++ 3.0.1-5
    --------------------------------------------------
    Loading /usr/local/etc/snort/snort.lua:
    Loading file_magic.lua:
    Finished file_magic.lua:
    	ssh
    	hosts
    	host_cache
    	pop
    	so_proxy
    	stream_tcp
    	gtp_inspect
    	packets
    	dce_http_proxy
    	stream_icmp
    	normalizer
    	ftp_server
    	stream_udp
    	alert_json
    	ips
    	search_engine
    	classifications
    	latency
    	binder
    	wizard
    	ftp_data
    	dce_smb
    	smtp
    	port_scan
    	dce_http_server
    	dce_tcp
    	telnet
    	ssl
    	sip
    	rpc_decode
    	modbus
    	http2_inspect
    	host_tracker
    	http_inspect
    	stream_ip
    	back_orifice
    	rate_filter
    	appid
    	modifypacket_3
    	modifypacket_1
    	modifypacket_2
    	process
    	dnp3
    	active
    	ftp_client
    	daq
    	decode
    	alerts
    	stream
    	references
    	arp_spoof
    	output
    	network
    	trace
    	dns
    	dce_udp
    	imap
    Finished /usr/local/etc/snort/snort.lua:
    Loading ips.rules:
    ...

As you see above, modifypacket_2 is registered last through the .so actions.

I have added fprintf lines in each function in the module for debugging and gathering the call history.

My ruleset (there is only a single rule):

    modifypacket_1 icmp any any -> any any (msg:"icmp modify test"; sid:123456;)

All actions are set as Action::ALERT in the ActionApi struct in modifypacket_1.so, modifypacket_2.so and modifypacket_3.so.

Matching rules are logged in the alert_json file. But the action is allow.
    { "seconds" : 1599452359, "proto" : "ICMP", "pkt_gen" : "raw", "dir" : "C2S", "src_ap" : "192.168.58.100:0", "dst_ap" : "205.185.216.42:0", "rule" : "1:123456:0", "msg" : "icmp modify test", "action" : "allow" }

Debug log output:

    mod_ctor: modifypacket_1
    mod_ctor: modifypacket_2
    mod_ctor: modifypacket_3
    modifypacket3_act_ctor module_name: modifypacket_3 name: modifypacket_3
    ModifyPacket3_Action::ModifyPacket_Action- act_name: modifypacket_3
    modifypacket1_act_ctor module_name: modifypacket_1 name: modifypacket_1
    ModifyPacket1_Action::ModifyPacket_Action- act_name: modifypacket_1
    modifypacket2_act_ctor module_name: modifypacket_2 name: modifypacket_2
    ModifyPacket2_Action::ModifyPacket_Action- act_name: modifypacket_2
    ModifyPacket2_Action::exec - name: modifypacket_2
    ModifyPacket2_Action::exec - name: modifypacket_2
    ModifyPacket2_Action::exec - name: modifypacket_2
    ModifyPacket2_Action::exec - name: modifypacket_2
    ...
    ...

As you see above, the rule action is modifypacket_1 and there is no rule for modifypacket_2. But modifypacket_2's exec is called.

In brief, the last loaded .so module's exec method is called for all modifypacket_1, modifypacket_2 and modifypacket_3 rule actions.

I think there is something wrong in the ActionManager::instantiate method. But I'm not sure. My guess is that while registering plugin actions, instance pointers are overwritten somewhere.

Thanks
Özkan

On Tue, Sep 8, 2020 at 1:40 AM Russ Combs (rucombs) <rucombs () cisco com> wrote:
Hi,

A rule has exactly one action. Did you configure a rule for each of your action types? If those rules are set to alert, do they alert?

Russ

________________________________________
From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Özkan KIRIK via Snort-devel <snort-devel () lists snort org>
Sent: Sunday, September 6, 2020 11:31 PM
To: snort-devel () lists snort org
Subject: [Snort-devel] Multiple IPS action plugin problem

Hello,

I developed 3 example ips_action plugins using the snort3_extra repository (i.e. modifypacket_1, modifypacket_2, modifypacket_3).

In the /usr/local/etc/snort/plugins folder:

- When a single .so file exists, the plugin works perfectly.
- When all 3 .so files exist, only the last registered one is triggered for the modifypacket_1, modifypacket_2 and modifypacket_3 rules.

    # snort --plugin-path /usr/local/etc/snort/plugins --list-plugins | grep ips_action
    ips_action::modifypacket_1 v0 /usr/local/etc/snort/plugins/act_modifypacket_1.so
    ips_action::modifypacket_2 v0 /usr/local/etc/snort/plugins/act_modifypacket_2.so
    ips_action::modifypacket_3 v0 /usr/local/etc/snort/plugins/act_modifypacket_3.so
    ips_action::react v0 static
    ips_action::reject v0 static
    ips_action::rewrite v0 static

For debugging, I put log messages into the mod_ctor and action_ctor functions. In the logs, all 3 mod_ctor and action_ctor functions are called. But only the last registered .so file's Action::exec(Packet* p) method is called for all the modifypacket_1, modifypacket_2, modifypacket_3 actions.

There are no common method and class names (except the snort_plugins[] variable) across all .so files.

I couldn't find where the bug is and how the other actions are related to one Action::exec method.

Can you help to resolve this problem?

Regards
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
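The following is an added illustration, not code from Snort or the snort3_extra plugins discussed in this thread. It models, in plain C++, the dispatch bug Özkan hypothesizes (a registry that keeps one shared instance pointer, so the last loaded action plugin's exec runs for every rule) next to a registry keyed by action name, which is what lets a rule's own action run. BrokenRegistry, KeyedRegistry and the Action stand-in are hypothetical; the load order modifypacket_3, modifypacket_1, modifypacket_2 is taken from the boot messages quoted above. Whether Snort's actual ActionManager behaved this way is not confirmed by the thread.

```cpp
// Added example (not Snort's code): two toy action registries that differ only
// in how they look up the instance for a rule's action name.
#include <iostream>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for an IPS action plugin instance: it has a name and an
// exec(); exec() returns the name so callers can see which instance ran.
struct Action {
    std::string name;
    explicit Action(std::string n) : name(std::move(n)) {}
    std::string exec() const { return name; }
};

// Hypothetical buggy registry: every instantiate() overwrites one shared
// pointer, so whichever plugin was loaded last handles all rule actions.
struct BrokenRegistry {
    std::vector<std::unique_ptr<Action>> owned;  // keeps every instance alive
    Action* current = nullptr;                   // the single overwritten slot

    void instantiate(const std::string& n) {
        owned.push_back(std::make_unique<Action>(n));
        current = owned.back().get();  // last registration wins
    }
    std::string run(const std::string& rule_action) const {
        (void)rule_action;  // the rule's action name is never consulted
        return current ? current->exec() : std::string();
    }
};

// Hypothetical correct registry: instances are keyed by their action name, so
// a rule whose action is modifypacket_1 reaches the modifypacket_1 instance.
struct KeyedRegistry {
    std::map<std::string, std::unique_ptr<Action>> actions;

    void instantiate(const std::string& n) {
        actions[n] = std::make_unique<Action>(n);
    }
    std::string run(const std::string& rule_action) const {
        auto it = actions.find(rule_action);
        return it == actions.end() ? std::string() : it->second->exec();
    }
};

// Plugin load order as shown in the thread's boot messages.
static const char* const kLoadOrder[] = {
    "modifypacket_3", "modifypacket_1", "modifypacket_2"};

// Which instance's exec() runs for a rule action under each registry.
std::string broken_dispatch(const std::string& rule_action) {
    BrokenRegistry r;
    for (const char* n : kLoadOrder) r.instantiate(n);
    return r.run(rule_action);
}

std::string keyed_dispatch(const std::string& rule_action) {
    KeyedRegistry r;
    for (const char* n : kLoadOrder) r.instantiate(n);
    return r.run(rule_action);
}

int main() {
    for (const char* rule : kLoadOrder) {
        std::cout << "rule action " << rule
                  << ": broken registry ran " << broken_dispatch(rule)
                  << ", keyed registry ran " << keyed_dispatch(rule) << '\n';
    }
    return 0;
}
```

Run stand-alone, the broken registry reports modifypacket_2 for all three rule actions, which is the symptom in the debug log above, while the keyed registry reports each rule's own action. When checking a real plugin host for this class of bug, the thing to confirm is that the lookup on the hot path is keyed by the rule's action name (or a per-rule handle) rather than by a global set during load.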
Current thread:
- Multiple IPS action plugin problem Özkan KIRIK via Snort-devel (Sep 06)
- Re: Multiple IPS action plugin problem Russ Combs (rucombs) via Snort-devel (Sep 07)
- Re: Multiple IPS action plugin problem Özkan KIRIK via Snort-devel (Sep 07)
- Re: Multiple IPS action plugin problem Tso-jie Ng (Sep 10)
- Re: Multiple IPS action plugin problem Özkan KIRIK via Snort-devel (Sep 07)
- Re: Multiple IPS action plugin problem Russ Combs (rucombs) via Snort-devel (Sep 07)