[Snort-devel] [Snort-users] Updated IP Blacklisting patch (version 2)

Eoin Miller eoin.miller at ...3055...
Tue Aug 11 10:24:26 EDT 2009


Martin Roesch wrote:
> On Thu, Jul 23, 2009 at 12:10 PM, Eoin
> Miller<eoin.miller at ...3055...> wrote:
>   
>> Another thing we had been noticing is that the iplist preproc fires on the
>> initial SYN and the following SYN/ACK flagged packet that is responding
>> during the handshake. This (obviously) causes the number of logged events to
>> increase a good deal. So after some searching around, we updated
>> src/preprocessors/spp_iplist.c:
>>
>> Original:
>> void IpListEval(Packet *p, void *context)
>> {
>> ...
>>   if(((IsTCP(p) && p->tcph->th_flags & TH_SYN)) || (IsUDP(p)) ||
>> (IsICMP(p)))
>> ...
>>
>>
>> Ours updated:
>> void IpListEval(Packet *p, void *context)
>> {
>> ...
>>   if(((IsTCP(p) && (TCP_ISFLAGSET(p->tcph, TH_SYN) &&
>> !TCP_ISFLAGSET(p->tcph, TH_ACK))) || (IsUDP(p)) || (IsICMP(p))))
>> ...
>>
>>
>> After this, logging is cleaner:
>>
>> Before:
>> Access attempt from evil blacklisted IP address [**] [Priority: 0] {TCP}
>> 1.1.1.1:80 -> 2.2.2.2:80
>> Access attempt from evil blacklisted IP address [**] [Priority: 0] {TCP}
>> 2.2.2.2:80 -> 1.1.1.1:80
>>
>> After:
>> Access attempt from evil blacklisted IP address [**] [Priority: 0] {TCP}
>> 1.1.1.1:80 -> 2.2.2.2:80
>>
>> But I don't know if this was done specifically to match up with evasion
>> techniques or something?
>>     
>
> My thought was that if you're inline then you'll prevent on the SYN
> packet and you'll never get a SYN/ACK packet.  Is that not the case?
> Are you running inline or passive?
>
>
> Marty
>
>
>   
Ahh, OK. We run Snort in a completely passive fashion at the client's 
site. The small tweak I added helps us out a good deal (and should help 
others stuck in passive monitoring situations).

If we ran inline and blocked all the RBN stuff, then no one could load 
their pharmacy email spam images, and that would be just awful. ;)

-- Eoin
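Added example (not Snort's own source): a small C model of the original and updated IpListEval() conditions quoted above, run over one constructed TCP handshake so the difference in alert count under passive monitoring is visible. pkt_t, the proto enum and handshake_alerts() are assumptions standing in for Snort's Packet structure.

```c
#include <stdbool.h>
#include <stdint.h>

#define TH_SYN 0x02
#define TH_ACK 0x10
/* Same shape as Snort's TCP_ISFLAGSET: every bit in `flags` must be set. */
#define TCP_ISFLAGSET(th_flags, flags) (((th_flags) & (flags)) == (flags))

enum proto { PROTO_TCP, PROTO_UDP, PROTO_ICMP };

/* Stand-in for Snort's Packet (assumption): protocol plus TCP flag byte. */
typedef struct {
    enum proto proto;
    uint8_t th_flags;   /* only meaningful for PROTO_TCP */
} pkt_t;

/* Original condition: any TCP packet with SYN set, so both the SYN and
 * the SYN/ACK of one handshake raise the blacklist alert. */
bool iplist_eval_original(const pkt_t *p)
{
    return (p->proto == PROTO_TCP && (p->th_flags & TH_SYN))
        || p->proto == PROTO_UDP || p->proto == PROTO_ICMP;
}

/* Updated condition from the thread: SYN set and ACK clear, so only the
 * client's initial SYN raises the alert; the SYN/ACK reply is skipped. */
bool iplist_eval_updated(const pkt_t *p)
{
    return (p->proto == PROTO_TCP
            && TCP_ISFLAGSET(p->th_flags, TH_SYN)
            && !TCP_ISFLAGSET(p->th_flags, TH_ACK))
        || p->proto == PROTO_UDP || p->proto == PROTO_ICMP;
}

/* Count alerts one full handshake (SYN, SYN/ACK, ACK) produces under a
 * given condition. The three packets are constructed, not captured. */
int handshake_alerts(bool (*eval)(const pkt_t *))
{
    const pkt_t hs[3] = {
        { PROTO_TCP, TH_SYN },
        { PROTO_TCP, TH_SYN | TH_ACK },
        { PROTO_TCP, TH_ACK },
    };
    int n = 0;
    for (int i = 0; i < 3; i++)
        n += eval(&hs[i]) ? 1 : 0;
    return n;
}
```

With a passive sensor seeing both directions, the original condition yields two alerts per handshake and the updated one yields one; UDP and ICMP handling is unchanged by the tweak.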
