[Snort-devel] Rules with threshold don't work in inline mode

Jason Brvenik jasonb at ...402...
Sat Feb 28 10:54:55 EST 2009


This is not a design problem per se, perhaps a documentation problem.
Thresholding has always been intended to be a post detection action,
not a pre-detection action. I know that there are some changes under
consideration to enhance the capabilities so that you can make
pre-action thresholds but I do not know the status.

I applaud your effort to try to change the way it behaves, as you note
it is a non-trivial effort. All I can recommend is patience for now.

On Sat, Feb 28, 2009 at 5:13 AM, Eric Leblond <eric at ...3013...> wrote:
> Hi,
>
> A design problem causes a failure in the handling of rules with
> threshold and drop decision which are dropping all the packets.
>
> When doing some test of inline mode, I've encountered a problem with the
> following rule:
> drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SSH Scan"; flags:S;
> threshold: type threshold, track by_src, count 5, seconds 120;
> classtype: attempted-recon; r sid: 2001219; rev:16;)
>
> The rule is blocking all SYN packets to port 22 because of the following
> lines in fpdetect.c:
>
> if( !sfthreshold_test( otn->event_data.sig_generator, ...)) {
>        /*
>        ** If InlineMode is on, then we still want to drop packets
>        ** that are drop rules. We just don't want to see the alert.
>        */
>        if(InlineMode())
>        {
>                if(rtn->type == RULE_DROP || rtn->type == RULE_SDROP)
>                        InlineDrop(p);
>        }
>        return 1; /* Don't log it ! */
> }
>
> The problem is that for every packet but the fifth one (in a 120 sec
> delay), sfthreshold_test() returns 0 to avoid logging and the packet gets
> dropped.
>
> Thus in inline mode, any rule using a threshold and a drop decision is
> dropping every packet.
>
> I've tried to fix this but the code modifications have to be done deep
> into the threshold subsystem (each function return has to be carefully
> chosen, and no ! operator can be used).
>
> As I'm not familiar with the code, there may be an easier solution. Any
> tips or help are welcome.
>
> BR,
> --
> Eric Leblond <eric at ...3013...>
> INL: http://www.inl.fr/
> NuFW: http://www.nufw.org/
>
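An added illustration, not Snort's code and not from either poster, that models the quoted rule's threshold (type threshold, track by_src, count 5, seconds 120) and the two verdict paths: `threshold_test` is a hypothetical stand-in for sfthreshold_test(), `buggy_verdict` mirrors the quoted fpdetect.c block, and the source address and timestamps are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Semantics of the quoted rule: type threshold, track by_src, count 5,
 * seconds 120 -> log every 5th matching event from a source per window. */
enum { THRESH_COUNT = 5, THRESH_SECONDS = 120, MAX_SRC = 16 };
enum rule_type { RULE_ALERT, RULE_DROP };

struct src_state { uint32_t src; uint32_t count; long window_start; };
static struct src_state table[MAX_SRC];   /* count == 0 marks a free slot */

/* Hypothetical stand-in for sfthreshold_test(): 1 = log this event, 0 = suppress. */
int threshold_test(uint32_t src, long now)
{
    struct src_state *s = NULL, *free_slot = NULL;
    for (int i = 0; i < MAX_SRC; i++) {
        if (table[i].count && table[i].src == src) { s = &table[i]; break; }
        if (!free_slot && table[i].count == 0) free_slot = &table[i];
    }
    if (!s) {
        if (!free_slot) return 1;          /* table full: fail toward logging */
        s = free_slot; s->src = src; s->count = 0; s->window_start = now;
    }
    if (now - s->window_start >= THRESH_SECONDS)   /* window expired: restart */
        { s->window_start = now; s->count = 0; }
    return ++s->count % THRESH_COUNT == 0;
}

/* Quoted fpdetect.c logic: a suppressed event is InlineDrop()ed before "return 1",
 * and a logged one is dropped by the normal action path, so every packet drops. */
int buggy_verdict(int log_it, enum rule_type t)
{
    if (!log_it && t == RULE_DROP) return 1;   /* the InlineDrop(p) branch */
    return t == RULE_DROP;                     /* threshold reached: drop + alert */
}

/* Behaviour the poster expects: the drop action fires only when the threshold does. */
int fixed_verdict(int log_it, enum rule_type t) { return log_it && t == RULE_DROP; }

/* Replay n SYNs from one constructed source, gap seconds apart; return drop count. */
int simulate(int n, long gap, int (*verdict)(int, enum rule_type))
{
    int drops = 0;
    memset(table, 0, sizeof table);
    for (int i = 0; i < n; i++)
        drops += verdict(threshold_test(0x0A000001u, 1000 + i * gap), RULE_DROP);
    return drops;
}
```

With ten SYNs one second apart the buggy path drops all ten while the fixed path drops only the 5th and 10th; spaced 30 seconds apart the window keeps resetting, so the fixed path drops none and the buggy path still drops everything.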