[Snort-devel] preprocessor drop packets issues

Ed Borgoyn (eborgoyn) eborgoyn at ...3461...
Tue Dec 10 14:03:47 EST 2013


Hello Han,
  Are you sure the Active_DropPacket() is being called?  Can you see this via a LogMessage() or perhaps the debugger?

  Are you configured to be in INLINE mode?  This is necessary to permit Snort to drop packets.

  Is all traffic being forwarded and you are not seeing the port==80 packets dropped?  Is this your observation?

    Ed


From: Han Zhang <zhanghan0116 at ...2499...>
Date: Friday, December 6, 2013 8:04 PM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] preprocessor drop packets issues


Hi all,

         I'm currently writing a Snort preprocessor, which tries to drop some
packets before they go to the detection engine and trigger any rules. I tried the function Active_DropPacket(), but it doesn't work.

         I attached my code here; for testing purposes, this code just drops all the HTTP packets. I could see the output "Got a packet", which means this preprocessor was called. But it did not drop any HTTP packet. Was I using the wrong function to drop the packet? Any comment is appreciated.

/* In-tree Snort 2.9 preprocessor headers (assumed; the original post showed none) */
#include "decode.h"            /* Packet, p->sp / p->dp */
#include "active.h"            /* Active_DropPacket() */
#include "util.h"              /* LogMessage() */
#include "snort.h"             /* getRuntimePolicy() */
#include "sfPolicyUserData.h"  /* sfPolicyUserPolicySet(), sfPolicyUserDataGetCurrent() */

/* Per-policy configuration table, filled in by the preprocessor's init function. */
static tSfPolicyUserContextId entropy_config = NULL;

static void Detection(Packet *p, void *context)
{
    /* The original declared a TestConfig * but cast to EntropyConfig *; one type is used here. */
    EntropyConfig *entropy = NULL;

    LogMessage("Got a packet\n");
    sfPolicyUserPolicySet(entropy_config, getRuntimePolicy());
    entropy = (EntropyConfig *)sfPolicyUserDataGetCurrent(entropy_config);

    /* Not configured in this policy */
    if (entropy == NULL)
        return;

    /* p->sp is the source port, so sp == 80 alone only matches server-to-client
     * traffic; checking p->dp as well covers the client requests. */
    if (p->sp == 80 || p->dp == 80)
    {
        /* Requests a drop; Snort only enforces it when running inline. */
        Active_DropPacket();
        //Active_ForceDropPacket();
        //Active_ForceDropAction(p);
        //Active_ForceDropSession();
    }
    return;
}

--
Thanks
Han
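As an added illustration of Ed's point about inline mode and of the port check in Han's snippet (this is not code from the thread or from Snort itself), the following C program models how a preprocessor's drop request reaches the DAQ verdict: the stand-in Active_DropPacket() only records a request, and the framework turns it into a block only when inline mode is on. Packet, the Active_* functions, Verdict and process_packet() are constructed stand-ins for this model, not Snort's real definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for Snort's Packet: only the fields the check uses. */
typedef struct {
    uint16_t sp;   /* source port */
    uint16_t dp;   /* destination port */
} Packet;

/* Verdict the framework hands back to the DAQ after all preprocessors ran. */
typedef enum { VERDICT_PASS = 0, VERDICT_BLOCK = 1 } Verdict;

/* Hypothetical model of Snort's Active state: a per-packet drop request plus
 * the global inline flag that -Q / config policy_mode:inline would set. */
static bool active_inline_mode = false;
static bool active_drop_requested = false;

static void Active_SetInline(bool on) { active_inline_mode = on; }

/* Mirrors the real call's contract: records a request, enforces nothing itself. */
static void Active_DropPacket(void) { active_drop_requested = true; }

/* Called once per packet before the preprocessors run. */
static void Active_ResetPacket(void) { active_drop_requested = false; }

/* End-of-packet decision: a drop request becomes a block only when inline.
 * In passive mode the packet is forwarded regardless, which is what Han saw. */
static Verdict Active_GetVerdict(void)
{
    if (active_drop_requested && active_inline_mode)
        return VERDICT_BLOCK;
    return VERDICT_PASS;
}

/* The preprocessor from the post, with the port test on both directions:
 * sp == 80 matches server responses, dp == 80 matches client requests. */
static void Detection(Packet *p, void *context)
{
    (void)context;
    if (p->sp == 80 || p->dp == 80)
        Active_DropPacket();
}

/* Drive one packet through the model and return the verdict. */
Verdict process_packet(Packet *p, bool inline_mode)
{
    Active_SetInline(inline_mode);
    Active_ResetPacket();
    Detection(p, NULL);
    return Active_GetVerdict();
}

int main(void)
{
    /* Constructed sample packets. */
    Packet request  = { .sp = 51234, .dp = 80 };    /* client -> server */
    Packet response = { .sp = 80,    .dp = 51234 }; /* server -> client */
    Packet dns      = { .sp = 51235, .dp = 53 };

    printf("passive, request : %d\n", process_packet(&request, false));  /* 0: forwarded */
    printf("inline,  request : %d\n", process_packet(&request, true));   /* 1: blocked */
    printf("inline,  response: %d\n", process_packet(&response, true));  /* 1: blocked */
    printf("inline,  dns     : %d\n", process_packet(&dns, true));       /* 0: forwarded */
    return 0;
}
```

The first two lines of output are the diagnostic Ed asks for: the same preprocessor code produces a pass verdict in passive mode and a block only once inline mode is enabled, so a LogMessage() confirming that Active_DropPacket() ran does not by itself prove the packet was dropped.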
