[Snort-devel] preprocessor drop packets issues

Han Zhang zhanghan0116 at ...2499...
Tue Dec 10 14:29:29 EST 2013


Hi Ed,

    Thank you for your reply.

    You are right, I need to run Snort in inline mode. Besides that, there
are two related functions I need to call, DisableAllDetect()
and Active_DropPacket().

    Function Active_DropPacket is used to drop the packets. When Snort runs
in inline mode, the packets that are not dropped can be stored in the file
specified by "--daq-var file" on the command line.
    Function DisableAllDetect is used to disable the other detectors in the
preprocessor as well as the rules in the detection engine. If I don't use this
function, the dropped packets in the preprocessor still go to the detection
engine and trigger alerts, which is not what I want to see.

    Finally, I solved the problem by calling these two functions.

    Tons of thanks for your help.

Han




On Tue, Dec 10, 2013 at 12:03 PM, Ed Borgoyn (eborgoyn)
<eborgoyn at ...3461...>wrote:

>  Hello Han,
>   Are you sure the Active_DropPacket() is being called?  Can you see this
> via a LogMessage() or perhaps the debugger?
>
>    Are you configured to be in INLINE mode?  This is necessary to permit
> Snort to drop packets.
>
>   Is all traffic being forwarded and you are not seeing the port==80
> packets dropped?  Is this your observation?
>
>      Ed
>
>
>   From: Han Zhang <zhanghan0116 at ...2499...>
> Date: Friday, December 6, 2013 8:04 PM
> To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net
> >
> Subject: [Snort-devel] preprocessor drop packets issues
>
>
>  Hi all,
>
>           I'm currently writing a Snort preprocessor, which tries to drop some
> packets before they go to the detection engine and trigger any rules. I
> tried the function Active_DropPacket(), but it doesn't work.
>
>          I attached my code here; for test purposes, this code just drops
> all the HTTP packets. I could see the output "Got a packet", which means this
> preprocessor was called. But it did not drop any HTTP packet. Was I using the
> wrong function to drop the packet? Any comment is appreciated.
>
>  static void Detection(Packet *p, void *context)
> {
>     EntropyConfig *entropy = NULL;
>
>     LogMessage("Got a packet\n");
>     /* Select the configuration that belongs to the current runtime policy */
>     sfPolicyUserPolicySet(entropy_config, getRuntimePolicy());
>     entropy = (EntropyConfig *)sfPolicyUserDataGetCurrent(entropy_config);
>
>     /* Not configured in this policy */
>     if (entropy == NULL)
>         return;
>
>     /* Test only: treat a packet with source port 80 as HTTP and drop it
>        (this matches server-to-client traffic only; requests have dp == 80) */
>     if (p->sp == 80)
>     {
>         Active_DropPacket();
>         //Active_ForceDropPacket();
>         //Active_ForceDropAction(p);
>         //Active_ForceDropSession();
>     }
>     return;
> }
>
>  --
> Thanks
> Han
>
>


-- 
Thanks
Han
------------------------------------------------------------
Department of Computer Science
Colorado State University
Fort Collins, CO, USA
------------------------------------------------------------
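The ordering problem Han describes (a preprocessor drop verdict does not stop the rules engine from inspecting and alerting on the same packet unless detection is also disabled, and a drop only takes effect in inline mode) is easier to see in a small stand-alone model. The following is an added example, not code from the thread or from Snort: it replaces Snort's Packet, Active and detection state with minimal stand-ins (active_drop_packet, disable_all_detect, detection_engine, run_packet are all constructed names, and the "rule" is a constructed one that alerts on any port-80 packet). The real calls in a Snort 2.x preprocessor are the ones named in the thread, Active_DropPacket() and DisableAllDetect(p), with Snort started in inline mode.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the Snort structures involved. In Snort the
 * active (verdict) state is global and the Packet struct is far larger. */
typedef struct {
    uint16_t sp;   /* source port */
    uint16_t dp;   /* destination port */
} Packet;

typedef enum { VERDICT_PASS = 0, VERDICT_DROP = 1 } Verdict;

typedef struct {
    bool inline_mode;        /* false = passive IDS, true = inline IPS */
    Verdict verdict;         /* recorded by active_drop_packet() */
    bool detection_disabled; /* recorded by disable_all_detect() */
    int alerts;              /* rules that fired on this packet */
} Engine;

/* Stand-in for Active_DropPacket(): the packet is only withheld from the
 * DAQ when Snort is inline; in passive mode it is still forwarded. */
static void active_drop_packet(Engine *e)
{
    if (e->inline_mode)
        e->verdict = VERDICT_DROP;
}

/* Stand-in for DisableAllDetect(p): no further inspection of this packet. */
static void disable_all_detect(Engine *e)
{
    e->detection_disabled = true;
}

/* HTTP in either direction, so client requests (dp == 80) match too. */
static bool is_http(const Packet *p)
{
    return p->sp == 80 || p->dp == 80;
}

/* First attempt from the thread: drop only. */
static void preproc_drop_only(Engine *e, const Packet *p)
{
    if (is_http(p))
        active_drop_packet(e);
}

/* Working version: drop, and stop the rules engine from seeing the packet. */
static void preproc_drop_and_disable(Engine *e, const Packet *p)
{
    if (is_http(p)) {
        disable_all_detect(e);
        active_drop_packet(e);
    }
}

/* Stand-in for the rules engine with one constructed rule: alert on any
 * port-80 packet. Honors the "detection disabled" flag the way Snort does. */
static void detection_engine(Engine *e, const Packet *p)
{
    if (e->detection_disabled)
        return;
    if (is_http(p))
        e->alerts++;
}

typedef void (*preproc_fn)(Engine *, const Packet *);

/* One packet through the pipeline in the order the thread describes:
 * preprocessor first, then the detection engine, then the verdict. */
static Engine run_packet(bool inline_mode, preproc_fn pp, Packet p)
{
    Engine e = { inline_mode, VERDICT_PASS, false, 0 };
    pp(&e, &p);
    detection_engine(&e, &p);
    return e;
}

static const char *verdict_str(Verdict v)
{
    return v == VERDICT_DROP ? "drop" : "pass";
}

int main(void)
{
    Packet http_resp = { 80, 40000 };   /* constructed sample: server -> client */
    Engine before = run_packet(true, preproc_drop_only, http_resp);
    Engine after  = run_packet(true, preproc_drop_and_disable, http_resp);
    Engine ids    = run_packet(false, preproc_drop_and_disable, http_resp);

    printf("inline, drop only:          verdict=%s alerts=%d\n",
           verdict_str(before.verdict), before.alerts);
    printf("inline, drop + disable:     verdict=%s alerts=%d\n",
           verdict_str(after.verdict), after.alerts);
    printf("passive, drop + disable:    verdict=%s alerts=%d\n",
           verdict_str(ids.verdict), ids.alerts);
    return 0;
}
```

The first line of output reproduces the symptom from the thread (the packet is dropped but the rule still alerts); the second shows the fix; the third shows why the drop never appeared before inline mode was enabled.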