[Snort-users] UDP packet supposedly DROPped, but seen by snort anyway

Jan Ploski jpljpl at ...348...
Thu Oct 24 09:42:12 EDT 2002


On Thu, Oct 24, 2002 at 11:23:35AM -0500, Matt Yackley wrote:
> Jan, it sounds like you are running Snort on the iptables box, AFAIK libpcap
> grabs the packet when it hits the NIC, iptables is rejecting the packet but
> that happens at a higher level than libpcap & snort work at.  
> Others here will expand more but my guess as to why the TCP is not picked up
> by snort is due to the way the rules are written and the way TCP connections
> are handled.  Most rules for TCP type connections will require a 3way
> handshake to be completed before something like a cmd.exe attempt is sent.
> If this type of connection is blocked at the start it never gets to the
> point of sending a packet that triggers the rule.  This UDP rule will
> trigger with the first packet sent since it does not need a 3 way handshake
> to be completed.
> 
> Anyway, that is my quick stab at this, everyone else please feel free to
> correct me where I am wrong :)

Matt,

you are entirely correct, and I have also received similar suggestions
from other people on this list via private email (thanks again!).
The TCP SYN packet used to establish a connection indeed makes it
through to snort, much like the UDP packet. Too bad I did not check
this before posting... :-(

As someone else suggested: "write a pass rule for it or you can
use a bpf filter (not udp port 161) to ignore the traffic". This is
indeed a good solution, as I know that port 161 is closed on the
monitored box.

Best regards -
Jan Ploski
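
A small Python model of the two points made in this exchange, added here as an illustration; it is not code from the thread, from Snort, or from libpcap. It hand-builds a few IPv4/UDP/TCP packets (constructed sample traffic, no link layer), parses them back, and runs two simplified rules over them: a stateless UDP rule that fires on the first datagram to port 161, and a TCP content rule that only fires once a `FlowTracker` (my stand-in for Snort's stream handling, not its real implementation) has seen the three-way handshake. The `bpf_not_udp_port_161` predicate plays the role of the capture filter `not udp port 161`; all function and class names are my own.

```python
"""Why a DROPped UDP packet still alerts while a DROPped TCP SYN does not.

Added example, not from the Snort-users thread or from Snort itself. Packets
are constructed IPv4 datagrams without a link-layer header; the flow tracker
and the two rules are simplified models of Snort behaviour, not Snort code.
"""
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header; checksum left zero since nothing verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(sport, dport, flags, data=b""):
    # seq/ack 0, data offset 5 words, window 8192, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + data


def parse(pkt):
    """Decode IPv4 + UDP/TCP into a dict; returns None for other protocols."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    l4 = pkt[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        return {"proto": "udp", "src": src, "dst": dst, "sport": sport,
                "dport": dport, "flags": 0, "data": l4[8:]}
    if proto == IPPROTO_TCP:
        sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", l4[:14])
        return {"proto": "tcp", "src": src, "dst": dst, "sport": sport,
                "dport": dport, "flags": flags, "data": l4[(off >> 4) * 4:]}
    return None


def bpf_not_udp_port_161(p):
    """Equivalent of the capture filter 'not udp port 161' (either direction)."""
    return not (p["proto"] == "udp" and 161 in (p["sport"], p["dport"]))


class FlowTracker:
    """Follows the 3-way handshake so a rule can require an established flow.
    Simplified stand-in for Snort's stream preprocessor, client->server only."""

    def __init__(self):
        self.state = {}  # (client, cport, server, sport) -> "syn" | "synack" | "est"

    def established(self, p):
        """Update state with this packet and report whether its flow is established."""
        if p["proto"] != "tcp":
            return False
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        f = p["flags"]
        if f & TCP_SYN and not f & TCP_ACK:
            self.state[fwd] = "syn"                       # client SYN
        elif f & TCP_SYN and f & TCP_ACK and self.state.get(rev) == "syn":
            self.state[rev] = "synack"                    # server SYN/ACK
        elif f & TCP_ACK and self.state.get(fwd) == "synack":
            self.state[fwd] = "est"                       # client ACK completes handshake
        return self.state.get(fwd) == "est"


def run_detection(packets, capture_filter=None):
    """Return the rule messages that fire, in packet order."""
    tracker, alerts = FlowTracker(), []
    for raw in packets:
        p = parse(raw)
        if p is None or (capture_filter and not capture_filter(p)):
            continue  # BPF filter: libpcap never hands this packet to the engine
        est = tracker.established(p)  # feed every packet to the handshake tracker
        if p["proto"] == "udp" and p["dport"] == 161:  # stateless, fires on first datagram
            alerts.append("SNMP request udp")
        if p["proto"] == "tcp" and p["dport"] == 80 and est and b"cmd.exe" in p["data"]:
            alerts.append("WEB-IIS cmd.exe access")    # needs flow:established
    return alerts


# Constructed sample traffic: one SNMP probe plus the start of an HTTP connection.
CLIENT, SERVER = "10.0.0.5", "192.168.1.10"
BLOCKED_HTTP = [  # iptables DROPs both, but libpcap on the same host still sees them
    build_ipv4(IPPROTO_UDP, CLIENT, SERVER, build_udp(40000, 161, b"\x30\x0c\x02\x01\x00")),
    build_ipv4(IPPROTO_TCP, CLIENT, SERVER, build_tcp(40001, 80, TCP_SYN)),
]
OPEN_HTTP = BLOCKED_HTTP + [  # port 80 open: handshake completes, then the request arrives
    build_ipv4(IPPROTO_TCP, SERVER, CLIENT, build_tcp(80, 40001, TCP_SYN | TCP_ACK)),
    build_ipv4(IPPROTO_TCP, CLIENT, SERVER, build_tcp(40001, 80, TCP_ACK)),
    build_ipv4(IPPROTO_TCP, CLIENT, SERVER, build_tcp(40001, 80, TCP_PSH | TCP_ACK,
                                                    b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")),
]

if __name__ == "__main__":
    print("blocked, no filter :", run_detection(BLOCKED_HTTP))
    print("open, no filter    :", run_detection(OPEN_HTTP))
    print("blocked, bpf filter:", run_detection(BLOCKED_HTTP, bpf_not_udp_port_161))
```

With port 80 blocked, only the SNMP rule fires: the SYN reaches the engine but carries no content and no established flow, so the `cmd.exe` rule never matches. With the capture filter in place the SNMP datagram is dropped before the engine sees it, which is the same effect as a `pass` rule for UDP 161, but with the difference that a BPF filter also removes the packet from any other rule or logging, while a `pass` rule only suppresses the rules it shadows.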
