[Snort-users] packet modifications not working

eboehnlein at ...661...
Thu Jun 2 07:36:31 EDT 2005

Problem:  snort_inline modified packets are not being forwarded; instead it appears that the original, unaltered packet is being forwarded.  Also, when drop rules are triggered, snort_inline and/or the sending workstation hang.
Running Suse linux 9.0 (i586) - Kernel 2.4.30       
with  patch ebtables-brnf-9_vs_2.4.30.diff
--- snort NID with the above configuration works to this point: rules are triggered and events are logged --- then include the following ---
      bridge script to define bridge [eth1+eth2]=br0
              ## clear iptables
              ## turn forwarding off
                 $ECHO 0 > /proc/sys/net/ipv4/ip_forward
      The ip_queue module is loaded by executing:
                 insmod ip_queue
      Start snort:
                 snort_inline -v -Q -c /etc/snort_inline/snort_inline.conf
--- at this point snort_inline is active and traffic is passing through the bridge in both directions -- alerts are logged -- replace and drop are not working, but the actions are logged --
Snort Rules Are defined to trigger on a HTTP query from a network:
      + Alert when any HTTP traffic is sent from workstation segment -- successfully alerts and logs.
      + Alert and replace content when a specific word is being used -- successfully alerts and logs.
Symptoms: [Verified using traces and dumps]
     + all unaltered traffic flows both ways over the bridge
     + snort_inline alert rules are triggered and logged - (using content rules)
     + snort_inline alert/replace rules are triggered and logged; however, it appears that it is the original (unaltered) packet that is being forwarded.
I suspect that snort_inline (via libnet) is not handling the modified packet correctly. I have recompiled and reconfigured the kernel and all the software several times with no apparent errors being generated.
Any thoughts how to proceed from here?

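The bridge, ip_queue and snort_inline start-up sequence described in the post, written out as one script. This is an added example, not code from the post or from the snort_inline project. The interface names, bridge name and config path are taken from the post; the `iptables -A FORWARD -j QUEUE` rule is an assumption the post does not show (it is what hands bridged packets to ip_queue on a kernel with the bridge-nf patch), `sysctl -w` replaces the post's `echo 0 > /proc/sys/net/ipv4/ip_forward`, and the sid in the generated rule is a placeholder. The rule helper enforces the one constraint snort_inline puts on `replace`: the replacement must be exactly as long as the matched content, because the payload is rewritten in place.

```shell
#!/bin/sh
# Added example, not from the original post or the snort_inline project.
# Brings up a transparent bridge and hands the bridged traffic to
# snort_inline through ip_queue. Needs root unless DRY_RUN=1.

BRIDGE=${BRIDGE:-br0}                                   # assumed, matches post
IFACES=${IFACES:-"eth1 eth2"}                           # assumed, matches post
CONF=${CONF:-/etc/snort_inline/snort_inline.conf}       # assumed, matches post
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or only print it when DRY_RUN=1 so the whole
# sequence can be reviewed on a box that has no eth1/eth2.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build br0 from the two interfaces; the bridge forwards at layer 2,
# so IP forwarding stays off exactly as in the post.
setup_bridge() {
    run brctl addbr "$BRIDGE"
    for i in $IFACES; do
        run brctl addif "$BRIDGE" "$i"
        run ifconfig "$i" 0.0.0.0 up
    done
    run ifconfig "$BRIDGE" up
    run sysctl -w net.ipv4.ip_forward=0
}

# Flush old rules, load ip_queue and send everything that crosses the
# bridge (visible in FORWARD because of the bridge-nf patch) to userspace.
# Without a QUEUE rule snort_inline never sees a packet (assumption:
# the post does not show its iptables rules).
queue_bridged_traffic() {
    run iptables -F
    run modprobe ip_queue
    run iptables -A FORWARD -j QUEUE
}

start_snort_inline() {
    run snort_inline -Q -c "$CONF"
}

# snort_inline rewrites the payload in place, so a replace string must be
# the same length as the content it replaces. Returns 0 if the pair is usable.
check_replace_pair() {
    content=$1
    replace=$2
    [ "${#content}" -eq "${#replace}" ]
}

# Emit a rule that rewrites $2 to $3 in HTTP traffic from $1, refusing
# pairs that would change the payload length. sid 1000001 is a placeholder.
replace_rule() {
    check_replace_pair "$2" "$3" || return 1
    printf 'alert tcp %s any -> any 80 (msg:"rewrite %s"; content:"%s"; replace:"%s"; sid:1000001;)\n' \
        "$1" "$2" "$2" "$3"
}

# Usage: ./inline-bridge.sh up   (DRY_RUN=1 ./inline-bridge.sh up to preview)
if [ "${1:-}" = "up" ]; then
    setup_bridge
    queue_bridged_traffic
    start_snort_inline
fi
```

Running with `DRY_RUN=1` prints the command sequence instead of executing it, which is a cheap way to confirm the QUEUE rule and the `-Q` flag are both present before touching a production bridge.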