[Snort-users] packet modifications not working

eboehnlein at ...661... eboehnlein at ...661...
Thu Jun 2 07:36:31 EDT 2005


Problem:  snort_inline modified packets are not being forwarded, instead it appears the original unaltered packet is being forwarded.  Also, dropped packets rules when triggered make either snort_inline and/or the sending workstation hang.
 
Background:
Running Suse linux 9.0 (i586) - Kernel 2.4.30       
with  patch ebtables-brnf-9_vs_2.4.30.diff
      iptables-1.2.8
      libpcap-0.8.3 
      pcre-5.0
      libnet-1.0.2a 
      snort-2.3.3
--- snort NID with the above configuration  works this point:  rules are triggered and events are logged --- then include the following ---
 
      iptables-1.3.1 
      bridge-utils-1.0.4 
      snort_inline-2.3.0-RC1
      bridge script to define bridge [eth1+eth2]=br0
              ## clear iptables
   $IPTABLES -F
   $IPTABLES -A FORWARD -j QUEUE
              ## turn forwrding off
                 $ECHO 0 > /proc/sys/net/ipv4/ip_forward
      The ip queue module is loaded by executing:
  insmod ip_queue
      
Start snort 
  >snort_inline -v -Q -c /etc/snort_inline/snort_inline.conf
 
--- at this point snort inline is active  and traffic is passing through bridge both direcitons --alerts are logged -- replace and drop not working but actions are logged ++
-----------------------------------------------------
Snort Rules Are defined to trigger on a HTTP query from a network:
      + Alert when any HTTP traffic is sent from workstation segment -- successfully alerts and logs.
      + Alert and replace content when a specific word is being used -- successfully alerts and logs.
     
Symptoms: [Verified using traces and dumps]
     + all unaltered traffic flows both ways over the bridge
     + snort_inline alert rules are triggered and logged - (using content rules)
     + snort_inline alert/replace rules are triggered and logged; however, it appears the it is the original(unaltered) packet that being forwarded. 
 
I suspect that snort_inline (via libnet) is not handling the modified packet correctly. I have recompiled and reconfigured the kernel and all the software several times with no apparent errors being generated.
Any thoughts how to proceed from here?
 
Ed
           
                
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050602/be06540f/attachment.html>


More information about the Snort-users mailing list