[Snort-users] packet modifications not working

Joel Esler eslerj at ...11827...
Thu Jun 2 07:46:22 EDT 2005


you may want to take this over to the snort_inline list.  They may be
able to answer your question more accurately.

Joel

On 5/31/05, eboehnlein at ...661... <eboehnlein at ...661...> wrote:
> 
> Problem:  snort_inline modified packets are not being forwarded; instead it
> appears the original unaltered packet is being forwarded.  Also, drop
> rules, when triggered, make snort_inline and/or the sending workstation
> hang.
>   
> Background:
> Running Suse linux 9.0 (i586) - Kernel 2.4.30
> with patch ebtables-brnf-9_vs_2.4.30.diff
>       iptables-1.2.8
>       libpcap-0.8.3
>       pcre-5.0
>       libnet-1.0.2a
>       snort-2.3.3
> --- snort NID with the above configuration works to this point: rules are
> triggered and events are logged --- then include the following ---
>   
>       iptables-1.3.1 
>       bridge-utils-1.0.4 
>       snort_inline-2.3.0-RC1
>       bridge script to define bridge [eth1+eth2]=br0
>               ## clear iptables
>               $IPTABLES -F
>               $IPTABLES -A FORWARD -j QUEUE
>               ## turn forwarding off
>               $ECHO 0 > /proc/sys/net/ipv4/ip_forward
>       The ip queue module is loaded by executing:
>               insmod ip_queue
>
> Start snort
>       > snort_inline -v -Q -c /etc/snort_inline/snort_inline.conf
>   
> --- at this point snort inline is active and traffic is passing through
> the bridge in both directions -- alerts are logged -- replace and drop not
> working but actions are logged ++
> ----------------------------------------------------- 
> Snort Rules Are defined to trigger on a HTTP query from a network:
>       + Alert when any HTTP traffic is sent from workstation segment --
> successfully alerts and logs.
>       + Alert and replace content when a specific word is being used --
> successfully alerts and logs.
>      
> Symptoms: [Verified using traces and dumps]
>      + all unaltered traffic flows both ways over the bridge
>      + snort_inline alert rules are triggered and logged - (using content
> rules)
>      + snort_inline alert/replace rules are triggered and logged; however,
> it appears that it is the original (unaltered) packet that is being forwarded.
>   
> I suspect that snort_inline (via libnet) is not handling the modified packet
> correctly. I have recompiled and reconfigured the kernel and all the
> software several times with no apparent errors being generated. 
> Any thoughts how to proceed from here? 
>   
> Ed


-- 
Joel Esler
BASE Project Lead
http://sourceforge.net/projects/secureideas
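The alert-and-replace rule in the quoted setup, as an added illustration that is not from the post or from snort_inline itself: it parses the content/replace pair from a constructed rule, enforces snort_inline's requirement that replace be exactly as long as content, and compares a forwarded payload with what the rewrite should have produced, which is the comparison the trace check described above amounts to. It assumes plain-text content strings (no |hex| form); rule text and payload are constructed samples.

```python
import re

# Constructed sample rule in snort_inline alert/replace syntax (not from the post).
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"replace demo"; '
               'content:"secret"; replace:"public"; sid:1000001;)')

# Constructed sample HTTP request that the rule should match.
SAMPLE_PAYLOAD = b"GET /search?q=secret HTTP/1.0\r\nHost: example.test\r\n\r\n"


def parse_replace_rule(rule):
    """Return (content, replace) as bytes; handles plain-text strings only, not |hex|."""
    content = re.search(r'content:"([^"]*)"', rule)
    replace = re.search(r'replace:"([^"]*)"', rule)
    if not content or not replace:
        raise ValueError("rule needs both a content and a replace option")
    return content.group(1).encode(), replace.group(1).encode()


def check_rule(rule):
    """snort_inline overwrites the match in place, so replace must equal content in length."""
    content, replace = parse_replace_rule(rule)
    if len(content) != len(replace):
        raise ValueError(f"replace length {len(replace)} != content length {len(content)}")
    return content, replace


def rule_is_valid(rule):
    """Boolean form of check_rule for quick rule-file linting."""
    try:
        check_rule(rule)
        return True
    except ValueError:
        return False


def apply_replace(payload, content, replace):
    """Overwrite the first match in place; payload length is unchanged."""
    idx = payload.find(content)
    if idx < 0:
        return payload
    return payload[:idx] + replace + payload[idx + len(content):]


def forwarded_as_expected(forwarded_payload, rule, original_payload):
    """True if what left the bridge is what the rule should have produced."""
    content, replace = check_rule(rule)
    return forwarded_payload == apply_replace(original_payload, content, replace)
```

Feeding the unaltered payload in as the forwarded payload reproduces the symptom in the post (the comparison fails), while a correctly rewritten payload passes.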