[Snort-users] packet modifications not working

Will Metcalf william.metcalf at ...11827...
Thu Jun 2 08:34:59 EDT 2005


I posted a response to your question on the bleeding-snort forums.

Regards,

Will

On 5/31/05, eboehnlein at ...661... <eboehnlein at ...661...> wrote:
> 
> Problem:  snort_inline modified packets are not being forwarded; instead it
> appears the original unaltered packet is being forwarded.  Also, drop rules,
> when triggered, make snort_inline and/or the sending workstation hang.
>  
> Background:
> Running Suse linux 9.0 (i586) - Kernel 2.4.30       
> with  patch ebtables-brnf-9_vs_2.4.30.diff
>       iptables-1.2.8
>       libpcap-0.8.3 
>       pcre-5.0
>       libnet-1.0.2a 
>       snort-2.3.3
> --- snort NID with the above configuration works at this point: rules are
> triggered and events are logged --- then include the following ---
>  
>       iptables-1.3.1 
>       bridge-utils-1.0.4 
>       snort_inline-2.3.0-RC1
>       bridge script to define bridge [eth1+eth2]=br0
>               ## clear iptables
>               $IPTABLES -F
>               $IPTABLES -A FORWARD -j QUEUE
>               ## turn forwarding off
>               $ECHO 0 > /proc/sys/net/ipv4/ip_forward
>       The ip_queue module is loaded by executing:
>               insmod ip_queue
>       
> Start snort:
>       snort_inline -v -Q -c /etc/snort_inline/snort_inline.conf
>  
> --- at this point snort_inline is active and traffic is passing through the
> bridge in both directions -- alerts are logged -- replace and drop not working
> but actions are logged ++
> -----------------------------------------------------
> Snort Rules Are defined to trigger on a HTTP query from a network:
>       + Alert when any HTTP traffic is sent from workstation segment --
> successfully alerts and logs.
>       + Alert and replace content when a specific word is being used --
> successfully alerts and logs.
>      
> Symptoms: [Verified using traces and dumps]
>      + all unaltered traffic flows both ways over the bridge
>      + snort_inline alert rules are triggered and logged - (using content
> rules)
>      + snort_inline alert/replace rules are triggered and logged; however,
> it appears that it is the original (unaltered) packet that is being forwarded.
>  
> I suspect that snort_inline (via libnet) is not handling the modified packet
> correctly. I have recompiled and reconfigured the kernel and all the
> software several times with no apparent errors being generated.
> Any thoughts how to proceed from here?
>  
> Ed

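The setup Ed describes (eth1+eth2 bridged as br0, FORWARD traffic sent to the QUEUE target, ip_queue loaded, snort_inline started with -Q) as a single script, added here as an example; it is not from the original post or from the snort_inline project. Besides wiring the bridge it adds the two checks a practitioner wants around a replace problem like this one: before starting, that every `replace:` rule carries a replacement exactly as long as its `content:` (snort_inline rewrites the matched bytes in place and requires equal lengths), and after starting, that a process actually owns the ip_queue, since queued packets with no reader simply stall. Interface names, the `/sbin` paths, the rule file name and the sample rules in the check are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the inline-bridge procedure
# described above as one script, plus a pre-flight check on replace: rules.
# Interface names eth1/eth2, br0, and the paths below are assumptions.
set -u

IPTABLES=${IPTABLES:-/sbin/iptables}
BRCTL=${BRCTL:-/sbin/brctl}
CONF=${CONF:-/etc/snort_inline/snort_inline.conf}
RULES=${RULES:-/etc/snort_inline/rules/replace.rules}   # assumed rule file

# Print (do not run) the commands that build the bridge, load ip_queue, send
# every forwarded packet to userspace with the QUEUE target and disable IP
# forwarding, so the sequence can be reviewed first. "apply" pipes it to sh.
bridge_cmds() {
    cat <<EOF
$BRCTL addbr br0
$BRCTL addif br0 eth1
$BRCTL addif br0 eth2
ifconfig eth1 0.0.0.0 up
ifconfig eth2 0.0.0.0 up
ifconfig br0 up
modprobe ip_queue
$IPTABLES -F
$IPTABLES -A FORWARD -j QUEUE
echo 0 > /proc/sys/net/ipv4/ip_forward
EOF
}

# snort_inline's replace: keyword needs a replacement exactly as long as the
# matched content (the packet is rewritten in place, not re-sized). Scan a
# rules file and report every line where the two lengths differ; exit status
# is 1 if any mismatch was found. Limitation: plain ASCII content only, no
# |hex| bytes or escaped quotes.
check_replace_lengths() {
    awk '
        /replace:/ {
            c = $0; sub(/.*content:"/, "", c); sub(/".*/, "", c)
            r = $0; sub(/.*replace:"/, "", r); sub(/".*/, "", r)
            if (length(c) != length(r)) {
                printf "line %d: content \"%s\" is %d bytes, replace \"%s\" is %d bytes\n",
                       NR, c, length(c), r, length(r)
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# After snort_inline is up, confirm it actually owns the queue: with ip_queue
# loaded, /proc/net/ip_queue reports the peer PID and the queue length. A
# "Peer PID" of 0 means nothing is reading the queue and FORWARD traffic stalls.
queue_status() {
    cat /proc/net/ip_queue
}

main() {
    check_replace_lengths "$RULES" || {
        echo "fix the replace: lengths above before starting snort_inline" >&2
        exit 1
    }
    bridge_cmds | sh -e
    # -v (per-packet console dump) is deliberately left out in inline mode.
    exec snort_inline -Q -c "$CONF"
}

case ${1:-show} in
    apply)  main ;;
    status) queue_status ;;
    *)      bridge_cmds ;;
esac
```

Run it with no argument to review the generated commands, `apply` (as root) to build the bridge and exec snort_inline, and `status` afterwards to read the ip_queue state. To confirm on the wire whether the rewritten or the original packet leaves the bridge, sniff the far-side interface (here eth2) for the replacement string rather than trusting the alert log, since the alert fires on the match regardless of what was forwarded.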


