[Snort-users] Help requested. Can't auto-convert "alert" to "drop" (i.e., for snort-inline rules).

FName Lame peabody007 at ...131...
Sat Sep 20 22:24:11 EDT 2008


To Any Snort Guru:

I
am currently EXTREMELY  BAFFLED.  I am using snort 2.8 in inline mode
and updating with oinkmaster 2.0.  If I update via oinkmaster WITHOUT
specifying {modifysid * “^alert” | “drop”} within the oinkmaster.conf
file,  the rules get updated and everything works.  If I  insert some
simple drop rules for testing after the oinkmaster update, my “test”
drop rules correctly drop and log dropped packets.  If I test the
updated alerts by restarting in non-inline mode, they work as well.

STRANGELY, if I
update via oinkmaster and DO specify {modifysid * “^alert” | “drop”}
within the .conf file, oinkmaster “seems” to work (i.e., updates appear
to have been made correctly, “alert” rules are all converted to “drop”
rules, snort inline starts without errors,  snort output lists rules as
being correctly read, etc.), however, when I insert some simple drop
rules testing, my “test” drop rules do not work, nor do any of the
converted drop rules that had worked prior as alerts.  At least the
“test” drop rules SHOULD work (but do not), since they work when I
update without converting alerts to drops.  This would seem impossible,
but it IS occurring.  I always restart snort after rules modifications
to flush rules from memory and am only using dowloaded snort rules
(i.e. other than some extremely simple "test" drop rules that DO work
when I haven't converted "alert" rules to "drop").  

I understand
that if I had "alert" rules similar to my test "drop" rules, then my
test "drop" rules might not get triggered and logged (i.e., as a
consequence of already being dropped by other rules that were prior
only "alerts").  However, in that scenario, even though the test
"drops" wouldn't show as triggered in the logs, the packets would still
get dropped, due to other "drop" rules.  This isn't what is happening,
since none of my packets are getting dropped once I convert "alerts" to
"drops".  Again, extremely baffling!

There must be a way to run snort-inline with automatic alert/drop conversions on updates, but I have not been able to to it.

Any feedback would be GREATLY APPRECIATED!

Peabody


      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080920/925fdc1b/attachment.html>


More information about the Snort-users mailing list