[Snort-users] snort does not send reset in freebsd/ipfw inline mode

Rajkumar S rajkumars at ...11827...
Fri Feb 4 02:29:56 EST 2011


On Sat, Jan 29, 2011 at 3:08 AM, Russ Combs <rcombs at ...1935...> wrote:
>
> Are you sure the packets are not being blocked?  The first block on a
> session is counted as blacklist.

Yes, with snort running inline and DAQ listening on an IPFW divert
socket, the packets are not being blocked. (I am using HTTP, and with
snort running and rules being matched, the browser is showing the
page.)

> Have you tried using the dump DAQ?  Blocked / blacklisted packets won't
> appear in the output pcap.  Resets will appear in the output pcap.

I tested with dump after your email and it works fine using the dump DAQ,
with the output pcap showing reset packets.

Here are the detailed test results:

I have uploaded my snort.conf at http://pastebin.com/gg1hx3J4


IPFW:
snort --daq ipfw --daq-var port=8100 -Q -c snort.conf

Packet capture coming in to the server:  http://pastebin.com/fpudZ3iq
Packet capture going out from server:  http://pastebin.com/0FF94G5r

Packet I/O Totals:
   Received:            7
   Analyzed:            7 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12

Action Stats:
     Alerts:            7 (100.000%)
     Logged:            7 (100.000%)
     Passed:            0 (  0.000%)
Match Limit:            0
Queue Limit:            0
  Log Limit:            0
Event Limit:            0
Verdicts:
      Allow:            0 (  0.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 (100.000%)
     Ignore:            0 (  0.000%)


Dump:
snort --daq dump --daq-var load-mode=read-file -r /root/snort-pcap/replay.pcap -Q -c snort.conf

Packet capture coming in:  http://pastebin.com/Vx90iRFM
Packet capture going out:  http://pastebin.com/0dTNmBpg

Packet I/O Totals:
   Received:           10
   Analyzed:           10 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           10

Action Stats:
     Alerts:            5 ( 50.000%)
     Logged:            5 ( 50.000%)
     Passed:            0 (  0.000%)
Match Limit:            0
Queue Limit:            0
  Log Limit:            0
Event Limit:            0
Verdicts:
      Allow:            0 (  0.000%)
      Block:            5 ( 50.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            5 ( 50.000%)
     Ignore:            0 (  0.000%)

One difference I can see is that there are 5 blocked packets in dump,
but IPFW does not show any dropped packets; both commands show
blacklisted packets.

Do let me know if any further details are needed from my side,

with regards,

raj
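Added example (not part of the post, not Snort or DAQ code): a small Python parser for the shutdown statistics format Snort printed in the two runs above, plus a diff of the ipfw and dump runs. The sample input is the two stats blocks copied from the post with the four "... Limit" lines trimmed; the check names (blacklist_without_block, injected_exceeds_received) are my own and simply encode the pattern the author noticed: Blacklist verdicts returned while the Block counter stayed at zero, and more packets injected than received.

```python
import re

# Constructed sample input: the ipfw-DAQ and dump-DAQ shutdown stats copied from the
# post above, with the four "... Limit" lines trimmed to keep the example short.
IPFW_STATS = """
Packet I/O Totals:
   Received:            7
   Analyzed:            7 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12

Action Stats:
     Alerts:            7 (100.000%)
     Logged:            7 (100.000%)
     Passed:            0 (  0.000%)
Verdicts:
      Allow:            0 (  0.000%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 (100.000%)
     Ignore:            0 (  0.000%)
"""

DUMP_STATS = """
Packet I/O Totals:
   Received:           10
   Analyzed:           10 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           10

Action Stats:
     Alerts:            5 ( 50.000%)
     Logged:            5 ( 50.000%)
     Passed:            0 (  0.000%)
Verdicts:
      Allow:            0 (  0.000%)
      Block:            5 ( 50.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            5 ( 50.000%)
     Ignore:            0 (  0.000%)
"""

# One counter line: name, integer count, optional "(xx.xxx%)" suffix.
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(\d+)(?:\s+\(\s*[\d.]+%\))?\s*$")


def parse_snort_stats(text):
    """Return {section: {counter: int}} from Snort's shutdown statistics.

    A section header is a line ending in ':' with no value after it
    ("Packet I/O Totals:", "Verdicts:"); counters up to the next header belong to it.
    """
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.endswith(":"):
            current = stripped[:-1]
            sections.setdefault(current, {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip()] = int(m.group(2))
    return sections


def verdict_flags(stats):
    """Flag two things worth a second look in one run (hypothetical check names):
    blacklist verdicts returned while Block stayed at 0, and more packets
    injected (e.g. resets) than received."""
    io = stats.get("Packet I/O Totals", {})
    verdicts = stats.get("Verdicts", {})
    flags = {}
    if verdicts.get("Blacklist", 0) > 0 and verdicts.get("Block", 0) == 0:
        flags["blacklist_without_block"] = verdicts["Blacklist"]
    if io.get("Injected", 0) > io.get("Received", 0):
        flags["injected_exceeds_received"] = io["Injected"] - io["Received"]
    return flags


def compare_runs(a, b):
    """Return {(section, counter): (value_in_a, value_in_b)} for every counter that differs."""
    diffs = {}
    for section in sorted(set(a) | set(b)):
        for key in sorted(set(a.get(section, {})) | set(b.get(section, {}))):
            va, vb = a.get(section, {}).get(key), b.get(section, {}).get(key)
            if va != vb:
                diffs[(section, key)] = (va, vb)
    return diffs


if __name__ == "__main__":
    ipfw, dump = parse_snort_stats(IPFW_STATS), parse_snort_stats(DUMP_STATS)
    for name, run in (("ipfw", ipfw), ("dump", dump)):
        print(name, verdict_flags(run) or "no flags")
    for (section, key), (va, vb) in compare_runs(ipfw, dump).items():
        print(f"{section} / {key}: ipfw={va} dump={vb}")
```

Run as-is it prints the flags for each run and every counter that differs between them; to use it on your own runs, paste each Snort shutdown block into its own string (or read it from the log) and call parse_snort_stats on it.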
