[Snort-users] FreeBSD, snort does not block packets in inline mode

Dmitry z1nkum at ...11827...
Mon Oct 22 04:22:05 EDT 2012


Hello,

FreeBSD 9.0-RELEASE #0
snort-2.9.3.1
daq-1.1.1

Similar to http://seclists.org/snort/2011/q1/237 - Snort in inline mode 
works "strangely": it always logs to alert, but packets are not blocked.


ipfw divert:

divert 8100 tcp from any to any dst-port 80 in recv em0

Snort cmd:

snort -vQ -d -c /usr/local/etc/snort/snort.conf --daq ipfw --daq-var port=8100 -i em0 port 80

[em0] - interface to home net

Test rules:

drop tcp any any -> any 80 (msg:"test site req blocked 1"; content:"Host: ya.ru"; resp:rst_all; sid:112227; rev:1;)
drop tcp any any -> any 80 (msg:"test site req blocked 2"; content:"Host: ya.ru"; react:msg; sid:112228; rev:1;)

Alert logs:

[**] [1:112228:1] test site req blocked 2 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1  Ack: 0x69D405E0  Win: 0xFC00  TcpLen: 20

[**] [1:112227:1] test site req blocked 1 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1  Ack: 0x69D405E0  Win: 0xFC00  TcpLen: 20


Verbose log:
http://pastebin.com/dAmE4E8K

Config:
http://pastebin.com/Y2tEZiaJ

And on both interfaces I can't see any RST packets:

# tcpdump -ln -i em0 port 80 and 'tcp[13] & 4!=0'
# tcpdump -ln -i em1 port 80 and 'tcp[13] & 4!=0'


And no react page going back to the client (I've tried just the react rule, 
without resp:rst_all).

At the same time, if I don't use inline mode, I see the react page in ~50% of 
cases (as I understand, it depends on whose packet will arrive sooner).
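Added example (not from the post or from Snort): a Python parser for the full-format alert blocks quoted above, with a sample constructed from those two alerts. Decoding the flag field and grouping alerts by packet shows that both drop rules fired on the same request and that none of the logged packets carry RST, which is the first thing to check before looking at the DAQ.

```python
import re
from collections import defaultdict

# Constructed sample in Snort's "full" alert format, shaped after the two
# alerts quoted in the post (the redacted "x." octet is kept as written).
SAMPLE_ALERTS = """\
[**] [1:112228:1] test site req blocked 2 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1  Ack: 0x69D405E0  Win: 0xFC00  TcpLen: 20

[**] [1:112227:1] test site req blocked 1 [**]
[Priority: 0]
10/22-00:24:50.662505 x.170.99.178:3764 -> 93.158.134.3:80
TCP TTL:128 TOS:0x0 ID:57352 IpLen:20 DgmLen:396 DF
***AP*** Seq: 0x523F13F1  Ack: 0x69D405E0  Win: 0xFC00  TcpLen: 20
"""
# One regex per line of a full-format TCP alert; the [Priority: n] line is ignored.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+) ")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)")

def decode_flags(s):
    """Snort prints TCP flags in the fixed order 1 2 U A P R S F; '*' means unset."""
    return {c for c in s if c != "*"}

def parse_alerts(text):
    """Parse full-format alert blocks into dicts; blocks that do not match are skipped."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines() + [""] * 5  # pad so short blocks just fail to match
        h, f = HEADER_RE.match(lines[0]), FLOW_RE.match(lines[2])
        ip, t = IP_RE.match(lines[3]), TCP_RE.match(lines[4])
        if not (h and f and ip and t):
            continue
        alerts.append({"sid": int(h[2]), "rev": int(h[3]), "msg": h[4], "ts": f[1],
                       "src": f[2], "sport": int(f[3]), "dst": f[4], "dport": int(f[5]),
                       "ip_id": int(ip[4]), "flags": decode_flags(t[1]),
                       "seq": int(t[2], 16), "ack": int(t[3], 16)})
    return alerts

def group_by_packet(alerts):
    """Alerts sharing timestamp, 5-tuple, IP ID and seq fired on the same packet."""
    groups = defaultdict(list)
    for a in alerts:
        key = (a["ts"], a["src"], a["sport"], a["dst"], a["dport"], a["ip_id"], a["seq"])
        groups[key].append(a["sid"])
    return dict(groups)
```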