[Snort-users] Snort 2.9.6.2 inline mode problem

Debason Shockre demonsdebason at ...11827...
Sat Aug 23 23:02:13 EDT 2014


Hi all.
I've been working on my Snort IPS for some time now.
Noticed that 'drop' rules are working half-way, I have set the test rule to
drop ICMP coming to the sensor from local machine:
drop icmp 192.168.1.2 any -> 192.168.1.1 any (msg: "Test rule"; sid:110011;)

Alerts get logged and can view them via BASE, but when I ping from .2 to .1
I get this:
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1

: icmp_seq=1 ttl=64 time=0.216 ms
>From 192.168.1.1 icmp_seq=1 Destination Port Unreachable
64 bytes from 192.168.1.1

: icmp_seq=2 ttl=64 time=0.269 ms
>From 192.168.1.1 icmp_seq=2 Destination Port Unreachable
64 bytes from 192.168.1.1

: icmp_seq=3 ttl=64 time=0.221 ms

So some of them are getting 'blocked'.

When I shutdown Snort I's all fine:
64 bytes from 192.168.1.1

: icmp_seq=8 ttl=64 time=0.226 ms
64 bytes from 192.168.1.1

: icmp_seq=9 ttl=64 time=0.201 ms
64 bytes from 192.168.1.1

: icmp_seq=10 ttl=64 time=0.253 ms
64 bytes from 192.168.1.1

: icmp_seq=11 ttl=64 time=0.204 ms

Here is my info:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights
reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3
+++++++++++++++++++++++++++
snort    41104  4.6  2.0 1675528 1342832 ?     Ssl  04:48   0:00
/usr/sbin/snort -D -i eth1::eth2 -u snort -g snort -c /etc/snort/snort.conf
-Q --daq-mode inline -k none
+++++++++++++++++++++++++++
snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

++++++++++++++++++++++++++
snort.conf:

config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=1024


I've tried dropping all the ICMPs in the iptables, results are as expected,
but Snort still logs the alerts.
Do you have any idea what is the issue here?

-- 
Aut viam inveniam aut faciam
:wq!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140824/9033c65f/attachment.html>


More information about the Snort-users mailing list