[Snort-users] Snort inline mode problem

Y M snort at ...15979...
Sun Aug 24 01:34:03 EDT 2014

Date: Sun, 24 Aug 2014 05:02:13 +0200
From: demonsdebason at ...11827...
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort inline mode problem

Hi all.
I've been working on my Snort IPS for some time now. 
Noticed that 'drop' rules are working half-way, I have set the test rule to drop ICMP coming to the sensor from local machine:

drop icmp any -> any (msg: "Test rule"; sid:110011;)

Alerts get logged and can view them via BASE, but when I ping from .2 to .1 I get this:
PING ( 56(84) bytes of data.

64 bytes from : icmp_seq=1 ttl=64 time=0.216 ms
>From icmp_seq=1 Destination Port Unreachable

64 bytes from : icmp_seq=2 ttl=64 time=0.269 ms

>From icmp_seq=2 Destination Port Unreachable
64 bytes from : icmp_seq=3 ttl=64 time=0.221 ms

So some of them are getting 'blocked'.

When I shutdown Snort I's all fine:
64 bytes from : icmp_seq=8 ttl=64 time=0.226 ms
64 bytes from
 : icmp_seq=9 ttl=64 time=0.201 ms

64 bytes from : icmp_seq=10 ttl=64 time=0.253 ms
64 bytes from
 : icmp_seq=11 ttl=64 time=0.204 ms

Here is my info:

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 77) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team

           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05

           Using ZLIB version: 1.2.3
 41104  4.6  2.0 1675528 1342832 ?     Ssl  04:48   0:00 /usr/sbin/snort
 -D -i eth1::eth2 -u snort -g snort -c /etc/snort/snort.conf -Q 
--daq-mode inline -k none

# Looks like you have double colons "eth1::eth2", as opposed to one colon "eth1:eth2". Not sure if the double colons are causing the partial drops.

snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline

config daq_var: buffer_size_mb=1024

I've tried dropping all the ICMPs in the iptables, results are as expected, but Snort still logs the alerts.
Do you have any idea what is the issue here?
# Does Snort log the requests or replies or both? I would image if the NIC is promiscuous, then it would still see the requests. 

Aut viam inveniam aut faciam

Slashdot TV.  
Video for Nerds.  Stuff that matters.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news! 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140824/c6a64cb9/attachment.html>

More information about the Snort-users mailing list