[Snort-users] Snort IPS with one NIC revisited

Maxim hittlle at ...7427...
Thu Nov 24 03:07:34 EST 2016

Hi snort experts,
I come across a weird problem and need your help. I write the following rule to capture the bidirectional packets of the same session if the attacker trigger this rule
             alert tcp any any -> any 80 (msg:"bidirectional-packet-test";sid:10000001; rev:1; content:"test";http_uri; classtype: web-application-attack; flowbits: isnotset,foo;flowbits: set,foo;tag:session,exclusive;)
The purpose of this rule if to capture both the HTTP request and corresponding HTTP response packets. I launch snort as follows
              snort -c /etc/snort/snort.conf -D 
after that, I use postman to simulate a request to my target, then I checked snort.log, and I can see both the request and response packets as expected. Then I use postman to send the same 
HTTP request again, this time, I only see the request packet, but cannot find the response packet. Weird. Am I missing anything? Thanks.

At 2016-10-29 22:11:37, "Dave Corsello" <snort-users at ...15598...> wrote:

Many thanks, James.  I'll try this as soon as I'm able.

On 10/28/2016 4:44 PM, James Lay wrote:

Here we go!!!

Prereqs:  libdnet-1.12, daq configured with nfq (make sure you see "Build NFQ DAQ module....... : yes" at the end of your config run), snort installed somewhere (./configure --enable-sourcefire --enable-non-ether-decoders).

drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic"; sid:1000000; rev:1;)
drop icmp any any -> any any (msg:"ICMP"; sid:1000001; rev:1;)

Firewall script (safe to test if you're remotely ssh'd into a box like I was :) ):

$IPTABLES -F -t raw
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -F -t filter
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
$IPTABLES -t mangle -A OUTPUT -p icmp -j NFQUEUE --queue-num 1

Snort command (adjust as needed):
sudo /opt/snort/bin/snort -Q -A console --daq nfq --daq-var device=enp0s10 --daq-var queue=1 -c /opt/snort/etc/snort.conf -k none

my snort.conf was just about stock from the tarball save a couple path tweaks...I literally changed nothing else.  Screenshot showing workie:


The Command Line: Reinvented for Modern Developers
Did the resurgence of CLI tooling catch you by surprise?
Reconnect with the command line and become more productive. 
Learn the new .NET and ASP.NET CLI. Get your free copy!

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161124/e392a500/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Type: image/jpeg
Size: 87022 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161124/e392a500/attachment.jpe>

More information about the Snort-users mailing list