[Snort-users] More problems with packet normalization

C. L. Martinez carlopmart at gmail.com
Sun Dec 31 03:21:36 EST 2017


Hi all,

As I have described in a previous email, I have installed Snort 2.9.9.0p0 on an OpenBSD 6.2 host. After resolving how to apply the packet normalization policy in snort.conf, I have another problem: all downloads stall randomly.

 My startup flags for snort are: -D -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log --pid-path /log --no-interface-pidfile --nolock-pidfile -Q

 DaQ config is:

config policy_mode: inline
config daq: ipfw
config daq_dir: /usr/local/lib/daq/
config daq_mode: inline
config daq_var: port=9000

 Packet normalization policy:

preprocessor normalize_ip4
preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6

 OpenBSD's pf config for divert sockets is:

pass out quick inet proto tcp all flags S/SA keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 9000
pass out quick inet proto icmp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 9000
pass out quick inet proto udp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 9000

Snort is installed from OpenBSD's ports. Do I need to modify some option in the normalization or stream5 policy? (Stream5's policy is the default.)

Thanks.

-- 
Greetings,
C. L. Martinez
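Before touching the normalizer or stream5 options, it is worth confirming mechanically that the three pieces of configuration in the post above agree with each other: the pf divert-packet port must match the port handed to the ipfw DAQ, normalization has no effect unless daq_mode, policy_mode and the -Q flag all say inline, and a normalizer for a protocol pf never diverts simply sees no traffic. The checker below is an added example and is not part of the original post or of Snort; its regular expressions are a simplified approximation of the snort.conf and pf.conf syntax (an assumption, adequate for lines of the shape shown above), and the embedded configuration is copied from the post. It does not diagnose the stalled downloads themselves; it only rules out the plumbing mismatches.

```python
"""Consistency check between snort.conf DAQ/normalizer lines, pf divert-packet
rules and the Snort command line for an inline deployment on OpenBSD.

Added example, not part of the original post.  The sample configuration below
is copied from the post; the regexes are a simplified reading of the syntax.
"""
import re
import shlex

SNORT_CONF = """\
config policy_mode: inline
config daq: ipfw
config daq_dir: /usr/local/lib/daq/
config daq_mode: inline
config daq_var: port=9000
preprocessor normalize_ip4
preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
preprocessor normalize_icmp4
preprocessor normalize_ip6
preprocessor normalize_icmp6
"""

PF_CONF = """\
pass out quick inet proto tcp all flags S/SA keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 9000
pass out quick inet proto icmp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 9000
pass out quick inet proto udp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 9000
"""

SNORT_ARGS = ("-D -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort "
              "-l /var/snort/log --pid-path /log --no-interface-pidfile --nolock-pidfile -Q")


def parse_snort_conf(text):
    """Return (config dict, normalizer dict) from 'config k: v' and 'preprocessor normalize_*' lines."""
    config, normalizers = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\w+)\s*:\s*(.*)$", line)
        if m:
            config[m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"preprocessor\s+(normalize_\w+)(?::\s*(.*))?$", line)
        if m:
            opts = m.group(2) or ""
            normalizers[m.group(1)] = [o.strip() for o in opts.split(",") if o.strip()]
    return config, normalizers


def parse_pf_divert(text):
    """Return [(proto, port), ...] for every pf rule that carries 'divert-packet port N'."""
    rules = []
    for line in text.splitlines():
        m = re.search(r"\bproto\s+(\w+)\b.*\bdivert-packet\s+port\s+(\d+)", line)
        if m:
            rules.append((m.group(1), int(m.group(2))))
    return rules


def check_deployment(snort_conf, pf_conf, snort_args):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    config, normalizers = parse_snort_conf(snort_conf)
    divert = parse_pf_divert(pf_conf)
    args = shlex.split(snort_args)

    # 1. pf divert-packet feeds the ipfw DAQ, and the port must be the same on both sides.
    daq_var = dict(kv.split("=", 1) for kv in config.get("daq_var", "").split() if "=" in kv)
    daq_port = int(daq_var.get("port", -1))
    pf_ports = {port for _, port in divert}
    if config.get("daq") != "ipfw":
        findings.append(f"daq is {config.get('daq')!r}; pf divert-packet needs the ipfw DAQ")
    if not divert:
        findings.append("no pf rule diverts packets to Snort")
    elif pf_ports != {daq_port}:
        findings.append(f"daq_var port={daq_port} but pf diverts to port(s) {sorted(pf_ports)}")

    # 2. Normalizers only act inline: daq_mode, policy_mode and -Q must all agree.
    if normalizers:
        if config.get("daq_mode") != "inline":
            findings.append("normalizers configured but daq_mode is not inline")
        if config.get("policy_mode") != "inline":
            findings.append("normalizers configured but policy_mode is not inline")
        if "-Q" not in args:
            findings.append("normalizers configured but Snort is not started with -Q")

    # 3. A normalizer for a protocol that pf never diverts never sees a packet.
    diverted = {proto for proto, _ in divert}
    for name in normalizers:
        proto = name.split("_", 1)[1].rstrip("46")   # normalize_icmp4 -> 'icmp', normalize_tcp -> 'tcp'
        if proto in ("tcp", "udp", "icmp") and proto not in diverted:
            findings.append(f"{name} configured but pf never diverts proto {proto}")
    return findings


if __name__ == "__main__":
    for finding in check_deployment(SNORT_CONF, PF_CONF, SNORT_ARGS) or ["configuration is consistent"]:
        print(finding)
```

For the configuration in the post the checker reports nothing, which confirms that the stall is not a port or mode mismatch between pf and the DAQ; editing the embedded strings (a different divert port, a missing -Q, a pf rule set without the icmp lines) makes it report the corresponding finding.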

