Home page logo
/

snort logo Snort mailing list archives

Re: preprocessor drop packets issues
From: "Ed Borgoyn (eborgoyn)" <eborgoyn () cisco com>
Date: Tue, 10 Dec 2013 19:03:47 +0000

Hello Han,
  Are you sure the Active_DropPacket() is being called?  Can you see this via a LogMessage() or perhaps the debugger?

  Are you configured to be in INLINE mode?  This is necessary to permit Snort to drop packets.

 Is all traffic being forwarded and you are not seeing the port==80 packets dropped?  Is this your observation?

    Ed


From: Han Zhang <zhanghan0116 () gmail com<mailto:zhanghan0116 () gmail com>>
Date: Friday, December 6, 2013 8:04 PM
To: "snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>" <snort-devel () lists 
sourceforge net<mailto:snort-devel () lists sourceforge net>>
Subject: [Snort-devel] preprocessor drop packets issues


Hi all,

         I'm currently writing a Snort preprocessor, which tries to drop some
packets before it goes to the detection engine and triggers any rules. I tried function Active_DropPacket(); but it 
doesn't work.

         I attached my code here, for test purpose, this code just drop all the HTTP packets. I could see output "Got a 
packet", which means this preprocessor was called. But it did not drop any HTTP packet. Was I using a wrong function to 
drop the packet? Any comment is appreciate.

static void Detection(Packet *p, void *context)
{

    TestConfig *entropy = NULL;

    LogMessage("Got a packet\n");
    sfPolicyUserPolicySet (entropy_config, getRuntimePolicy());
    entropy = (EntropyConfig *)sfPolicyUserDataGetCurrent(entropy_config);

    /* Not configured in this policy */
    if (entropy == NULL)
        return;

    if(p->sp == 80)
    {
            Active_DropPacket();
            //Active_ForceDropPacket();
            //Active_ForceDropAction(p);
            //Active_ForceDropSession();
    }
    return;
}

--
Thanks
Han

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]