Home page logo
/

snort logo Snort mailing list archives

Re: preprocessor drop packets issues
From: Han Zhang <zhanghan0116 () gmail com>
Date: Tue, 10 Dec 2013 12:29:29 -0700

Hi Ed,

    Thank you for your reply.

    You are right, I need to run Snort in inline mode. Besides that, there
are two related functions I need to call, DisableAllDetect()
and Active_DropPacket().

    Function Active_DropPacket is used to drop the packets. When snort runs
as inline mode, the packets that are not dropped can be stored in the file
specified by "--daq-var file" from the command line.
    Function DisableAllDetect is used to disable the other detectors in
preprocessor as well as the rules in detection engine. If I don't use this
function, the dropped packets in preprocessor still go to the detection
engine and trigger the alerts, which is not I want to see.

    Finally, I solved the problem by calling these two functions

    Tons of thanks for your help.

Han




On Tue, Dec 10, 2013 at 12:03 PM, Ed Borgoyn (eborgoyn)
<eborgoyn () cisco com>wrote:

 Hello Han,
  Are you sure the Active_DropPacket() is being called?  Can you see this
via a LogMessage() or perhaps the debugger?

   Are you configured to be in INLINE mode?  This is necessary to permit
Snort to drop packets.

  Is all traffic being forwarded and you are not seeing the port==80
packets dropped?  Is this your observation?

     Ed


  From: Han Zhang <zhanghan0116 () gmail com>
Date: Friday, December 6, 2013 8:04 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net

Subject: [Snort-devel] preprocessor drop packets issues


 Hi all,

          I'm currently writing a Snort preprocessor, which tries to drop
some
packets before it goes to the detection engine and triggers any rules. I
tried function Active_DropPacket(); but it doesn't work.

         I attached my code here, for test purpose, this code just drop
all the HTTP packets. I could see output "Got a packet", which means this
preprocessor was called. But it did not drop any HTTP packet. Was I using a
wrong function to drop the packet? Any comment is appreciate.

 static void Detection(Packet *p, void *context)
{

    TestConfig *entropy = NULL;

     LogMessage("Got a packet\n");
    sfPolicyUserPolicySet (entropy_config, getRuntimePolicy());
    entropy = (EntropyConfig *)sfPolicyUserDataGetCurrent(entropy_config);

     /* Not configured in this policy */
    if (entropy == NULL)
        return;

     if(p->sp == 80)
    {
            Active_DropPacket();
            //Active_ForceDropPacket();
            //Active_ForceDropAction(p);
            //Active_ForceDropSession();
    }
    return;
}

 --
Thanks
Han




-- 
Thanks
Han
------------------------------------------------------------
Department of Computer Science
Colorado State University
Fort Collins, CO, USA
------------------------------------------------------------
------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]