Snort mailing list archives
packet modifications not working
From: eboehnlein () aol com
Date: Tue, 31 May 2005 10:56:24 -0400
Problem: snort_inline modified packets are not being forwarded; instead it appears the original unaltered packet is
being forwarded. Also, drop packet rules, when triggered, make either snort_inline and/or the sending workstation
hang.
Background:
Running Suse linux 9.0 (i586) - Kernel 2.4.30
with patch ebtables-brnf-9_vs_2.4.30.diff
iptables-1.2.8
libpcap-0.8.3
pcre-5.0
libnet-1.0.2a
snort-2.3.3
--- snort NID with the above configuration works at this point: rules are triggered and events are logged --- then
include the following ---
iptables-1.3.1
bridge-utils-1.0.4
snort_inline-2.3.0-RC1
bridge script to define bridge [eth1+eth2]=br0
## clear iptables
$IPTABLES -F
$IPTABLES -A FORWARD -j QUEUE
## turn forwarding off
$ECHO 0 > /proc/sys/net/ipv4/ip_forward
The ip queue module is loaded by executing:
insmod ip_queue
Start snort
>snort_inline -v -Q -c /etc/snort_inline/snort_inline.conf
--- at this point snort inline is active and traffic is passing through bridge both directions --alerts are logged --
replace and drop not working but actions are logged ++
-----------------------------------------------------
Snort rules are defined to trigger on a HTTP query from a network:
+ Alert when any HTTP traffic is sent from workstation segment -- successfully alerts and logs.
+ Alert and replace content when a specific word is being used -- successfully alerts and logs.
Symptoms: [Verified using traces and dumps]
+ all unaltered traffic flows both ways over the bridge
+ snort_inline alert rules are triggered and logged - (using content rules)
+ snort_inline alert/replace rules are triggered and logged; however, it appears that it is the original (unaltered)
packet that is being forwarded.
I suspect that snort_inline (via libnet) is not handling the modified packet correctly. I have recompiled and
reconfigured the kernel and all the software several times with no apparent errors being generated.
Any thoughts how to proceed from here?
Ed
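As an added check (not from the post and not snort_inline's own code): snort_inline's replace keyword patches the payload in place, so the replacement must be exactly as long as the matched content. The script below decodes Snort content strings (including |hex| runs and backslash escapes) and flags replace rules whose lengths differ; the rules and the 192.168.10.0/24 workstation segment are constructed samples.

```python
import re

# Constructed sample rules in the spirit of the post: alert on HTTP from the
# workstation segment, and alert-and-replace a specific word in the request.
SAMPLE_RULES = r'''
alert tcp 192.168.10.0/24 any -> any 80 (msg:"HTTP from workstations"; content:"GET "; sid:1000001; rev:1;)
alert tcp 192.168.10.0/24 any -> any 80 (msg:"replace word"; content:"secret"; replace:"public"; sid:1000002; rev:1;)
alert tcp 192.168.10.0/24 any -> any 80 (msg:"bad replace"; content:"secret"; replace:"xx"; sid:1000003; rev:1;)
alert tcp 192.168.10.0/24 any -> any 80 (msg:"hex content"; content:"|53|ecret"; replace:"public"; sid:1000004; rev:1;)
'''

# Quoted option values may contain escaped quotes, so match them non-greedily.
_QUOTED_OPT = re.compile(r'(\w+)\s*:\s*"((?:[^"\\]|\\.)*)"')
_SID = re.compile(r'\bsid\s*:\s*(\d+)')


def content_bytes(spec: str) -> bytes:
    """Decode a Snort content string: |..| runs are hex bytes, everything else
    is literal text where a backslash escapes the next character (\\ \" \; \| \:)."""
    out = bytearray()
    i, n = 0, len(spec)
    while i < n:
        ch = spec[i]
        if ch == "\\" and i + 1 < n:
            out.append(ord(spec[i + 1]))
            i += 2
        elif ch == "|":
            end = spec.index("|", i + 1)        # ValueError if the hex run is unterminated
            out += bytes.fromhex(spec[i + 1:end].replace(" ", ""))
            i = end + 1
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


def check_replace_rules(rules_text: str) -> list:
    """Return (sid, content_len, replace_len, ok) for every rule carrying a
    replace option; ok is False when the replacement length differs."""
    results = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SID.search(line)
        sid = m.group(1) if m else "?"
        last_content = None                      # replace applies to the preceding content
        for key, val in _QUOTED_OPT.findall(line):
            if key == "content":
                last_content = content_bytes(val)
            elif key == "replace":
                rep = content_bytes(val)
                clen = len(last_content) if last_content is not None else 0
                results.append((sid, clen, len(rep), last_content is not None and clen == len(rep)))
    return results
```

Running check_replace_rules over the sample rules reports sid 1000003 as a mismatch (6 bytes of content against a 2-byte replacement) and the other replace rules as consistent.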
