Snort mailing list archives
Re: snort with daq inline mode problem
From: "Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>
Date: Tue, 3 Apr 2018 04:33:02 +0000
TCP resets are not good for attempting to stop a session in progress, since you are essentially creating a race condition, hoping the RST gets to the machine in question before the ACK packet does. Our stance has been, and will remain, that you use Snort in IPS mode and simply drop the connection.

--
Joel Esler
Manager Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com

On Mar 31, 2018, at 4:14 AM, pawelsw1 () o2 pl wrote:

> Hello,
>
> I have a problem with Snort. I see in the log that it is dropping the connection, but the TCP reset is sent after the operation is completed (create or drop table in the database). I have a rule that checks whether a table in the database is dropped or created. Could you help me?
>
> drop tcp any any -> any 3306 (msg:"Block SQL Command : CREATE TABLE"; flow:from_client,established; content: "CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052203)
>
> snort -c /etc/snort/snort.conf -Q -i eth0:eth1 -A console
>
> [ Number of patterns truncated to 20 bytes: 0 ]
> afpacket DAQ configured to inline.
> Acquiring network traffic from "eth0:eth1".
> Reload thread starting...
> Reload thread started, thread 0x7f393bb31700 (11945)
>
> --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.11.1 GRE (Build 268)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
>            Copyright (C) 2014-2017 Cisco and/or its affiliates. All rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.5.3
>            Using PCRE version: 8.32 2012-11-30
>            Using ZLIB version: 1.2.7
>
> Rules Engine: SF_SNORT_DETECTION_ENGINE Version 3.0 <Build 1>
> Preprocessor Object: SF_SSH Version 1.1 <Build 3>
> Preprocessor Object: SF_SMTP Version 1.1 <Build 9>
> Preprocessor Object: SF_SIP Version 1.1 <Build 1>
> Preprocessor Object: SF_SDF Version 1.1 <Build 1>
> Preprocessor Object: SF_REPUTATION Version 1.1 <Build 1>
> Preprocessor Object: SF_POP Version 1.0 <Build 1>
> Preprocessor Object: SF_MODBUS Version 1.1 <Build 1>
> Preprocessor Object: SF_IMAP Version 1.0 <Build 1>
> Preprocessor Object: SF_GTP Version 1.1 <Build 1>
> Preprocessor Object: SF_SSLPP Version 1.1 <Build 4>
> Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 13>
> Preprocessor Object: SF_DNS Version 1.1 <Build 4>
> Preprocessor Object: SF_DNP3 Version 1.1 <Build 1>
> Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 3>
> Commencing packet processing (pid=11936)
> Decoding Ethernet
>
> 03/30-22:13:04.167644 [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.0.0.19:63496 -> 10.0.0.17:3306
> 03/30-22:13:04.167633 [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.100.64.8:63496 -> 10.7.159.14:3306
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
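A small check for the situation in this thread, added here as an example and not code from the thread or the Snort project: it parses Snort 2.9 "-A console" alert lines like the ones quoted above and reports, per SID, how many matches carried the [Drop] tag versus how many were only alerted on, which is the first thing to look at when a rule that should block a query still lets it complete. The sample lines are constructed after the poster's log (the CREATE TABLE line is invented), and the script assumes that only a literal [Drop] tag means the packet was blocked inline.

```python
import re
from collections import Counter

# Constructed sample of Snort 2.9 "-A console" output modelled on the thread's
# lines; the CREATE TABLE line is invented to show a match with no [Drop] tag.
SAMPLE_LOG = """\
03/30-22:13:04.167644 [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.0.0.19:63496 -> 10.0.0.17:3306
03/30-22:13:04.167633 [Drop] [**] [1:65000004:0] Block SQL Command : DROP TABLE [**] [Priority: 0] {TCP} 10.100.64.8:63496 -> 10.7.159.14:3306
03/30-22:14:10.001122  [**] [1:2015052203:0] Block SQL Command : CREATE TABLE [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.19:63500 -> 10.0.0.17:3306
"""

# One alert line: timestamp, optional [Action] tag (only printed when Snort
# took an inline action), [gid:sid:rev], message, optional classification,
# priority, protocol and the 5-tuple.
CONSOLE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<action>\w+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_console_line(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = CONSOLE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Only a literal [Drop] tag means the packet was blocked inline; no tag
    # (passive mode) or any other tag is treated here as not enforced.
    rec["enforced"] = rec["action"] == "Drop"
    return rec

def summarize(log_text):
    """Per SID, count matches that were dropped versus merely alerted on."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_console_line(line)
        if rec is not None:
            counts = summary.setdefault(rec["sid"], Counter())
            counts["drop" if rec["enforced"] else "alert_only"] += 1
    return summary

def unenforced_sids(log_text):
    """SIDs with at least one match the sensor did not block: the rules to
    check first when a query that should have been blocked still completes."""
    return sorted(sid for sid, c in summarize(log_text).items() if c["alert_only"])
```

Run it over a saved console log to confirm every match of your blocking rule shows up as a drop; a match logged without the tag means the sensor alerted but did not block, regardless of the rule's action keyword.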
Current thread:
- Re: snort with daq inline mode problem Joel Esler (jesler) via Snort-users (Apr 02)
- Odp: Re: snort with daq inline mode problem pawelsw1 (Apr 03)
