From: Rob M. <rv...@ca...> - 2003-11-28 23:55:17
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I'm sorry, I knew that the preprocessors didn't block packets, I just
> didn't realize that the config variables were considered preprocessors
> (such as)
>
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_ttcp_alerts
> etc.
>
> What would it take to make these drop packets? Would it be a lot of work?

It depends on your knowledge of snort. This is basically what you have to do to make a preproc drop.

1. Find the source file you want to modify.
2. Include inline.h.
3. Find the location where the preproc identifies what you want to drop.
4. Add one of the following function calls, depending on what you want to do:
   a. InlineDrop();           <-- this drops the packet and logs
   b. InlineReject(Packet *); <-- this drops the packet, sends a reset, and logs
5. Recompile the source:
   a. make clean
   b. make
   c. make install
6. If everything works as planned, send the patch to rv...@ca... or to this mail list so it can be considered for inclusion into snort_inline.
7. (optional) Consider making the preproc you modified accept an argument so it does what you just modified above as well as acting as it was originally intended to work. For example:
   a. (regular operation): preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
   b. (let's drop):         preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60, drop
   c. (let's reject):       preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60 reject

This would make it much easier to integrate into the snort source.

Also, I surround all modifications to the original snort source with

#ifdef GIDS
modifications
#endif

Again, this will make it easier in the future to integrate with the snort source tree.
As soon as I finish working on a project for the Honeynet project, I will update snort_inline to snort version 2.0.5, and I will include drop capability for the portscan, portscan2, and arpspoof preprocs. Please let me know if there are any preprocs which you guys think would be good additions. Please consider possible false alarm rates, because this would mean drops or rejects of packets every time such an event occurs.

Rob

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBP8fkfPnAyY+9KLjdEQIwuACePEQUJm8N6hobfMUl5wfCVQlzxMAAoMlq
YdhEj/iO3HYbIgbt01GvjTP+
=dY9t
-----END PGP SIGNATURE-----
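An added example, not code from snort_inline or from the poster, of the "preproc accepts a drop/reject argument" idea in step 7 together with the #ifdef GIDS wrapping from the message. It models a portscan2-style argument parser that accepts the three config lines shown above (including the comma-less "timeout 60 reject" form) and an event hook that only calls the inline functions when GIDS is defined. InlineDrop() and InlineReject(Packet *) are the names the message gives; their bodies here are stand-ins that record a verdict on the packet instead of talking to ip_queue, and the Packet fields, ps_config_t, ps_parse_args and ps_scan_detected are assumptions for the sake of a self-contained file.

```c
/* Added example: models snort_inline's "drop"/"reject" preproc argument.
 * Everything except the InlineDrop()/InlineReject(Packet *) names is assumed. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GIDS 1  /* assumption: snort_inline's build flag; remove to get stock-snort behaviour */

typedef enum { VERDICT_ACCEPT = 0, VERDICT_DROP, VERDICT_REJECT } verdict_t;

/* Minimal stand-in for snort's Packet: only the fields this example needs. */
typedef struct {
    const char *src;
    verdict_t verdict;   /* assumption: where the inline layer would read the verdict */
} Packet;

#ifdef GIDS
/* Stand-ins for inline.h: the real functions set state consumed by the
 * ip_queue verdict code; these just mark the packet so the file runs alone. */
static Packet *g_current;                      /* InlineDrop() takes no argument */
static void InlineDrop(void) { if (g_current) g_current->verdict = VERDICT_DROP; }
static void InlineReject(Packet *p) { p->verdict = VERDICT_REJECT; }
#endif

typedef enum { PS_ALERT = 0, PS_DROP, PS_REJECT } ps_action_t;

typedef struct {
    long scanners_max, targets_max, target_limit, port_limit, timeout;
    ps_action_t action;  /* what to do on top of alerting when a scan is seen */
} ps_config_t;

/* Parse "scanners_max 256, targets_max 1024, ..., drop" (commas optional, so
 * "timeout 60 reject" also works). Returns 0 on success, -1 on an unknown
 * keyword, a keyword without a value, or a bad number. */
static int ps_parse_args(const char *args, ps_config_t *cfg)
{
    char buf[512], *w;
    memset(cfg, 0, sizeof *cfg);
    cfg->action = PS_ALERT;
    if (strlen(args) >= sizeof buf) return -1;
    strcpy(buf, args);
    for (w = strtok(buf, ", \t"); w; w = strtok(NULL, ", \t")) {
        long *slot;
        char *end;
        if (strcmp(w, "drop") == 0)   { cfg->action = PS_DROP;   continue; }
        if (strcmp(w, "reject") == 0) { cfg->action = PS_REJECT; continue; }
        if      (!strcmp(w, "scanners_max")) slot = &cfg->scanners_max;
        else if (!strcmp(w, "targets_max"))  slot = &cfg->targets_max;
        else if (!strcmp(w, "target_limit")) slot = &cfg->target_limit;
        else if (!strcmp(w, "port_limit"))   slot = &cfg->port_limit;
        else if (!strcmp(w, "timeout"))      slot = &cfg->timeout;
        else return -1;                              /* unknown keyword */
        w = strtok(NULL, ", \t");
        if (!w) return -1;                           /* keyword without a value */
        *slot = strtol(w, &end, 10);
        if (*end != '\0' || *slot < 0) return -1;    /* not a non-negative integer */
    }
    return 0;
}

/* The hook at the point where the preproc has identified a scan (step 3).
 * Without GIDS it only alerts, exactly as stock snort would. */
static verdict_t ps_scan_detected(const ps_config_t *cfg, Packet *p)
{
    p->verdict = VERDICT_ACCEPT;
    /* alert generation would happen here in both builds */
#ifdef GIDS
    g_current = p;
    switch (cfg->action) {
    case PS_DROP:   InlineDrop();    break;   /* drops the packet and logs */
    case PS_REJECT: InlineReject(p); break;   /* drops, sends a reset, and logs */
    case PS_ALERT:  break;
    }
#endif
    return p->verdict;
}

int main(void)
{
    /* constructed config lines: the three forms from the message */
    const char *lines[] = {
        "scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60",
        "scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60, drop",
        "scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60 reject",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        ps_config_t cfg;
        Packet p = { "10.0.0.5", VERDICT_ACCEPT };   /* constructed packet */
        if (ps_parse_args(lines[i], &cfg) != 0) { printf("bad args: %s\n", lines[i]); continue; }
        printf("timeout=%ld action=%d -> verdict %d\n",
               cfg.timeout, cfg.action, ps_scan_detected(&cfg, &p));
    }
    return 0;
}
```

The parser is deliberately strict about unknown keywords so that a typo in the snort.conf line fails at startup rather than silently leaving the preproc in alert-only mode, which is the failure a drop-capable preproc should not have.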