From: Josh B. <jos...@li...> - 2004-10-20 21:22:00
You are only giving snort_inline one side of the connection, the return SYN/ACK from the server. You probably just need to configure the state tracking correctly, see the README files for this.

> Hi Everybody,
>
> I'm getting a problem with filtering tcp packets through snort_inline.
>
> snort_inline is working properly and the drop and replace actions
> are working properly on icmp packets, for icmp packets I have put an
> iptables rule,
>
> iptables -A INPUT -p icmp -d 192.168.1.11/32 -j QUEUE
>
> I have given the same iptables rule for tcp packets,
>
> iptables -A INPUT -p tcp --sport 80 -d 192.168.1.11/32 -j QUEUE
>
> and I have also added an alert rule in the local.rules file,
>
> alert tcp any 80 -> 192.168.1.11/32 any (msg:"HTTP Protocol Active";)
>
> and I am giving the command,
>
> snort_inline -Qdvc /etc/snort_inline.conf -l /var/log/snort
>
> as per the given 'd' and 'v' options I got output on the console as below for
> tcp packets,
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/20-16:04:57.988479 66.102.9.104:80 -> 192.168.11.5:32854
> TCP TTL:62 TOS:0x0 ID:39096 IpLen:20 DgmLen:64 DF
> ***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
> TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277264730 2389497
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/20-16:04:58.648405 66.102.9.104:80 -> 192.168.11.5:32853
> TCP TTL:62 TOS:0x0 ID:43192 IpLen:20 DgmLen:64 DF
> ***A**S* Seq: 0x3A3C271A Ack: 0xE8ACA1CA Win: 0x4470 TcpLen: 44
> TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277264796 2384757
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 10/20-16:05:03.975030 66.102.9.104:80 -> 192.168.11.5:32854
> TCP TTL:62 TOS:0x0 ID:45496 IpLen:20 DgmLen:64 DF
> ***A**S* Seq: 0x636D1F89 Ack: 0xED7F232A Win: 0x4470 TcpLen: 44
> TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP TS: 277265328 2390697
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> Here we can see that only tcp packets with the SYN and ACK flags set are coming
> into the picture; I can't find any packets other than those.
>
> Please tell me where I am wrong?
>
> Thanks in Advance.
>
> --
> Yogdutt Sonivadia
> Apropos Infotech Pvt. Ltd.
> Bangalore,
> India
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out
> more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
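The one-sided rule in the quoted post queues only packets arriving from port 80 to the host (the server's SYN/ACK and replies), so the client's own SYN, ACK and request never reach snort_inline and the stream cannot be tracked. The script below is an added example, not code from the thread or from the snort_inline project: it shows the posted rule next to the two-direction version, a FORWARD-chain variant for a sensor that sits in front of the host instead of on it, and a small check that reads a rule listing and reports which direction is missing. The host 192.168.1.11 and port 80 are the values from the quoted rule; the `IPT` variable and the helper function names are assumptions made for this example, and setting `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes snort_inline runs on the
# protected host itself, so locally terminated traffic crosses INPUT and OUTPUT.
# 192.168.1.11 and port 80 come from the quoted iptables rule.
# Set IPT=echo for a dry run that prints the rules instead of applying them.
IPT="${IPT:-iptables}"

# The rule as posted: only server->client packets (from port 80, to the host)
# reach the QUEUE target; client->server packets are never queued.
queue_one_side() {
    host="$1"; port="$2"
    "$IPT" -A INPUT -p tcp --sport "$port" -d "$host" -j QUEUE
}

# Both directions: the mirror rule on OUTPUT queues the host's own SYN, ACK
# and request as well, so snort_inline sees the whole connection.
queue_both_sides() {
    host="$1"; port="$2"
    "$IPT" -A INPUT  -p tcp --sport "$port" -d "$host" -j QUEUE
    "$IPT" -A OUTPUT -p tcp --dport "$port" -s "$host" -j QUEUE
}

# Sensor deployed as a bridge/router in front of the host: traffic is
# forwarded rather than delivered locally, so both rules belong on FORWARD.
queue_both_sides_forward() {
    host="$1"; port="$2"
    "$IPT" -A FORWARD -p tcp --sport "$port" -d "$host" -j QUEUE
    "$IPT" -A FORWARD -p tcp --dport "$port" -s "$host" -j QUEUE
}

# Check a rule listing (the dry-run output above, or `iptables -S` output in
# the same "-d host -j QUEUE" form) for a QUEUE rule in each direction.
# Returns 0 only if both exist; otherwise prints which direction is missing.
check_both_directions() {
    rules="$1"; host="$2"; port="$3"
    to_host=$(printf '%s\n' "$rules" | grep -cF -- "--sport $port -d $host -j QUEUE" || true)
    from_host=$(printf '%s\n' "$rules" | grep -cF -- "--dport $port -s $host -j QUEUE" || true)
    rc=0
    [ "$to_host" -gt 0 ]   || { echo "missing: server->client (to $host:$port) is not queued"; rc=1; }
    [ "$from_host" -gt 0 ] || { echo "missing: client->server (from $host to port $port) is not queued"; rc=1; }
    return $rc
}

# Dry-run demonstration: the posted rule fails the check, the paired rules pass.
if [ "$IPT" = echo ]; then
    echo "== rule as posted =="
    check_both_directions "$(queue_one_side 192.168.1.11 80)" 192.168.1.11 80
    echo "== both directions =="
    check_both_directions "$(queue_both_sides 192.168.1.11 80)" 192.168.1.11 80 \
        && echo "ok: both directions queued"
fi
```

Run it as `IPT=echo sh queue_check.sh` to see the two rule sets and the check result without touching the running firewall; drop `IPT=echo` to apply the rules. Queueing both directions is what lets snort_inline's stream tracking pair the client's packets with the server's SYN/ACK seen in the quoted dump.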