IPS mode of snort3 is not dropping traffic

I have snort3 running on my router configured in IPS mode. Based on a post by @xxxx in this thread, I wanted to see that the setup was actually blocking rule hits.

My test was to create the following rule and then simply run ping www.google.com.

alert icmp any any <> any any (msg:"TEST ALERT"; icode:0; itype:8; sid:10000010; rev:001;)

I expected the ping traffic to time out, but it did not. Snort did record it in the log, so I believe that the rule is valid. Why is snort not blocking this traffic?

Note - I tried both 'drop' and 'reject' for the action_override and neither gave the desired effect of stopping the ping traffic.

For reference, here are my config files:

/etc/snort/snort
config snort 'snort'
	option config_dir '/etc/snort/'
	option interface 'eth0:eth1'
/etc/snort/homenet.lua
HOME_NET = [[ 10.9.8.0/24 10.9.7.0/24 10.9.6.0/24 10.9.5.0/24 ]]
/etc/snort/local.lua
snort = {}
snort["-Q"] = true

ips = {
  mode = inline,
  variables = default_variables,
  action_override = 'drop',
  --action_override = 'reject',
  include = RULE_PATH .. '/snort.rules',
}

daq = {
  module_dirs = {
    '/usr/lib/daq',
  },
  modules = {
    {
      name = 'afpacket',
      mode = 'inline',
    }
  }
}

output.logdir = '/mnt/mmcblk0p3'
alert_fast = {
	file = true,
	packet = false,
}

normalizer = {
  tcp = {
    ips = true,
  }
}

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}
1 Like

Yes, this is a problem. Reject works, but only with TCP traffic, because the reset that Snort sends causes the connection to collapse; ICMP and UDP do not have such a thing, so their traffic goes through. You can also test with the reputation module: there you can see that ICMP goes through to the blocked IP, but connections with the browser are reset.
The problem is that the FW4 firewall is obviously bypassing afpacket. I could easily tell by using the same blocklist in Snort and banIP: both showed the same IP block at the same time, but only banIP really blocked it. It seems that Snort only gets a copy of the data stream while the actual data stream remains untouched.

Wow, that seems like a serious gap. Is there a configuration that would allow a fully functional IPS mode?

EDIT: I see your reply in the other thread, Snort3 - How can I configure it? - #39 by xxxx

I am deep in the weeds here, running off on tangents and trying (and failing) at all sorts of configuration. I'm using John's single rule from the first post as my ruleset, and pinging the router (VM) on its wan interface.

local.lua
config   = 'IPS'      -- 'IDS' or 'IPS'
pipeline = 'afpacket' -- 'afpacket' or 'nfq'

if config == 'IDS' then
  mode   = tap
  action = 'alert'
else
  mode   = inline
  snort  = { ['-Q'] = true }
  action = 'block'  -- 'block' or 'drop' or 'reject' or ???
end

if pipeline == 'afpacket' then
  inputs = { 'eth0', 'br-lan' }
  vars   = {}
else
  inputs = { '4', '5', '6' } -- to match queue numbers in 'inet snort' table
  vars   = { 'device=eth0', 'queue_maxlen=8192', }
end

--------------------------------------------------------------------------------

ips = {
  mode            = mode,
  variables       = default_variables,
  action_override = action,
  include         = RULE_PATH .. '/snort.rules',
}

daq = {
  inputs      = inputs,
  module_dirs = { '/usr/lib/daq', },
  modules     = {
    {
      name = pipeline,
      mode = mode,
      variables = vars,
    }
  }
}

snort-table.sh
#!/bin/sh

verbose=false

disable_offload()
{
    # From https://forum.openwrt.org/t/snort-3-nfq-with-ips-mode/161172
    # https://blog.snort.org/2016/08/running-snort-on-commodity-hardware.html
    local wan=$(uci get network.wan.device)
    if ethtool -k $wan | grep -q -E '(tcp-segmentation-offload|receive-offload): on' ; then
        ethtool -K $wan   gro off   lro off   tso off  2> /dev/null
    fi
}
disable_offload


nft list tables | grep -q 'snort' && nft flush table inet snort

nft -f - <<TABLE
    table inet snort {
        chain IPS {
            type filter hook forward priority filter; policy accept;
            counter  queue flags bypass to 4-6
        }
    }
TABLE

$verbose && nft list table inet snort

exit 0

From WS = 10.1.1.186, I ping -c4 router.

  • IDS + afpacket - WS gets 4 responses; router shows four alerts in the log file. Completely as expected.

  • IPS + afpacket - WS gets 4 responses; router shows one alert. Should not have gotten responses. If I change action from block to drop, I see 4 and 4, just like with IDS...

  • IDS + nfq - WS gets 4 responses; router shows nothing. Bad.

  • IPS + nfq - Same as IDS + nfq. Bad.

Also of note is that the counter always shows zero, meaning I've got something broken in my nfq implementation somewhere, it's simply never passing packets to snort...

# nft list chain inet snort IPS
table inet snort {
        chain IPS {
                type filter hook forward priority filter; policy accept;
                counter packets 0 bytes 0 queue flags bypass to 4-6
        }
}

Give me some configs to try and I'll run them through the wringer...

AHA. If I put the queue on the input chain with action=block, then

  • IDS + nfq - WS 4x response, router shows 4x alerts. YES.
  • IPS + nfq - WS 4x timeout. Router shows a single alert. YES.

Also, finally proof that queue is used:

# nft list chain inet snort IPS
table inet snort {
        chain IPS {
                type filter hook input priority mangle; policy accept;
                counter packets 148 bytes 27901 queue flags bypass to 4-6
        }
}

Doing any ping from router passes through unscathed, though... Maybe I need to use the prerouting chain???

See Fig 1: https://wiki.nftables.org/wiki-nftables/index.php/Flowtables

@efahl -

EDIT: I believe I have it running but snort isn't doing anything as far as I can tell

  • I see very tiny CPU usage with show kernel threads.
  • My rule to match ICMP ping isn't even getting tripped.

# cat /etc/snort/rules/test.rules
alert icmp any any <> any any (msg:"TEST ALERT"; icode:0; itype:8; sid:10000010; rev:001;)

System is RPi4. Internal NIC eth0 is LAN facing and USB NIC eth1 is WAN facing.

Running snort like this:
# snort -c /etc/snort/snort.lua --tweaks local
--------------------------------------------------
o")~   Snort++ 3.1.62.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading homenet.lua:
Finished homenet.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading local.lua:
Finished local.lua:
	snort
	ssh
	host_cache
	pop
	so_proxy
	stream_tcp
	mms
	smtp
	gtp_inspect
	packets
	dce_http_proxy
	alert_fast
	cip
	ips
	stream_icmp
	hosts
	normalizer
	binder
	wizard
	appid
	js_norm
	file_id
	http2_inspect
	http_inspect
	stream_udp
	ftp_data
	ftp_server
	search_engine
	port_scan
	dce_http_server
	dce_tcp
	dce_smb
	iec104
	telnet
	ssl
	sip
	rpc_decode
	netflow
	modbus
	host_tracker
	stream_user
	stream_ip
	process
	back_orifice
	classifications
	dnp3
	active
	trace
	ftp_client
	decode
	alerts
	stream
	references
	daq
	arp_spoof
	output
	network
	dns
	dce_udp
	imap
	file_policy
	s7commplus
	stream_file
Finished /etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading rules/snort.rules:
Finished rules/snort.rules:
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0   40127       0   40127    /etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 40127
               text rules: 40127
            option chains: 40127
            chain headers: 1694
                 flowbits: 694
     flowbits not checked: 83
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any    1786     380     457     288
     src    1208     156       0       0
     dst    5060     920       0       0
    both     109      48       0       0
   total    8163    1504     457     288
--------------------------------------------------
service rule counts          to-srv  to-cli
                      bgp:        5       1
                   dcerpc:      573     496
                     dhcp:       19       5
                     dnp3:        0       6
                      dns:      268     104
                     drda:        5       0
                     file:      275     284
                      ftp:      193      21
                 ftp-data:      561    8639
                   gopher:        0       1
                     http:    14058   11590
                    http2:    14058   11590
                    http3:    14058   11590
                    ident:        1       0
                     imap:      612    8889
                      irc:       40      14
                     ircd:        9       3
                 java_rmi:       51       3
                 kerberos:       34       6
                     ldap:       42       6
                      ldp:        1       0
                   modbus:       34      10
                    mysql:       67       7
              netbios-dgm:        2       2
               netbios-ns:        8       4
              netbios-ssn:      809     541
                  netware:        2       0
                     nntp:        2       2
                      ntp:       36       7
                  openvpn:       16      16
                     pop3:      571    8893
               postgresql:        8       0
                  printer:        3       0
                   radius:        3       2
                      rdp:        3       8
                     rtmp:        1       4
                      rtp:        1       1
                     rtsp:       17       2
                      sip:      338      44
                     smtp:     7875     513
                     snmp:       46       9
                     ssdp:       13       0
                      ssh:       10       4
                      ssl:      173     202
                   sunrpc:      118       9
                   syslog:        4       0
                 teamview:        1       2
                   telnet:       55      15
                     tftp:       11       6
                      vnc:        1       1
               vnc-server:       12      10
                    total:    55103   63562
--------------------------------------------------
fast pattern groups
                      src: 486
                      dst: 1590
                      any: 8
                to_server: 127
                to_client: 92
--------------------------------------------------
search engine (ac_bnfa)
                instances: 1261
                 patterns: 133885
            pattern chars: 3092111
               num states: 2337128
         num match states: 346503
             memory scale: MB
             total memory: 76.6849
           pattern memory: 8.05497
        match list memory: 40.5348
        transition memory: 27.9412
        fast pattern only: 89388
appid: MaxRss diff: 0
appid: patterns loaded: 300
--------------------------------------------------
nfq DAQ configured to inline.
Commencing packet processing
++ [0] 4

/etc/snort/homenet.lua
HOME_NET = [[ 10.9.1.0/24 10.9.2.0/24 10.9.3.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"

/etc/snort/local.lua
snort = {}
snort["-Q"] = true

ips = {
  mode = inline,
  variables = default_variables,
	action_override = 'reject',
	--action_override = 'drop',
  include = RULE_PATH .. '/snort.rules',
}

daq = {
  module_dirs = {
    '/usr/lib/daq',
  },
	inputs = { '4' },
	modules = {
    {
      name = 'nfq',
      mode = 'inline',
			variables = { 'device=eth1' } -- eth1 is wan interface
    }
  }
}

-- To log to a file, uncomment the below and manually create the dir defined in output.logdir
output.logdir = '/mnt/mmcblk0p3'
alert_fast = {
	file = true,
	packet = false,
}

--search_engine = { search_method = "hyperscan" }
--detection = { hyperscan_literals = true, pcre_to_regex = true }

normalizer = {
  tcp = {
    ips = true,
  }
}

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}

My firewall setup was just this two liner:

Can you detail how to apply your suggestion?

Create the queue as described in the post Snort 3 + NFQ with IPS mode - #18 by efahl. The original commands have several problems, including that the queue is always deleted when the firewall updates itself, and that configuration is more powerful because the traffic is distributed to multiple queues, so the limitation of a single queue is bypassed.

Ah, thanks. I did that and now I see CPU load when running snort but I still do not see that my ICMP ping rule is getting tripped...

You have not set the snaplen; look in the other thread where I analyzed your config. You need to set a snaplen of ~64000.

1 Like

I added -s 64000 to the snort start line. I am confused though... for IPS mode, shouldn't I be using pipeline = 'nfq' not pipeline = 'afpacket'?

I have modified my local.lua based on @efahl suggestion:

`/etc/snort/local.lua`
config   = 'IPS'      -- 'IDS' or 'IPS'
pipeline = 'afpacket' -- 'afpacket' or 'nfq'

if config == 'IDS' then
  mode   = tap
  action = 'alert'
else
  mode   = inline
  snort  = { ['-Q'] = true }
  action = 'drop'  -- 'block' or 'drop' or 'reject' or ???
end

if pipeline == 'afpacket' then
  inputs = { 'eth1' }
  vars   = {}
else
  inputs = { '4', '5', '6' } -- to match queue numbers in 'inet snort' table
  vars   = { 'device=eth1', 'queue_maxlen=8192', }
end

--------------------------------------------------------------------------------

ips = {
  mode            = mode,
  variables       = default_variables,
  action_override = action,
--  include         = RULE_PATH .. '/snort.rules',
  include         = RULE_PATH .. '/test.rules',
}

daq = {
  inputs      = inputs,
  module_dirs = { '/usr/lib/daq', },
  modules     = {
    {
      name = pipeline,
      mode = mode,
      variables = vars,
    }
  }
}

output.logdir = '/mnt/mmcblk0p3'
alert_fast = {
	file = true,
	packet = false,
}

--search_engine = { search_method = "hyperscan" }
--detection = { hyperscan_literals = true, pcre_to_regex = true }

normalizer = {
  tcp = {
    ips = true,
  }
}

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}

And to be clear, I am starting snort like this:

# snort -c /etc/snort/snort.lua -s 64000 --tweaks local
1 Like

Oh, that's crap what you are doing; better pass the parameters on the start line, because the parameters are changeable. For example, it would be better to use 4 queues or more for your bandwidth, but you have only 4 threads (unfortunately only 4 are possible). That means you would have to change in efahl's script the line:
counter queue flags bypass to 4-6
to: counter queue flags bypass to 4-7.
Then you start snort with the parameters:
snort -q -c "/etc/snort/snort.lua" -i "4" -i "5" -i "6" -i "7" --daq-dir /usr/lib/daq --daq nfq -Q -z 4 -s 64000 --daq-var queue_maxlen=8192

As you can see, with another queue the z parameter also has to be changed, and this is easier solved with the command line.

Yeah, I'm a coder from waaaay back, so I put everything into the config files and minimize the command line. :grin:

(Aside: I'm working toward being able to specify all this stuff in UCI /etc/config/snort as settings, then generating the appropriate config when /etc/init.d/snort is launched.)

snaplen can be put into the config as a parameter of the daq section:

-z/--max-packet-threads (and many other CLI options) may be specified in the snort values:

  snort  = {
    ['-Q'] = true,
    ['--max-packet-threads'] = 3,
  }

The coding is not so useful in this case, because the command line overwrites the values of the snort.lua. Also, you can see so well with which important parameters Snort runs, and for a non-coder it is not so nice, because a missing/incorrect character quickly leads to an abort because of a syntax error. You must always remember that not every user is a programmer, so I find the use of Lua as a config file also quite off; the old snort.conf files were better there. What would make sense would be a script where you enter the desired number of queues and which then automatically adjusts the number of queues in the queue start script and the i and z parameters in the service file.
Oh yes, the variables = { 'device=eth1' } variable can be omitted for nfq; I have not noticed any difference between it being present and not being present.

Yes, exactly, and setting up the nft tables correspondingly. Here's a very rough draft of my current thinking.

# cat /etc/config/snort
config snort 'snort'
        option enabled '1'
        option config_dir '/etc/snort/'
        option mode 'ips' # or 'ids', maybe better names 'detectonly' and 'prevent'?
        option mode_action 'block' # 'alert', 'reject', don't know what makes sense yet
        option method 'nfq'  # or 'afpacket' or ???
        option nfq_queue_count '4'
        option ... maybe put max queue length and snaplen in here, too.

Once I get it (a lot) more mature, I'll get with @darksky as I believe John is the current maintainer of the OpenWrt snort package, and see if we can make this whole thing a lot easier to deploy. It's pretty wild right now, I've got a lot of questions yet about how various things behave.

My current experiments have gotten to the point where I can block

Test router is 10.1.1.20 on the WAN and 192.168.1.1 on the LAN.

LAN -> router-eth0
Sun May 28 14:56:28 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 10.1.1.20
WAN -> router-eth0
Sun May 28 16:06:29 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 10.1.1.200 -> 10.1.1.20
LAN -> WAN
Sun May 28 16:06:52 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 10.1.1.200
Sun May 28 16:07:46 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 8.8.8.8
LAN -> router-br-lan
Sun May 28 16:08:27 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.121 -> 192.168.1.1
router -> router
Sun May 28 18:14:55 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 10.1.1.20 -> 10.1.1.20
Sun May 28 18:15:36 2023 auth.info snort: [1:10000010:1] "TEST ALERT" {ICMP} 192.168.1.1 -> 192.168.1.1

If I ping from the router to anything else, it gets through, e.g., ping -c4 8.8.8.8 (real WAN) or 10.1.1.200 (testing WAN) or 192.168.1.121 (testing LAN) all respond and no log entries are generated.

I'm using three queues, each in their own chain, along with three threads in snort:

inet snort table with three chains
# nft list table inet snort
table inet snort {
        chain input_ips {
                type filter hook input priority mangle; policy accept;
                counter   queue flags bypass to 4
        }

        chain forward_ips {
                type filter hook forward priority mangle; policy accept;
                counter   queue flags bypass to 5
        }

        chain prerouting_ips {
                type filter hook prerouting priority mangle; policy accept;
                counter   queue flags bypass to 6
        }
}

  1. Has anyone been able to block pings originating from the router itself? (This seems like a major item, as if your router is compromised, lateral movement through the network is really trivial.)

  2. Has anyone found a good reference for rule syntax? My attempts to create an ICMPv6 equivalent test rule have all failed.

As long as afpacket doesn't work properly, it falls out as an IPS; there is only nfq, and there no reject works, so only alert, drop and block remain. But I thought I had read somewhere that block kills the connection right away, so drop would be the better choice. Pcap is a good IDS because it can also be bound to virtual network devices. The names are good, everyone understands that.

The problem that you can ping from the router could be due to the queue: according to my knowledge, nftables makes differences between local and external packets, because, as it is in my nftables table, the queue is in it with hook forward, but the local rules are under hook input/output. You'll probably need to create an extra queue for local traffic first and bind it to Snort.

//edit
nft 'add chain inet snort local { type filter hook output priority filter ; }'
nft insert rule inet snort local counter queue num 7 bypass

With these rules Snort can block the output traffic from the router itself.
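Putting the two suggestions above together (one knob for the queue count that keeps the nft queue range and snort's -i/-z in step, plus input and output chains so router-originated traffic is queued as well), as an added example script that is not efahl's snort-table.sh nor anything from the OpenWrt snort package. It assumes queues numbered from 4 as in this thread, one snort packet thread per queue, and that nft and snort are on the PATH when it is run with the apply argument.

```shell
#!/bin/sh
# Added example (not efahl's snort-table.sh and not the OpenWrt snort package):
# derive the nftables queue table and the matching snort command line from a
# single queue count, so the queue range, the -i list and -z never drift apart.
# Assumptions: queues are numbered from 4 as in this thread, one snort packet
# thread per queue, and nft/snort are on PATH when run with "apply".

QUEUE_FIRST=4      # first nfq queue number (thread convention)
QUEUE_COUNT=4      # number of queues == snort -z (only 4 threads on this box)
SNAPLEN=64000      # the snaplen the thread found necessary for nfq
QUEUE_MAXLEN=8192

# Last queue number for a given count, e.g. 4 queues starting at 4 -> 7.
last_queue() {
    echo $(( QUEUE_FIRST + $1 - 1 ))
}

# Print the inet snort table. Forwarded traffic is spread over the whole
# queue range (nft hashes each flow to one queue, so a flow stays on one
# snort thread). Separate input and output chains are needed because the
# forward hook never sees traffic to or from the router itself, which is
# why router-originated pings were never blocked in the thread.
snort_ruleset() {
    last=$(last_queue "$1")
    cat <<EOF
table inet snort {
    chain forward_ips {
        type filter hook forward priority mangle; policy accept;
        counter queue flags bypass to ${QUEUE_FIRST}-${last}
    }
    chain input_ips {
        type filter hook input priority mangle; policy accept;
        counter queue flags bypass to ${QUEUE_FIRST}-${last}
    }
    chain output_ips {
        type filter hook output priority mangle; policy accept;
        counter queue flags bypass to ${QUEUE_FIRST}-${last}
    }
}
EOF
}

# Print the snort command line with one -i per queue and -z equal to the
# queue count (the coupling the thread had to maintain by hand).
snort_cmdline() {
    count=$1
    last=$(last_queue "$count")
    cmd="snort -q -c /etc/snort/snort.lua --tweaks local --daq-dir /usr/lib/daq --daq nfq -Q"
    q=$QUEUE_FIRST
    while [ "$q" -le "$last" ]; do
        cmd="$cmd -i $q"
        q=$(( q + 1 ))
    done
    echo "$cmd -z $count -s $SNAPLEN --daq-var queue_maxlen=$QUEUE_MAXLEN"
}

# Replace any previous table. Delete rather than flush, so a chain whose
# hook changed between runs is recreated cleanly instead of being re-declared.
apply_snort_table() {
    nft delete table inet snort 2>/dev/null || true
    snort_ruleset "$QUEUE_COUNT" | nft -f -
}

case "${1:-}" in
    apply) apply_snort_table && nft list table inet snort ;;
    show)  snort_ruleset "$QUEUE_COUNT"; echo; snort_cmdline "$QUEUE_COUNT" ;;
esac
```

Run it with show to review the table and command line, and with apply to load the table; a counter that stays at zero on one of the chains tells you which hook is not seeing the traffic you expected.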

  • This works to stop the ping test on a PC.
  • It is ignoring the logging to /mnt/mmcblk0p3/alert_fast.txt which is defined in my ok.lua.
  • If I do not hide kernel threads, I see CPU saturation on several cores during a speed test, which limits bandwidth from over 1000 Mbps without running snort to around 100-200 Mbps.

Running snort CLI
# snort -c "/etc/snort/snort.lua" -i "4" -i "5" -i "6" -i "7" --daq-dir /usr/lib/daq --daq nfq -Q -z 4 -s 64000 --daq-var queue_maxlen=8192 --tweaks ok
--------------------------------------------------
o")~   Snort++ 3.1.62.0
--------------------------------------------------
Loading /etc/snort/snort.lua:
Loading homenet.lua:
Finished homenet.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading ok.lua:
Finished ok.lua:
	ssh
	host_cache
	pop
	so_proxy
	stream_tcp
	mms
	smtp
	gtp_inspect
	packets
	dce_http_proxy
	alert_fast
	ips
	stream_icmp
	hosts
	normalizer
	binder
	wizard
	appid
	js_norm
	file_id
	http2_inspect
	http_inspect
	stream_udp
	ftp_data
	ftp_server
	search_engine
	port_scan
	dce_http_server
	dce_tcp
	dce_smb
	iec104
	cip
	telnet
	ssl
	sip
	rpc_decode
	netflow
	modbus
	host_tracker
	stream_user
	stream_ip
	process
	back_orifice
	classifications
	dnp3
	active
	trace
	ftp_client
	decode
	alerts
	stream
	references
	daq
	arp_spoof
	output
	network
	dns
	dce_udp
	imap
	file_policy
	s7commplus
	stream_file
Finished /etc/snort/snort.lua:
Loading file_id.rules_file:
Loading file_magic.rules:
Finished file_magic.rules:
Finished file_id.rules_file:
Loading rules/test.rules:
Finished rules/test.rules:
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0     209       0     209    /etc/snort/snort.lua
--------------------------------------------------
rule counts
       total rules loaded: 209
               text rules: 209
            option chains: 209
            chain headers: 2
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any       0       0       1       0
   total       0       0       1       0
--------------------------------------------------
service rule counts          to-srv  to-cli
                   dcerpc:      208     208
                 ftp-data:      208     208
                     http:      208     208
                    http2:      208     208
                    http3:      208     208
                     imap:      208     208
              netbios-ssn:      208     208
                     pop3:      208     208
                     smtp:      208     208
                    total:     1872    1872
--------------------------------------------------
fast pattern groups
                to_server: 9
                to_client: 9
--------------------------------------------------
search engine (ac_bnfa)
                instances: 18
                 patterns: 3744
            pattern chars: 22572
               num states: 16002
         num match states: 3330
             memory scale: KB
             total memory: 617.291
           pattern memory: 168.275
        match list memory: 245.953
        transition memory: 200.812
appid: MaxRss diff: 2540
appid: patterns loaded: 300
--------------------------------------------------
nfq DAQ configured to inline.
Commencing packet processing
++ [0] 4
++ [1] 5
++ [2] 6
++ [3] 7
^C** caught int signal
== stopping
-- [0] 4
-- [2] 6
-- [1] 5
-- [3] 7
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 905754
                 analyzed: 905754
                    allow: 905285
                  replace: 4
                whitelist: 463
                blacklist: 2
                 rx_bytes: 954194408
--------------------------------------------------
codec
                    total: 905754      	(100.000%)
                 discards: 2948        	(  0.325%)
                    icmp4: 4           	(  0.000%)
                 icmp4_ip: 2           	(  0.000%)
                     ipv4: 905754      	(100.000%)
                      raw: 905754      	(100.000%)
                      tcp: 695482      	( 76.785%)
                      udp: 210268      	( 23.215%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
appid
                  packets: 902805
        processed_packets: 902548
          ignored_packets: 257
           total_sessions: 1196
       service_cache_adds: 214
             bytes_in_use: 32528
             items_in_use: 214
--------------------------------------------------
back_orifice
                  packets: 209041
--------------------------------------------------
binder
              raw_packets: 257
                new_flows: 1192
          service_changes: 147
                 inspects: 1449
--------------------------------------------------
detection
                 analyzed: 905754
               hard_evals: 3
            file_searches: 2
                   alerts: 1
             total_alerts: 1
                   logged: 1
--------------------------------------------------
dns
                  packets: 743
                 requests: 721
                responses: 22
--------------------------------------------------
file_id
              total_files: 2
          total_file_data: 943
     max_concurrent_files: 1
--------------------------------------------------
http_inspect
                    flows: 43
                    scans: 334
              reassembles: 326
              inspections: 326
                 requests: 156
                responses: 2
             get_requests: 156
       uri_normalizations: 2
  max_concurrent_sessions: 35
          pipelined_flows: 23
       pipelined_requests: 121
              total_bytes: 73202
--------------------------------------------------
normalizer
        test_tcp_trim_syn: 2
        test_tcp_trim_win: 48
             tcp_trim_win: 91025
          test_tcp_ts_nop: 89
             tcp_ips_data: 8
           test_tcp_block: 88939
--------------------------------------------------
port_scan
                  packets: 905754
                 trackers: 235
--------------------------------------------------
search_engine
     non_qualified_events: 2
         qualified_events: 1
           searched_bytes: 943
--------------------------------------------------
ssl
                  packets: 29039
                  decoded: 29039
             client_hello: 104
             server_hello: 104
              certificate: 39
              server_done: 119
      client_key_exchange: 34
      server_key_exchange: 39
            change_cipher: 198
       client_application: 720
       server_application: 27546
     unrecognized_records: 540
     handshakes_completed: 37
         sessions_ignored: 37
  max_concurrent_sessions: 24
--------------------------------------------------
stream
                    flows: 1192
             total_prunes: 96
              idle_prunes: 96
--------------------------------------------------
stream_icmp
                 sessions: 3
                      max: 1
                  created: 3
                 released: 3
--------------------------------------------------
stream_tcp
                 sessions: 264
                      max: 128
                  created: 264
                 released: 260
             instantiated: 264
                   setups: 264
                 restarts: 147
         discards_skipped: 88939
          invalid_seq_num: 42
              invalid_ack: 88869
                   events: 72
             syn_trackers: 141
            data_trackers: 119
              segs_queued: 307221
            segs_released: 307221
                segs_used: 301107
          rebuilt_packets: 29541
            rebuilt_bytes: 433646203
                 overlaps: 8
                     gaps: 3
        exceeded_max_segs: 91025
    payload_fully_trimmed: 4
          client_cleanups: 120
          server_cleanups: 36
              established: 3
                     syns: 141
                 syn_acks: 109
                   resets: 230
                     fins: 145
      inspector_fallbacks: 5
        partial_fallbacks: 22
                 max_segs: 3072
                max_bytes: 3555999
--------------------------------------------------
stream_udp
                 sessions: 925
                      max: 364
                  created: 929
                 released: 929
                 timeouts: 4
              total_bytes: 280454396
--------------------------------------------------
tcp
        bad_tcp4_checksum: 2640
--------------------------------------------------
udp
        bad_udp4_checksum: 308
--------------------------------------------------
wizard
                tcp_scans: 651
                 tcp_hits: 147
               tcp_misses: 12
                udp_scans: 230
               udp_misses: 230
--------------------------------------------------
Appid Statistics
--------------------------------------------------
detected apps and services
              Application: Services   Clients    Users      Payloads   Misc       Referred  
                  unknown: 513        731        0          133        0          0         
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
                  signals: 1
--------------------------------------------------
timing
                  runtime: 00:03:26
                  seconds: 206.231494
                 pkts/sec: 4392
                Mbits/sec: 35
o")~   Snort exiting

/etc/snort/ok.lua

ips = {
  mode = inline,
  variables = default_variables,
  action_override = 'block',
--  include = RULE_PATH .. '/snort.rules',
  include = RULE_PATH .. '/test.rules',
}

-- To log to a file, uncomment the below and manually create the dir defined in output.logdir
output.logdir = '/mnt/mmcblk0p3'
alert_fast = {
	file = true,
	packet = false,
}

normalizer = {
  tcp = {
    ips = true,
  }
}

file_policy = {
  enable_type = true,
  enable_signature = true,
  rules = {
    use = {
      verdict = 'log', enable_file_type = true, enable_file_signature = true
    }
  }
}

/etc/snort/snort-table.sh
#!/bin/sh

verbose=false

nft list tables | grep -q 'snort' && nft flush table inet snort

nft -f - <<TABLE
    table inet snort {
        chain IPS {
            type filter hook forward priority filter; policy accept;

            counter  queue flags bypass to 4-7

#           meta l4proto tcp               counter  queue flags bypass to 4
#           meta l4proto udp               counter  queue flags bypass to 5
#           meta l4proto != { tcp, udp }   counter  queue flags bypass to 6
        }
    }
TABLE

$verbose && nft list table inet snort

exit 0

No, using the setup described in the post right before this one, pings on a box behind the router are blocked but on the router itself, they are not.

From PC:

% ping www.google.com
PING www.google.com (172.217.1.100) 56(84) bytes of data.

From router:

# ping www.google.com
PING www.google.com (142.250.191.228): 56 data bytes
64 bytes from 142.250.191.228: seq=0 ttl=56 time=18.867 ms
64 bytes from 142.250.191.228: seq=1 ttl=56 time=20.191 ms
^C
--- www.google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss

Yes, that was to be expected; the bandwidth goes down, Snort is very demanding and has always been so. Sure, the logging does not work for me; note, however, that Snort creates multiple log files, one per queue, which are then called 0_alert_fast.txt, 1_alert_fast.txt, etc. The problem that Snort does not block local pings I have already solved in this thread: this is due to the nature of the queue. nftables makes a distinction between local traffic to and from the device and traffic passing through the device from other devices; you need to create an extra queue with the hook input or output.

1 Like