snort ips rule - reject works but drop and sdrop don't work

Thomas Anderson · Mar 2, 2014 · Viewed 14.4k times

I am trying to run Snort as an IPS. I installed Snort on Ubuntu Server via apt-get and configured daq_type as afpacket and daq_mode as inline, with two interfaces like eth1:eth2. Then I wrote a rule for testing:

reject tcp any any -> any any (sid: 1000005;)

It works, but when I change it to

drop tcp any any -> any any (sid: 1000005;)

it does not work. When I change the action to sdrop the result is the same. I also installed Snort from source, but the result was the same. Can you help me to write a correct rule?

Answer

johnjg12 · Mar 19, 2014

Snort can operate in three different modes, namely tap (passive), inline, and inline-test. If you want to use drop rules to drop packets you need to make sure that you are running in inline mode. From the looks of it, you are probably not in inline mode. The reason "reject" is working is that it will send a reset for TCP, which will stop the rest of that stream, or it will send an ICMP port unreachable message back for UDP. See the following explanations from the Snort manual (http://manual.snort.org/node29.html) on rule headers:

drop - block and log the packet

reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP.

sdrop - block the packet but do not log it.

If Snort is not running in inline mode it is not going to actually drop the packet(s); it will just generate an alert (for drop) and pass the packet(s).

See the following from the Snort manual on the three modes: http://manual.snort.org/node11.html#SECTION00295100000000000000 Specifically, inline mode is described as follows:

When Snort is in Inline mode, it acts as an IPS allowing drop rules to trigger. Snort can be configured to run in inline mode using the command line argument -Q and snort config option policy_mode as follows:

snort -Q
config policy_mode:inline

You need to make sure the line "config policy_mode:inline" is in your snort.conf and that when you are running Snort you pass the "-Q" option. If both of these are not done it will not drop. Hope this helps!
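As an added example (not part of the original thread or of Snort itself), here is a small POSIX shell audit that checks a snort.conf for the inline settings the answer names and lists the drop/sdrop SIDs that would otherwise only alert or pass; the file paths and the sample config and rule lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether a snort.conf is set
# up so that drop/sdrop rules actually block, and list the rules that would
# otherwise only alert. The file paths below are constructed for this demo.
set -eu

# Constructed sample configs and rules (they mirror the thread, not a real deployment).
cat > /tmp/snort_passive.conf <<'EOF'
config daq: afpacket
config daq_mode: passive
EOF
cat > /tmp/snort_inline.conf <<'EOF'
config daq: afpacket
config daq_mode: inline
config policy_mode:inline
EOF
cat > /tmp/test.rules <<'EOF'
reject tcp any any -> any any (sid: 1000005;)
drop tcp any any -> any any (sid: 1000006;)
sdrop tcp any any -> any any (sid: 1000007;)
alert tcp any any -> any any (sid: 1000008;)
EOF

# Returns 0 when the config asks for inline policy mode and an inline DAQ; 1 otherwise.
# Whitespace around the colon is optional in snort.conf, so allow it.
snort_inline_ready() {
    grep -Eq '^[[:space:]]*config[[:space:]]+policy_mode[[:space:]]*:[[:space:]]*inline' "$1" &&
    grep -Eq '^[[:space:]]*config[[:space:]]+daq_mode[[:space:]]*:[[:space:]]*inline' "$1"
}

# Prints the SIDs of drop/sdrop rules in a rules file; outside inline mode these
# fall back to an alert (drop) or to nothing visible at all (sdrop).
blocking_sids() {
    grep -E '^[[:space:]]*s?drop[[:space:]]' "$1" | sed -nE 's/.*sid:[[:space:]]*([0-9]+).*/\1/p'
}

audit() {
    if snort_inline_ready "$1"; then
        echo "inline: drop/sdrop rules will block (remember to start snort with -Q)"
    else
        echo "NOT inline: these drop/sdrop SIDs will only alert or pass:"
        blocking_sids "$2"
    fi
}

audit /tmp/snort_passive.conf /tmp/test.rules
audit /tmp/snort_inline.conf /tmp/test.rules
```

The config check cannot see the command line, so the -Q flag from the answer still has to be verified on the running process.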