[Snort-devel] Fwd: Snort blocking connection but not logging the drop

Cody Brugh cbrugh at ...2499...
Thu May 8 20:47:11 EDT 2014


Hi,

Our dev team is trying to work with the stamps.com API; however, our in-line
Snort box is blocking the return connection for unknown reasons.  When I
turn off Snort the connection flows perfectly.  Looking at Snorby I see no
event of the connection being dropped.  I've included the command we are
running from an internal server that is behind the Snort box.  I also included
the tcpdump from this same server for the connection.

wget https://216.52.211.91/label/health.aspx
--2014-05-08 20:37:33--  https://216.52.211.91/label/health.aspx
Connecting to 216.52.211.91:443... connected.


20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq
3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869
ecr 3731400338], length 0
20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq 1,
ack 1, win 8208, length 0
20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq
3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val
2824990923 ecr 0], length 0
20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq
361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale
3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 1,
win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0
20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack 1,
win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139
20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140,
win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140,
win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 2737,
win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0

20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq
4233:4288, ack 140, win 534, length 55

Any help or suggestions would be great.  I would like to disable the rule
that is blocking this connection, but like I said, I cannot see which rule
blocked it.

Thanks.
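The capture above already contains the evidence of a drop that never produced an event: the client acknowledges relative sequence 2737 from the server, nothing arrives for ten seconds, and the next segment the server is seen to send starts at 4233. The 1496 bytes in between were removed somewhere on the path, which is exactly what an inline sensor with a drop verdict and no matching log entry looks like. The following script is an added example, not part of the original message or of Snort; it re-joins the mail-wrapped tcpdump lines from the post, tracks each sender's relative sequence space per flow, and reports every jump the capture never saw along with the idle time before it. The record layout it parses is tcpdump's default text output; the field names in the returned dictionaries are the script's own.

```python
"""Find silent in-path drops in a wrapped tcpdump text capture (added
example, not from the original post): report each jump in a sender's
relative TCP sequence numbers that the capture never saw."""
import re
from collections import defaultdict

# The poster's capture, exactly as the mail client wrapped it.
CAPTURE = """\
20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq
3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869
ecr 3731400338], length 0
20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq 1,
ack 1, win 8208, length 0
20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq
3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val
2824990923 ecr 0], length 0
20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq
361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale
3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 1,
win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0
20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack 1,
win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139
20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140,
win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140,
win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 2737,
win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0
20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq
4233:4288, ack 140, win 534, length 55
"""

# A record starts with a timestamp; everything else is a wrapped continuation.
START_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > (\S+): Flags \[([^\]]*)\],(.*)$")


def unwrap(text):
    """Re-join tcpdump records that were wrapped onto continuation lines."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if START_RE.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Pull timestamp, endpoints, flags, seq/ack and payload length from one record."""
    h, mi, s, src, dst, flags, rest = START_RE.match(line).groups()
    seq = re.search(r"seq (\d+)(?::(\d+))?", rest)
    ack = re.search(r"ack (\d+)", rest)
    length = re.search(r"length (\d+)", rest)
    return {
        "t": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": src, "dst": dst, "flags": flags,
        "seq_start": int(seq.group(1)) if seq else None,
        "seq_end": int(seq.group(2)) if seq and seq.group(2) else None,
        "ack": int(ack.group(1)) if ack else None,
        "length": int(length.group(1)) if length else 0,
    }


def find_gaps(text):
    """One entry per jump in a sender's relative sequence numbers.

    tcpdump switches to relative numbering once it has seen that side's SYN,
    so tracking starts at 1 on a SYN or SYN-ACK; a flow whose handshake is
    not in the capture (the first one above) is left alone."""
    gaps = []
    flows = defaultdict(lambda: {"next": {}, "last_t": {}, "last_ack": {}})
    for pkt in map(parse_record, unwrap(text)):
        src, dst = pkt["src"], pkt["dst"]
        flow = flows[frozenset((src, dst))]
        if "S" in pkt["flags"]:
            flow["next"][src] = 1          # relative numbering begins here
        if pkt["ack"] is not None:
            flow["last_ack"][src] = pkt["ack"]
        if src in flow["next"] and pkt["length"] > 0:
            expected = flow["next"][src]
            # tcpdump omits "seq" on some data segments; assume they are in order.
            start = expected if pkt["seq_start"] is None else pkt["seq_start"]
            end = pkt["seq_end"] or start + pkt["length"]
            if start > expected:           # bytes the receiver never saw on the wire
                gaps.append({
                    "sender": src, "receiver": dst, "flags": pkt["flags"],
                    "missing_bytes": start - expected,
                    "peer_acked": flow["last_ack"].get(dst),
                    "resumes_at": start,
                    "idle_seconds": round(pkt["t"] - flow["last_t"][src], 6),
                })
            flow["next"][src] = max(expected, end)
        flow["last_t"][src] = pkt["t"]
    return gaps


if __name__ == "__main__":
    for g in find_gaps(CAPTURE):
        print(f"{g['sender']} -> {g['receiver']}: {g['missing_bytes']} bytes never arrived "
              f"(peer acked {g['peer_acked']}, sender resumed at {g['resumes_at']}) "
              f"after {g['idle_seconds']:.1f}s idle, flags [{g['flags']}]")
```

Run against the capture it reports a single gap: the server resumed at 4233 after the client had acknowledged 2737, so 1496 bytes went missing during a ten-second silence, and the server then reset the connection. The script only shows that bytes vanished between the two hosts; it cannot say which sensor component dropped them. A drop with no rule alert is typically not a detection rule at all but a verdict from an inline preprocessor or normalizer, so the sensor's own packet and verdict counters are the next thing to compare against this output.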