[Snort-devel] Fwd: Snort blocking connection but not logging the drop

Cody Brugh cbrugh at ...2499...
Mon May 12 11:18:49 EDT 2014


How do I gather those stats?  Are you looking for this?
http://manual.snort.org/node20.html

Thanks,
Cody


On Mon, May 12, 2014 at 11:05 AM, Russ Combs (rucombs) <rucombs at ...3461...> wrote:

>  What are your shutdown / usr1 stats?  Do they show normalizer blocks?
>
>  ------------------------------
> *From:* Cody Brugh [cbrugh at ...2499...]
> *Sent:* Monday, May 12, 2014 10:29 AM
> *To:* Russ Combs (rucombs)
> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>
> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
> logging the drop
>
>   Can you confirm you received my PCAP file?  I would really like to get
> this issue resolved so I can work with their API.
>
> Let me know the status please.
>
>
> On Fri, May 9, 2014 at 9:02 AM, Cody Brugh <cbrugh at ...2499...> wrote:
>
>>  Attached is the pcap of the stamps.com packet capture... can someone
>> check and see what I should do?
>>
>>  Thanks,
>> Cody
>>
>>
>> On Fri, May 9, 2014 at 8:19 AM, Russ Combs (rucombs) <rucombs at ...3461...> wrote:
>>
>>>
>>>  ------------------------------
>>> *From:* Joel Esler (jesler)
>>> *Sent:* Thursday, May 08, 2014 8:51 PM
>>> *To:* Cody Brugh
>>> *Cc:* snort-devel at lists.sourceforge.net
>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>>> logging the drop
>>>
>>>   Can you send your configuration file, and a packet capture of the
>>> session?
>>>
>>>  * Can you also send your usr1 / shutdown stats?
>>>
>>>
>>> --
>>> Joel Esler
>>> Sent from my iPhone
>>>
>>> On May 8, 2014, at 20:49, "Cody Brugh" <cbrugh at ...2499...> wrote:
>>>
>>>   Hi,
>>>
>>>  Our dev team is trying to work with the stamps.com API; however, our in-line
>>> Snort box is blocking the return connection for unknown reasons.  When I
>>> turn off Snort, the connection flows perfectly.  Looking at Snorby, I see no
>>> event of the connection being dropped.  I've included the command we are
>>> running from an internal server that is behind the Snort box.  I also included
>>> the tcpdump from this same server for the connection.
>>>
>>> wget https://216.52.211.91/label/health.aspx
>>> --2014-05-08 20:37:33--  https://216.52.211.91/label/health.aspx
>>> Connecting to 216.52.211.91:443... connected.
>>>
>>>
>>> 20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq 3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869 ecr 3731400338], length 0
>>> 20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq 1, ack 1, win 8208, length 0
>>> 20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq 3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2824990923 ecr 0], length 0
>>> 20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq 361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale 3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
>>> 20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0
>>> 20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139
>>> 20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
>>> 20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
>>> 20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 2737, win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0
>>>
>>> 20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq 4233:4288, ack 140, win 534, length 55
>>>
>>>  Any help or suggestions would be great.  I would like to disable the
>>> rule that is blocking this connection, but like I said, I cannot see which
>>> rule blocked it.
>>>
>>>  Thanks.
>>>
>>>
>>>
>>>  _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>
>>>
>>
>
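The capture quoted above already carries the evidence of a silent drop, and it is the kind of thing worth checking before hunting through rules: once tcpdump has seen the SYN it prints relative sequence and acknowledgement numbers, so the client's last "ack 2737" says how much of the server's stream actually arrived, while the server's closing "seq 4233:4288" says how far the server believes it got. The difference is data that an in-line box removed without an alert. The script below is an added example, not code from any participant in this thread and not part of Snort; it parses tcpdump's default text output (the sample is the quoted capture with the mail-client line wrapping undone) and reports, per direction, byte ranges the sender referenced but the receiver never acknowledged and that never appear in the trace. Flows whose handshake was not captured are skipped, because tcpdump prints absolute numbers for them and the arithmetic would be meaningless.

```python
"""Find silently dropped TCP segments in tcpdump text output.

Added example for the thread above (not Snort code, not from any poster).
Assumes tcpdump's default output: relative seq/ack numbers once the SYN of a
flow has been seen, absolute numbers otherwise.
"""
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines quoted in the thread, one packet per
# line (the mail client had wrapped them).
SAMPLE = """\
20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq 3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869 ecr 3731400338], length 0
20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq 1, ack 1, win 8208, length 0
20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq 3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2824990923 ecr 0], length 0
20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq 361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale 3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0
20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139
20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 2737, win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0
20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq 4233:4288, ack 140, win 534, length 55
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]'
    r'(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?'
    r'(?:, ack (?P<ack>\d+))?'
    r'.*?, length (?P<length>\d+)$'
)


def parse(text):
    """Yield one dict per tcpdump line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ('seq', 'seq_end', 'ack', 'length'):
                d[k] = int(d[k]) if d[k] is not None else None
            yield d


def find_holes(text):
    """Return (holes, rst_with_data).

    holes maps (src, dst) to [(first_missing, first_present, nbytes), ...]:
    relative byte ranges the sender later referenced in a seq field but
    that the receiver never acknowledged and that never appear in the trace.
    rst_with_data lists (ts, (src, dst), payload_len) for RSTs carrying data.
    """
    saw_syn = set()                 # directions whose SYN / SYN-ACK we saw
    segments = defaultdict(list)    # direction -> [(start, end)] relative
    acked = defaultdict(lambda: 1)  # direction -> highest ack from the peer
    rst_with_data = []
    for p in parse(text):
        fwd = (p['src'], p['dst'])
        rev = (p['dst'], p['src'])
        if 'S' in p['flags']:
            saw_syn.add(fwd)        # numbers on the SYN line are absolute
            continue
        if fwd not in saw_syn:
            continue                # handshake not captured: absolute numbers
        if p['ack'] is not None and rev in saw_syn:
            acked[rev] = max(acked[rev], p['ack'])
        if p['seq'] is not None:
            end = p['seq_end'] if p['seq_end'] is not None else p['seq'] + p['length']
            segments[fwd].append((p['seq'], end))
        if 'R' in p['flags'] and p['length'] > 0:
            rst_with_data.append((p['ts'], fwd, p['length']))

    holes = {}
    for direction in saw_syn:
        cursor = acked[direction]   # everything below this reached the peer
        found = []
        for start, end in sorted(segments[direction]):
            if start > cursor:
                found.append((cursor, start, start - cursor))
            cursor = max(cursor, end)
        if found:
            holes[direction] = found
    return holes, rst_with_data


if __name__ == '__main__':
    holes, rsts = find_holes(SAMPLE)
    for (src, dst), ranges in holes.items():
        for lo, hi, n in ranges:
            print(f"{src} -> {dst}: relative bytes {lo}..{hi - 1} ({n} bytes) "
                  f"sent but never acked and absent from the capture")
    for ts, (src, dst), n in rsts:
        print(f"{ts} {src} -> {dst}: RST carrying {n} bytes of payload")
```

On the quoted capture this reports a 1496-byte hole in the server-to-client direction (relative bytes 2737 through 4232): the client acknowledged the two 1368-byte segments and nothing after them, yet ten seconds later the server's RST starts at 4233. It also flags that the RST itself carries 55 bytes of payload. The hole is the drop the poster could not see in Snorby; whether Snort's shutdown or USR1 counters account for it is exactly what Russ is asking to see.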
