[Snort-devel] Fwd: Snort blocking connection but not logging the drop

Cody Brugh cbrugh at ...2499...
Mon May 12 14:53:29 EDT 2014


I just disabled the tcp normalize and cleaned up some pre-processors that
I don't need, however I am still being dropped when trying to connect to
the API with snort ON.  Attached are the stats from a quick run where I
tried to connect 4-5 times.  Let me know if you see something or other
suggestions.

Thanks,
Cody


On Mon, May 12, 2014 at 1:05 PM, Russ Combs (rucombs) <rucombs at ...3461...> wrote:

>
>  ------------------------------
> *From:* Cody Brugh [cbrugh at ...2499...]
> *Sent:* Monday, May 12, 2014 12:53 PM
>
> *To:* Russ Combs (rucombs)
> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
> logging the drop
>
>   What all is the normalizer used for?  Will turning it off make me
> vulnerable?
>
> * The normalizer does various scrubbing and blocking to improve
> detection.  You need to assess your security position with or without it.
> For details on the normalizer, check here:
> http://manual.snort.org/node168.html.
>
>  Just trying to understand what that mechanism does.
>
>  Thanks,
> Cody
>
> On May 12, 2014, at 12:02 PM, "Russ Combs (rucombs)" <rucombs at ...3461...>
> wrote:
>
>   The normalizer is blocking packets:
>
>              tcp::block: 272
>
> You can prevent that by commenting out the normalize_tcp line from your
> conf.
>
> You can debug it a little further by enabling all preprocessor rules by
> adding / uncommenting them in your conf or by adding this to your conf:
>
>     config autogenerate_preprocessor_decoder_rules
>
> Then you should see why the normalizer is blocking.  When I do that with
> the pcap you sent I see a bad TCP reset.
>
>  ------------------------------
> *From:* Cody Brugh [cbrugh at ...2499...]
> *Sent:* Monday, May 12, 2014 11:52 AM
> *To:* Russ Combs (rucombs)
> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
> logging the drop
>
>   Attached are the shutdown stats.  Let me know what you find/suggest.
>
> Thanks,
> Cody
>
>
> On Mon, May 12, 2014 at 11:41 AM, Russ Combs (rucombs) <rucombs at ...3461...> wrote:
>
>>
>>  ------------------------------
>> *From:* Cody Brugh [cbrugh at ...2499...]
>> *Sent:* Monday, May 12, 2014 11:18 AM
>>
>> *To:* Russ Combs (rucombs)
>> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>> logging the drop
>>
>>    How do I gather those stats?  Are you looking for this?
>> http://manual.snort.org/node20.html
>>
>>  * Not those.  Do a clean start, run your traffic, and then stop Snort or
>> give it a usr1 signal and check the output.  Check console or syslog
>> depending on how you run.
>>
>>  Thanks,
>> Cody
>>
>>
>> On Mon, May 12, 2014 at 11:05 AM, Russ Combs (rucombs) <rucombs at ...3461...
>> > wrote:
>>
>>>  What are your shutdown / usr1 stats?  Do they show normalizer blocks?
>>>
>>>  ------------------------------
>>> *From:* Cody Brugh [cbrugh at ...2499...]
>>> *Sent:* Monday, May 12, 2014 10:29 AM
>>> *To:* Russ Combs (rucombs)
>>> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>>
>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>>> logging the drop
>>>
>>>    Can you confirm you received my PCAP file?  I would really like to
>>> get this issue resolved so I can work with their API.
>>>
>>> Let me know the status please.
>>>
>>>
>>> On Fri, May 9, 2014 at 9:02 AM, Cody Brugh <cbrugh at ...2499...> wrote:
>>>
>>>>  Attached is the pcap of the stamps.com packet capture... can someone
>>>> check and see what I should do?
>>>>
>>>>  Thanks,
>>>> Cody
>>>>
>>>>
>>>> On Fri, May 9, 2014 at 8:19 AM, Russ Combs (rucombs) <rucombs at ...3461...
>>>> > wrote:
>>>>
>>>>>
>>>>>  ------------------------------
>>>>> *From:* Joel Esler (jesler)
>>>>> *Sent:* Thursday, May 08, 2014 8:51 PM
>>>>> *To:* Cody Brugh
>>>>> *Cc:* snort-devel at lists.sourceforge.net
>>>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>>>>> logging the drop
>>>>>
>>>>>   Can you send your configuration file, and a packet capture of the
>>>>> session?
>>>>>
>>>>>  * Can you also send your usr1 / shutdown stats?
>>>>>
>>>>>
>>>>> --
>>>>> Joel Esler
>>>>> Sent from my iPhone
>>>>>
>>>>> On May 8, 2014, at 20:49, "Cody Brugh" <cbrugh at ...2499...> wrote:
>>>>>
>>>>>   Hi,
>>>>>
>>>>>  Our dev team is trying to work with the stamps.com API; however, our
>>>>> in-line snort box is blocking the return connection for unknown reasons.
>>>>> When I turn off snort the connection flows perfectly.  Looking at snorby I
>>>>> see no event of the connection being dropped.  I've included the command we
>>>>> are running from an internal server that is behind the snort.  I also
>>>>> included the tcpdump from this same server for the connection.
>>>>>
>>>>> wget https://216.52.211.91/label/health.aspx
>>>>> --2014-05-08 20:37:33--  https://216.52.211.91/label/health.aspx
>>>>> Connecting to 216.52.211.91:443... connected.
>>>>>
>>>>>
>>>>> 20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq
>>>>> 3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869
>>>>> ecr 3731400338], length 0
>>>>> 20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq
>>>>> 1, ack 1, win 8208, length 0
>>>>> 20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq
>>>>> 3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val
>>>>> 2824990923 ecr 0], length 0
>>>>> 20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq
>>>>> 361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale
>>>>> 3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
>>>>> 20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack
>>>>> 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0
>>>>> 20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack
>>>>> 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139
>>>>> 20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack
>>>>> 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length
>>>>> 1368
>>>>> 20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack
>>>>> 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length
>>>>> 1368
>>>>> 20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack
>>>>> 2737, win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0
>>>>>
>>>>> 20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq
>>>>> 4233:4288, ack 140, win 534, length 55
>>>>>
>>>>>  any help or suggestions would be great, I would like to disable the
>>>>> rule that is blocking this connection but like I said I cannot see which
>>>>> rule blocked it.
>>>>>
>>>>>  Thanks.
>>>>>
>>>>>
>>>>>
>>>>>  _______________________________________________
>>>>> Snort-devel mailing list
>>>>> Snort-devel at lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>> Archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>>>
>>>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
===============================================================================
Run time for packet processing was 23.62363 seconds
Snort processed 29786 packets.
Snort ran for 0 days 0 hours 0 minutes 23 seconds
   Pkts/sec:         1295
===============================================================================
Memory usage summary:
  Total non-mmapped bytes (arena):       177520640
  Bytes in mapped regions (hblkhd):      13864960
  Total allocated space (uordblks):      97386752
  Total free space (fordblks):           80133888
  Topmost releasable block (keepcost):   117072
===============================================================================
Packet I/O Totals:
   Received:        29785
   Analyzed:        29786 (100.003%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            2
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:        29867 (100.000%)
       VLAN:           19 (  0.064%)
        IP4:        29805 ( 99.792%)
       Frag:            0 (  0.000%)
       ICMP:           86 (  0.288%)
        UDP:          402 (  1.346%)
        TCP:        29244 ( 97.914%)
        IP6:            0 (  0.000%)
    IP6 Ext:            0 (  0.000%)
   IP6 Opts:            0 (  0.000%)
      Frag6:            0 (  0.000%)
      ICMP6:            0 (  0.000%)
       UDP6:            0 (  0.000%)
       TCP6:            0 (  0.000%)
     Teredo:            0 (  0.000%)
    ICMP-IP:            0 (  0.000%)
    IP4/IP4:            0 (  0.000%)
    IP4/IP6:            0 (  0.000%)
    IP6/IP4:            0 (  0.000%)
    IP6/IP6:            0 (  0.000%)
        GRE:            0 (  0.000%)
    GRE Eth:            0 (  0.000%)
   GRE VLAN:            0 (  0.000%)
    GRE IP4:            0 (  0.000%)
    GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
   GRE PPTP:            0 (  0.000%)
    GRE ARP:            0 (  0.000%)
    GRE IPX:            0 (  0.000%)
   GRE Loop:            0 (  0.000%)
       MPLS:            0 (  0.000%)
        ARP:           37 (  0.124%)
        IPX:            0 (  0.000%)
   Eth Loop:            2 (  0.007%)
   Eth Disc:            0 (  0.000%)
   IP4 Disc:           57 (  0.191%)
   IP6 Disc:            0 (  0.000%)
   TCP Disc:            0 (  0.000%)
   UDP Disc:            0 (  0.000%)
  ICMP Disc:            0 (  0.000%)
All Discard:           57 (  0.191%)
      Other:           39 (  0.131%)
Bad Chk Sum:           56 (  0.187%)
    Bad TTL:            0 (  0.000%)
     S5 G 1:           47 (  0.157%)
     S5 G 2:           34 (  0.114%)
      Total:        29867
===============================================================================
Action Stats:
     Alerts:            1 (  0.003%)
     Logged:            1 (  0.003%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:        19896 ( 66.799%)
      Block:            2 (  0.007%)
    Replace:            0 (  0.000%)
  Whitelist:         9887 ( 33.195%)
  Blacklist:            1 (  0.003%)
     Ignore:            0 (  0.000%)
===============================================================================
Normalizer statistics:
              ip4::trim: 0
               ip4::tos: 0
                ip4::df: 0
                ip4::rf: 0
               ip4::ttl: 0
              ip4::opts: 0
            icmp4::echo: 0
               ip6::ttl: 0
              ip6::opts: 0
            icmp6::echo: 0
           tcp::syn_opt: 0
            tcp::ts_ecr: 0
               tcp::opt: 0
               tcp::pad: 0
               tcp::rsv: 0
           tcp::ecn_pkt: 0
                tcp::ns: 0
               tcp::urg: 0
               tcp::urp: 0
              tcp::trim: 0
           tcp::ecn_ssn: 0
            tcp::ts_nop: 0
          tcp::ips_data: 0
             tcp::block: 0
===============================================================================
Stream5 statistics:
            Total sessions: 520
              TCP sessions: 316
              UDP sessions: 204
             ICMP sessions: 0
               IP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
                 IP Prunes: 0
TCP StreamTrackers Created: 316
TCP StreamTrackers Deleted: 316
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 10470
     TCP Segments Released: 10470
       TCP Rebuilt Packets: 1818
         TCP Segments Used: 10363
              TCP Discards: 13
                  TCP Gaps: 43
      UDP Sessions Created: 204
      UDP Sessions Deleted: 204
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 26
           Internal Events: 0
           TCP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 19218
           UDP Port Filter
                  Filtered: 0
                 Inspected: 0
                   Tracked: 204
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                         2         
    GET methods:                          344       
    HTTP Request Headers extracted:       346       
    HTTP Request Cookies extracted:       286       
    Post parameters extracted:            2         
    HTTP response Headers extracted:      326       
    HTTP Response Cookies extracted:      29        
    Unicode:                              0         
    Double unicode:                       0         
    Non-ASCII representable:              0         
    Directory traversals:                 0         
    Extra slashes ("//"):                 6         
    Self-referencing paths ("./"):        0         
    HTTP Response Gzip packets extracted: 127       
    Gzip Compressed Data Processed:       624237.00 
    Gzip Decompressed Data Processed:     2207368.00
    Total packets processed:              13259     
===============================================================================
SMTP Preprocessor Statistics
  Total sessions                                    : 12
  Max concurrent sessions                           : 9
  Base64 attachments decoded                        : 1
  Total Base64 decoded bytes                        : 4053
  Quoted-Printable attachments decoded              : 8
  Total Quoted decoded bytes                        : 50745
  UU attachments decoded                            : 0
  Total UU decoded bytes                            : 0
  Non-Encoded MIME attachments extracted            : 10
  Total Non-Encoded MIME bytes extracted            : 2697
===============================================================================
Reputation Preprocessor Statistics
  Total Memory Allocated: 584128
  Number of packets whitelisted: 9887
===============================================================================
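The attached stats above are the sections Russ asked Cody to read (Action Stats, Verdicts, Normalizer statistics). As an added example, not part of the thread or of Snort itself, here is a small Python parser for that stats layout plus a triage function that flags the thread's symptom: block or blacklist verdicts with fewer alerts logged than drops, and a non-zero normalizer tcp::block count, which stays silent unless the preprocessor rules are enabled. The embedded sample stats are constructed to mirror Russ's reading of the original pcap (272 normalizer blocks, no alert).

```python
import re
# Constructed excerpt in the layout of Snort's shutdown / SIGUSR1 stats: a
# header ending in ":", indented counters, "=" separators. The figures mirror
# the thread: 272 normalizer blocks, no alert logged for them.
SAMPLE_STATS = """\
=========================
Action Stats:
     Alerts:            0 (  0.000%)
Verdicts:
      Allow:        19896 ( 98.650%)
      Block:          272 (  1.350%)
=========================
Normalizer statistics:
              tcp::block: 272
=========================
"""
SECTION_RE = re.compile(r"^(\S.*):\s*$")               # "Verdicts:"
COUNTER_RE = re.compile(r"^\s*([\w:/ -]+?):\s+(\d+)")  # "  Block:  272 ( 1.350%)"

def parse_stats(text):
    """Return {section: {counter: int}} for every 'name: count' line."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("="):           # separator closes the section
            current = None
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).strip()
            sections[current] = {}
            continue
        cnt = COUNTER_RE.match(line)
        if cnt and current is not None:
            sections[current][cnt.group(1).strip()] = int(cnt.group(2))
    return sections

def triage_blocks(stats):
    """Explain drops that left no event, the symptom reported in the thread."""
    verdicts = stats.get("Verdicts", {})
    dropped = verdicts.get("Block", 0) + verdicts.get("Blacklist", 0)
    alerts = stats.get("Action Stats", {}).get("Alerts", 0)
    norm = {k: v for k, v in stats.get("Normalizer statistics", {}).items() if v}
    findings = []
    if dropped > alerts:
        findings.append(f"{dropped} block/blacklist verdicts vs {alerts} alerts: "
                        "some drops produced no logged event")
    if norm.get("tcp::block"):
        findings.append(f"normalizer blocked {norm['tcp::block']} packets; enable "
                        "preprocessor rules to see which normalization fired")
    return {"dropped": dropped, "alerts": alerts, "normalizer": norm, "findings": findings}
```

Run against a real shutdown dump, the Stream5 sub-blocks ("TCP Port Filter", "UDP Port Filter") have no trailing colon and so fold into the Stream5 section; that does not affect the three sections the triage reads.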

