[Snort-devel] Fwd: Snort blocking connection but not logging the drop

Cody Brugh cbrugh at ...2499...
Mon May 12 15:01:57 EDT 2014


That's the thing, I don't know what rule is being hit as it doesn't show in sborby. Is there a way to show the rule that was triggered?  Maybe that is done with the perf monitoring stuff?



> On May 12, 2014, at 2:59 PM, "Russ Combs (rucombs)" <rucombs at ...3461...> wrote:
> 
> 
> From: Cody Brugh [cbrugh at ...2499...]
> Sent: Monday, May 12, 2014 2:53 PM
> To: Russ Combs (rucombs)
> Cc: Joel Esler (jesler); snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop
> 
> I just disabled the tcp normalize and cleaned up some pre-processeors that I don't need, however I am still being dropped when trying to connect to the API with snort ON.  Attached are the stats from a quick run where I tried to connect 4-5 times.  Let me know if you see something or other suggestions.
> 
> * You have 1 alert, 2 blocks, 1 blacklisted, and 2 injects.  I would start by changing the rule that is firing from drop to alert.
> 
> Thanks,
> Cody
> 
> 
>> On Mon, May 12, 2014 at 1:05 PM, Russ Combs (rucombs) <rucombs at ...3482....> wrote:
>> 
>> From: Cody Brugh [cbrugh at ...2499...]
>> Sent: Monday, May 12, 2014 12:53 PM
>> 
>> To: Russ Combs (rucombs)
>> Cc: Joel Esler (jesler); snort-devel at lists.sourceforge.net
>> Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop
>> 
>> What all is the normalizer used for?  Will turning it off make me vulnerable?
>> 
>> * The normalizer does various scrubbing and blocking to improve detection.  You need to assess your security position with or without it.  For details on the normalizer, check here:  http://manual.snort.org/node168.html.
>> 
>> Just trying to understand what that mechanism does. 
>> 
>> Thanks,
>> Cody
>> 
>> On May 12, 2014, at 12:02 PM, "Russ Combs (rucombs)" <rucombs at ...3461...> wrote:
>> 
>>> The normalizer is blocking packets:
>>> 
>>>              tcp::block: 272
>>> 
>>> You can prevent that by commenting out the normalize_tcp line from your conf.
>>> 
>>> You can debug it a little further by enabling all preprocessor rules by adding / uncommenting them in your conf or by adding this to your conf:
>>> 
>>>     config autogenerate_preprocessor_decoder_rules
>>> 
>>> Then you should see why the normalizer is blocking.  When I do that with the pcap you sent I see a bad TCP reset.
>>> 
>>> From: Cody Brugh [cbrugh at ...2499...]
>>> Sent: Monday, May 12, 2014 11:52 AM
>>> To: Russ Combs (rucombs)
>>> Cc: Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>> Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop
>>> 
>>> Attached is the shutdown stats.  Let me know what you find/suggest.
>>> 
>>> Thanks,
>>> Cody
>>> 
>>> 
>>>> On Mon, May 12, 2014 at 11:41 AM, Russ Combs (rucombs) <rucombs at ...3497...1...> wrote:
>>>> 
>>>> From: Cody Brugh [cbrugh at ...2499...]
>>>> Sent: Monday, May 12, 2014 11:18 AM
>>>> 
>>>> To: Russ Combs (rucombs)
>>>> Cc: Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>>> Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop
>>>> 
>>>> How do I gather those stats?  Are you looking for this?  http://manual.snort.org/node20.html
>>>> 
>>>> * Not those.  Do a clean start, run your traffic, and then stop Snort or give it a usr1 signal and check the output.  Check console or syslog depending on how you run.
>>>> 
>>>> Thanks,
>>>> Cody
>>>> 
>>>> 
>>>>> On Mon, May 12, 2014 at 11:05 AM, Russ Combs (rucombs) <rucombs at ...3408...61...> wrote:
>>>>> What are your shutdown / usr1 stats?  Do they show normalizer blocks?
>>>>> 
>>>>> From: Cody Brugh [cbrugh at ...2499...]
>>>>> Sent: Monday, May 12, 2014 10:29 AM
>>>>> To: Russ Combs (rucombs)
>>>>> Cc: Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>>>> 
>>>>> Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop
>>>>> 
>>>>> Can you confirm you received my PCAP file?  I would really like to get this issue resolved so I can work with their API.
>>>>> 
>>>>> Let me know the status please.
>>>>> 
>>>>> 
>>>>>> On Fri, May 9, 2014 at 9:02 AM, Cody Brugh <cbrugh at ...2499...> wrote:
>>>>>> Attached is the pcap of the stamps.com packet capture... can someone check and see what I should do?
>>>>>> 
>>>>>> Thanks,
>>>>>> Cody
>>>>>> 
>>>>>> 
>>>>>>> On Fri, May 9, 2014 at 8:19 AM, Russ Combs (rucombs) <rucombs at ...3408...61...> wrote:
>>>>>>> 
>>>>>>> From: Joel Esler (jesler)
>>>>>>> Sent: Thursday, May 08, 2014 8:51 PM
>>>>>>> To: Cody Brugh
>>>>>>> Cc: snort-devel at lists.sourceforge.net
>>>>>>> Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop
>>>>>>> 
>>>>>>> Can you send your configuration file, and a packet capture of the session?
>>>>>>> 
>>>>>>> * Can you also send your usr1 / shutdown stats?
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> Joel Esler
>>>>>>> Sent from my iPhone
>>>>>>> 
>>>>>>> On May 8, 2014, at 20:49, "Cody Brugh" <cbrugh at ...2499...> wrote:
>>>>>>> 
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> Our dev team is trying to work with stamps.com API however our in-line snort box is blocking the return connection for unknown reasons.  When I turn off snort the connection flows perfectly.  Looking at snorby I see no event of the connection being dropped.  I've included the command we are running from a internal server that is behind the snort.  I also included the tcpdump from this same server for the connection.
>>>>>>>> 
>>>>>>>> wget https://216.52.211.91/label/health.aspx
>>>>>>>> --2014-05-08 20:37:33--  https://216.52.211.91/label/health.aspx
>>>>>>>> Connecting to 216.52.211.91:443... connected.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq 3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869 ecr 3731400338], length 0
>>>>>>>> 20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq 1, ack 1, win 8208, length 0
>>>>>>>> 20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq 3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2824990923 ecr 0], length 0
>>>>>>>> 20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq 361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale 3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
>>>>>>>> 20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0
>>>>>>>> 20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139
>>>>>>>> 20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
>>>>>>>> 20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
>>>>>>>> 20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 2737, win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0
>>>>>>>> 
>>>>>>>> 20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq 4233:4288, ack 140, win 534, length 55
>>>>>>>> 
>>>>>>>> any help or suggestions would be great, I would like to disable the rule that is blocking this connection but like I said I cannot see which rule blocked it.
>>>>>>>> 
>>>>>>>> Thanks.
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
>>>>>>>> • 3 signs your SCM is hindering your productivity
>>>>>>>> • Requirements for releasing software faster
>>>>>>>> • Expert tips and advice for migrating your SCM now
>>>>>>>> http://p.sf.net/sfu/perforce
>>>>>>>> _______________________________________________
>>>>>>>> Snort-devel mailing list
>>>>>>>> Snort-devel at lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>>>> Archive:
>>>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>>>>>> 
>>>>>>>> Please visit http://blog.snort.org for the latest news about Snort!
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140512/6dd5f457/attachment.html>


More information about the Snort-devel mailing list