[Snort-devel] Fwd: Snort blocking connection but not logging the drop

Cody Brugh cbrugh at ...2499...
Mon May 12 16:11:03 EDT 2014


I now see my other alerts/drops coming in on the console, however when I
run the API command I get nothing from a alert/drop status...  What else
could be blocking it?



On Mon, May 12, 2014 at 4:09 PM, Cody Brugh <cbrugh at ...2499...> wrote:

> Attached.
>
>
> On Mon, May 12, 2014 at 4:05 PM, Russ Combs (rucombs) <rucombs at ...3461...>wrote:
>
>>
>>  ------------------------------
>> *From:* Cody Brugh [cbrugh at ...2499...]
>> *Sent:* Monday, May 12, 2014 3:59 PM
>>
>> *To:* Russ Combs (rucombs)
>> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>> logging the drop
>>
>>   Alright, I done that and run my command but see nothing... looking at
>> the console and /var/log/messages...
>>
>> /usr/local/bin/snort -M -A console -q --daq afpacket -i eth2:eth3 -Q
>> --daq-var buffer_size_mb=2048MB -c /etc/snort/snort.conf
>>
>> * Ok, do this and send the whole output file (snort.log) after stopping
>> with ctl-c:
>>
>> /usr/local/bin/snort -A cmg --daq afpacket -i eth2:eth3 -Q --daq-var
>> buffer_size_mb=2048MB -c /etc/snort/snort.conf &> snort.log
>>
>>  This is very odd
>>
>>
>> On Mon, May 12, 2014 at 3:24 PM, Russ Combs (rucombs) <rucombs at ...3461...>wrote:
>>
>>>
>>>  ------------------------------
>>> *From:* Cody Brugh [cbrugh at ...2499...]
>>> *Sent:* Monday, May 12, 2014 3:01 PM
>>>
>>> *To:* Russ Combs (rucombs)
>>> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>>> logging the drop
>>>
>>>   That's the thing, I don't know what rule is being hit as it doesn't
>>> show in sborby. Is there a way to show the rule that was triggered?  Maybe
>>> that is done with the perf monitoring stuff?
>>>
>>>  * I can't help you with Snorby.  Since this is easy for you to
>>> reproduce, I suggest running Snort from the command line directly, no
>>> scripts, and no -M option.  Add -A cmg -q to your command line.  You will
>>> see the alert.
>>>
>>>
>>>
>>> On May 12, 2014, at 2:59 PM, "Russ Combs (rucombs)" <rucombs at ...3461...>
>>> wrote:
>>>
>>>
>>>  ------------------------------
>>> *From:* Cody Brugh [cbrugh at ...2499...]
>>> *Sent:* Monday, May 12, 2014 2:53 PM
>>> *To:* Russ Combs (rucombs)
>>> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>>> logging the drop
>>>
>>>   I just disabled the tcp normalize and cleaned up some pre-processeors
>>> that I don't need, however I am still being dropped when trying to connect
>>> to the API with snort ON.  Attached are the stats from a quick run where I
>>> tried to connect 4-5 times.  Let me know if you see something or other
>>> suggestions.
>>>
>>> * You have 1 alert, 2 blocks, 1 blacklisted, and 2 injects.  I would
>>> start by changing the rule that is firing from drop to alert.
>>>
>>> Thanks,
>>> Cody
>>>
>>>
>>> On Mon, May 12, 2014 at 1:05 PM, Russ Combs (rucombs) <rucombs at ...3461...
>>> > wrote:
>>>
>>>>
>>>>  ------------------------------
>>>> *From:* Cody Brugh [cbrugh at ...2499...]
>>>> *Sent:* Monday, May 12, 2014 12:53 PM
>>>>
>>>> *To:* Russ Combs (rucombs)
>>>> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>>>> logging the drop
>>>>
>>>>   What all is the normalizer used for?  Will turning it off make me
>>>> vulnerable?
>>>>
>>>>  * The normalizer does various scrubbing and blocking to improve
>>>> detection.  You need to assess your security position with or without it.
>>>> For details on the normalizer, check here:
>>>> http://manual.snort.org/node168.html.
>>>>
>>>>  Just trying to understand what that mechanism does.
>>>>
>>>>  Thanks,
>>>> Cody
>>>>
>>>> On May 12, 2014, at 12:02 PM, "Russ Combs (rucombs)" <rucombs at ...3461...>
>>>> wrote:
>>>>
>>>>   The normalizer is blocking packets:
>>>>
>>>>              tcp::block: 272
>>>>
>>>> You can prevent that by commenting out the normalize_tcp line from your
>>>> conf.
>>>>
>>>> You can debug it a little further by enabling all preprocessor rules by
>>>> adding / uncommenting them in your conf or by adding this to your conf:
>>>>
>>>>     config autogenerate_preprocessor_decoder_rules
>>>>
>>>> Then you should see why the normalizer is blocking.  When I do that
>>>> with the pcap you sent I see a bad TCP reset.
>>>>
>>>>  ------------------------------
>>>> *From:* Cody Brugh [cbrugh at ...2499...]
>>>> *Sent:* Monday, May 12, 2014 11:52 AM
>>>> *To:* Russ Combs (rucombs)
>>>> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>>>> logging the drop
>>>>
>>>>   Attached is the shutdown stats.  Let me know what you find/suggest.
>>>>
>>>> Thanks,
>>>> Cody
>>>>
>>>>
>>>> On Mon, May 12, 2014 at 11:41 AM, Russ Combs (rucombs) <
>>>> rucombs at ...3461...> wrote:
>>>>
>>>>>
>>>>>  ------------------------------
>>>>> *From:* Cody Brugh [cbrugh at ...2499...]
>>>>> *Sent:* Monday, May 12, 2014 11:18 AM
>>>>>
>>>>> *To:* Russ Combs (rucombs)
>>>>> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>>>>> logging the drop
>>>>>
>>>>>    How do I gather those stats?  Are you looking for this?
>>>>> http://manual.snort.org/node20.html
>>>>>
>>>>>  * Not those.  Do a clean start, run your traffic, and then stop Snort
>>>>> or give it a usr1 signal and check the output.  Check console or syslog
>>>>> depending on how you run.
>>>>>
>>>>>  Thanks,
>>>>> Cody
>>>>>
>>>>>
>>>>> On Mon, May 12, 2014 at 11:05 AM, Russ Combs (rucombs) <
>>>>> rucombs at ...3461...> wrote:
>>>>>
>>>>>>  What are your shutdown / usr1 stats?  Do they show normalizer
>>>>>> blocks?
>>>>>>
>>>>>>  ------------------------------
>>>>>> *From:* Cody Brugh [cbrugh at ...2499...]
>>>>>> *Sent:* Monday, May 12, 2014 10:29 AM
>>>>>> *To:* Russ Combs (rucombs)
>>>>>> *Cc:* Joel Esler (jesler); snort-devel at lists.sourceforge.net
>>>>>>
>>>>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
>>>>>> logging the drop
>>>>>>
>>>>>>    Can you confirm you received my PCAP file?  I would really like
>>>>>> to get this issue resolved so I can work with their API.
>>>>>>
>>>>>> Let me know the status please.
>>>>>>
>>>>>>
>>>>>> On Fri, May 9, 2014 at 9:02 AM, Cody Brugh <cbrugh at ...2499...> wrote:
>>>>>>
>>>>>>>  Attached is the pcap of the stamps.com packet capture... can
>>>>>>> someone check and see what I should do?
>>>>>>>
>>>>>>>  Thanks,
>>>>>>> Cody
>>>>>>>
>>>>>>>
>>>>>>> On Fri, May 9, 2014 at 8:19 AM, Russ Combs (rucombs) <
>>>>>>> rucombs at ...3461...> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>  ------------------------------
>>>>>>>> *From:* Joel Esler (jesler)
>>>>>>>> *Sent:* Thursday, May 08, 2014 8:51 PM
>>>>>>>> *To:* Cody Brugh
>>>>>>>> *Cc:* snort-devel at lists.sourceforge.net
>>>>>>>> *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but
>>>>>>>> not logging the drop
>>>>>>>>
>>>>>>>>   Can you send your configuration file, and a packet capture of
>>>>>>>> the session?
>>>>>>>>
>>>>>>>>  * Can you also send your usr1 / shutdown stats?
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Joel Esler
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>> On May 8, 2014, at 20:49, "Cody Brugh" <cbrugh at ...2499...> wrote:
>>>>>>>>
>>>>>>>>   Hi,
>>>>>>>>
>>>>>>>>  Our dev team is trying to work with stamps.com API however our
>>>>>>>> in-line snort box is blocking the return connection for unknown reasons.
>>>>>>>> When I turn off snort the connection flows perfectly.  Looking at snorby I
>>>>>>>> see no event of the connection being dropped.  I've included the command we
>>>>>>>> are running from a internal server that is behind the snort.  I also
>>>>>>>> included the tcpdump from this same server for the connection.
>>>>>>>>
>>>>>>>> wget https://216.52.211.91/label/health.aspx
>>>>>>>> --2014-05-08 20:37:33--  https://216.52.211.91/label/health.aspx
>>>>>>>> Connecting to 216.52.211.91:443... connected.
>>>>>>>>
>>>>>>>>
>>>>>>>> 20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.],
>>>>>>>> seq 3298140140, ack 2463587275, win 8208, options [nop,nop,TS val
>>>>>>>> 2824990869 ecr 3731400338], length 0
>>>>>>>> 20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.],
>>>>>>>> seq 1, ack 1, win 8208, length 0
>>>>>>>> 20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S],
>>>>>>>> seq 3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val
>>>>>>>> 2824990923 ecr 0], length 0
>>>>>>>> 20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.],
>>>>>>>> seq 361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale
>>>>>>>> 3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
>>>>>>>> 20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.],
>>>>>>>> ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length
>>>>>>>> 0
>>>>>>>> 20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.],
>>>>>>>> ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length
>>>>>>>> 139
>>>>>>>> 20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.],
>>>>>>>> ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932],
>>>>>>>> length 1368
>>>>>>>> 20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.],
>>>>>>>> ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932],
>>>>>>>> length 1368
>>>>>>>> 20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.],
>>>>>>>> ack 2737, win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928],
>>>>>>>> length 0
>>>>>>>>
>>>>>>>> 20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.],
>>>>>>>> seq 4233:4288, ack 140, win 534, length 55
>>>>>>>>
>>>>>>>>  any help or suggestions would be great, I would like to disable
>>>>>>>> the rule that is blocking this connection but like I said I cannot see
>>>>>>>> which rule blocked it.
>>>>>>>>
>>>>>>>>  Thanks.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> Is your legacy SCM system holding you back? Join Perforce May 7 to
>>>>>>>> find out:
>>>>>>>> • 3 signs your SCM is hindering your productivity
>>>>>>>> • Requirements for releasing software faster
>>>>>>>> • Expert tips and advice for migrating your SCM now
>>>>>>>> http://p.sf.net/sfu/perforce
>>>>>>>>
>>>>>>>>  _______________________________________________
>>>>>>>> Snort-devel mailing list
>>>>>>>> Snort-devel at lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>>>>> Archive:
>>>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>>>>>>
>>>>>>>> Please visit http://blog.snort.org for the latest news about Snort!
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140512/63af77d9/attachment.html>


More information about the Snort-devel mailing list