[Snort-users] Unexpected results with reputation preprocessor - solved

James Lay jlay at ...13475...
Tue May 13 08:28:15 EDT 2014

On Tue, 2014-05-13 at 07:50 -0400, Dave Corsello wrote:

> About 2 months ago, I reported strange results with the reputation 
> preprocessor.  Often, when an inbound packet was blocked, an alert was 
> also generated for an outbound packet with the addresses from the first 
> packet reversed.  It seemed impossible for there to be an outbound 
> response if the inbound traffic was blocked.  Testing confirmed that 
> SMTP traffic from a known blocked address truly was dropped, adding to 
> my confusion.  Joel suggested that the inbound connection, although 
> reported as dropped, was not actually dropped, and that the connection 
> failed because the outbound response was dropped.  This turned out to be 
> the case.  PCAPs showed that during the TCP handshake on an inbound SMTP 
> connection, the inbound SYN packet was getting through Snort.  After a 
> lot of debugging and help from Hui Cau, I found that the problem was due 
> to missing parameters in my snort startup command.  I was trying to 
> start snort in inline mode with the following command:
> snort --daq nfq -c /etc/snort/snort.conf -Q -D
> This seemed to be working fine for quite awhile.  I was using the 
> default queue number 0, and bad traffic across the network bridge was 
> being dropped. Then I enabled reputation blocking, and started seeing 
> problems.  I ended up checking out James Lay's document, "Changing from 
> IDS to IPS with NFQueue" at www.snort.org/docs, which showed the command 
> line:
> snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c 
> /etc/snort/snort.conf
> So, I changed the queue number in my iptables config to 1 (not sure if 
> this was necessary), changed my snort command line to the above, adding 
> daq vars to specify the device and queue number, and SYN packets from 
> reputation-blocked addresses stopped making it through snort.  Problem 
> solved.
> Thanks to Joel and Hui for corresponding with me about this, and to 
> James for his document.
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Glad the doc helped.  Hey Joel it would be great to see a....I dunno
real world use case blog post or faq..complete with iptables and snort
command lines for using snort as an IPS.  Off the top of my head I can
think of:

A dedicated IPS device with three nics (one for management, two for
inbound and outbound) where daq is used with afpacket eth0:eth1
A linuxbox acting as a router and firewall with two nics, one nic is
internal IP, one nic is external IP 
A linuxbox transparent bridge acting as a firewall with two nics, eth0
and eth1 are bridged to br0 
And lastly, a linuxbox where snort will act as HIPS with one nic 

Thanks Joel!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140513/aa16d719/attachment.html>

More information about the Snort-users mailing list