[Snort-users] Ongoing reputation issues

Dave Corsello snort-users at ...15598...
Wed May 21 11:23:05 EDT 2014


I was recently able to clear up problems with the reputation 
preprocessor on my home system by adding a couple of parameters to my 
snort start-up command.  I applied that change at a client location, but 
the reputation problems continue at the client.  The problem is that in 
an outbound HTTP request to a reputation-blocked IP address, the request 
fails, but pcaps show that the TCP handshake succeeds.  Also, snort 
alerts that the SYN and SYN ACK packets are blocked, even though they 
are not.  So snort is making a decision that is not followed by the NFQ 
DAQ and/or iptables for some reason.

Following are the contents of the main configuration files;  they are 
identical to the config files on my home office system except for the IP 
addresses.  My distro is Ubuntu server 10.04.3 LTS, my snort version is 
2.9.6.1 and my daq version is 2.0.2.  Snort was configured with 
--enable-sourcefire and --enable-reload.  DAQ was configured with 
defaults.  Can anyone spot a problem that would allow the TCP handshake 
to succeed with a reputation-blocked IP address?

#########################
/etc/network/interfaces
#########################

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# The management network interface
auto eth2
iface eth2 inet static
         address a.a.a.a
         netmask 255.255.255.0
         network a.a.a.0
         broadcast a.a.a.255
         gateway a.a.a.1
       # dns-* options are implemented by the resolvconf package, if installed
         dns-nameservers a.a.a.b
         dns-search mydomain.com

# The bridge for Snort IPS
auto br0
iface br0 inet manual
         bridge-ports eth0 eth1
         pre-up iptables-restore < /etc/iptables.rules
#       pre-up iptables-restore < /etc/iptables-noqueue.rules

#########################
/etc/resolv.conf
#########################

nameserver a.a.a.b
nameserver a.a.a.c
domain mydomain.com
search mydomain.com

#########################
/etc/iptables.rules
#########################

# Generated by iptables-save v1.4.4 on Wed Apr  6 00:59:09 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num 1
COMMIT
# Completed on Wed Apr  6 00:59:09 2011

#########################
/etc/init/snort.conf
#########################

# Snort Service

description     "Snort IPS"
author          "Dave Corsello"

start on (net-device-up
           and local-filesystems
           and runlevel [2345])
stop on runlevel [016]

respawn

exec /usr/local/bin/snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf -D
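
A Snort verdict on an NFQ DAQ only takes effect if the bridged frame actually traverses the iptables FORWARD chain and the NFQUEUE rule hands it to the queue Snort is bound to. The following diagnostic is an added example, not part of the original post or of Snort itself; it assumes the standard `iptables -vnxL FORWARD` output format, the `net.bridge.bridge-nf-call-iptables` sysctl, and the column layout of `/proc/net/netfilter/nfnetlink_queue`, and the sample data in the comments is constructed.

```shell
#!/bin/sh
# Diagnose an inline Snort (NFQ DAQ on a Linux bridge) whose "blocked"
# packets still get through. Helper functions read their input on stdin
# so they can be exercised with constructed sample output; run_live feeds
# them the real commands (invoke as: ./nfq_check.sh --live 1).

# bridge_nf_enabled VALUE: bridged frames only traverse iptables when
# net.bridge.bridge-nf-call-iptables is 1 (br_netfilter). Returns 0 if on.
bridge_nf_enabled() { [ "$1" = "1" ]; }

# nfqueue_pkts: read `iptables -vnxL FORWARD` on stdin and print the exact
# packet counter of the first NFQUEUE rule (prints nothing if none exists).
# Constructed sample row: "4821 3102944 NFQUEUE all -- * * 0.0.0.0/0 ..."
nfqueue_pkts() { awk '$3 == "NFQUEUE" { print $1; exit }'; }

# queue_bound QUEUE_NUM: read /proc/net/netfilter/nfnetlink_queue on stdin.
# Column 1 is the queue number, column 2 the netlink port id of the
# listener (0 means nothing, e.g. Snort, is bound). Returns 0 if bound.
queue_bound() { awk -v q="$1" '$1 == q && $2 != 0 { f = 1 } END { exit !f }'; }

# queue_dropped QUEUE_NUM: print the kernel-side drop counter (column 6).
# A rising value means the kernel dropped packets because no verdict
# came back in time, which is different from Snort blocking them.
queue_dropped() { awk -v q="$1" '$1 == q { print $6; exit }'; }

run_live() {
    q=${1:-1}   # queue number used in the iptables rule and --daq-var queue=
    v=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || echo 0)
    if bridge_nf_enabled "$v"; then
        echo "bridge-nf-call-iptables: on"
    else
        echo "bridge-nf-call-iptables: OFF (bridged frames bypass FORWARD)"
    fi
    p=$(iptables -vnxL FORWARD | nfqueue_pkts)
    echo "FORWARD NFQUEUE rule packets: ${p:-no NFQUEUE rule found}"
    if queue_bound "$q" < /proc/net/netfilter/nfnetlink_queue; then
        d=$(queue_dropped "$q" < /proc/net/netfilter/nfnetlink_queue)
        echo "queue $q: listener bound, kernel-dropped=$d"
    else
        echo "queue $q: NO listener bound (is Snort attached to this queue?)"
    fi
}

case "${1:-}" in --live) run_live "${2:-1}" ;; esac
```

If the NFQUEUE counter stays flat while the client's traffic flows, the frames never reach iptables and Snort is only seeing a copy of them, so its block verdict has nothing to act on.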
