[Snort-users] Ongoing reputation issues

James Lay jlay at ...13475...
Wed May 21 12:09:59 EDT 2014


On 2014-05-21 09:23, Dave Corsello wrote:
> I was recently able to clear up problems with the reputation
> preprocessor on my home system by adding a couple of parameters to my
> snort start-up command.  I applied that change at a client location, but
> the reputation problems continue at the client.  The problem is that in
> an outbound HTTP request to a reputation-blocked IP address, the request
> fails, but pcaps show that the TCP handshake succeeds.  Also, snort
> alerts that the SYN and SYN ACK packets are blocked, even though they
> are not.  So snort is making a decision that is not followed by the NFQ
> DAQ and/or iptables for some reason.
>
> Following are the contents of the main configuration files;  they are
> identical to the config files on my home office system except for the IP
> addresses.  My distro is Ubuntu server 10.04.3 LTS, my snort version is
> 2.9.6.1 and my daq version is 2.0.2.  Snort was configured with
> --enable-sourcefire and --enable-reload.  DAQ was configured with
> defaults.  Can anyone spot a problem that would allow the TCP handshake
> to succeed with a reputation-blocked IP address?
>
> #########################
> /etc/network/interfaces
> #########################
>
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> # The management network interface
> auto eth2
> iface eth2 inet static
>          address a.a.a.a
>          netmask 255.255.255.0
>          network a.a.a.0
>          broadcast a.a.a.255
>          gateway a.a.a.1
>        # dns-* options are implemented by the resolvconf package, if installed
>          dns-nameservers a.a.a.b
>          dns-search mydomain.com
>
> # The bridge for Snort IPS
> auto br0
> iface br0 inet manual
>          bridge-ports eth0 eth1
>          pre-up iptables-restore < /etc/iptables.rules
> #       pre-up iptables-restore < /etc/iptables-noqueue.rules
>
> #########################
> /etc/resolv.conf
> #########################
>
> nameserver a.a.a.b
> nameserver a.a.a.c
> domain mydomain.com
> search mydomain.com
>
> #########################
> /etc/iptables.rules
> #########################
>
> # Generated by iptables-save v1.4.4 on Wed Apr  6 00:59:09 2011
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A FORWARD -j NFQUEUE --queue-num 1
> COMMIT
> # Completed on Wed Apr  6 00:59:09 2011
>
> #########################
> /etc/init/snort.conf
> #########################
>
> # Snort Service
>
> description     "Snort IPS"
> author          "Dave Corsello"
>
> start on (net-device-up
>            and local-filesystems
>            and runlevel [2345])
> stop on runlevel [016]
>
> respawn
>
> exec /usr/local/bin/snort -Q --daq nfq --daq-var device=br0 --daq-var
> queue=1 -c /etc/snort/snort.conf -D
>

Dave,

Can you provide the output of:

sudo iptables -nvL

Thanks.

James
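As an added diagnostic (my own script, not code from either poster), the following shell check verifies the plumbing Dave describes before reading the `iptables -nvL` output by eye: that the FORWARD chain really has a rule handing packets to the NFQUEUE number Snort was started with (`--daq-var queue=1`), that the rule's packet counter is moving, and that only one Snort instance is attached to the nfq DAQ. The function names are mine, the embedded `iptables -nvL FORWARD` samples are constructed for a dry run, and the live part assumes the standard `iptables -nvL` column layout.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): confirm that the FORWARD chain really
# hands packets to the NFQUEUE number Snort was started with (--daq-var queue=1),
# that the counter is moving, and that only one Snort instance owns the queue.

# Constructed samples of `iptables -nvL FORWARD` output, used for a dry run.
SAMPLE_ACTIVE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 61020 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1'
SAMPLE_IDLE='Chain FORWARD (policy ACCEPT 37 packets, 2960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1'

# Read `iptables -nvL FORWARD` output on stdin; print the packet counter of the
# rule targeting NFQUEUE number $1, or nothing if no such rule exists.
nfqueue_pkts() {
    awk -v q="$1" '$3 == "NFQUEUE" {
        for (i = 1; i <= NF; i++) if ($i == "num" && $(i + 1) == q) print $1
    }'
}

# Exit status: 0 = rule present and counting, 1 = rule present but zero packets
# (traffic is not reaching the queue), 2 = no rule for that queue at all.
check_queue() {
    pkts=$(nfqueue_pkts "$1")
    [ -n "$pkts" ] || return 2
    [ "$pkts" -gt 0 ] || return 1
    return 0
}

# Live report; run as root on the sensor (queue number defaults to 1).
live_report() {
    q="${1:-1}"; rc=0
    iptables -nvL FORWARD | check_queue "$q" || rc=$?
    case $rc in
        0) echo "FORWARD -> NFQUEUE $q: rule present and packets are flowing" ;;
        1) echo "FORWARD -> NFQUEUE $q: rule present but counter is 0; traffic is not reaching Snort" ;;
        2) echo "FORWARD -> NFQUEUE $q: no rule found; Snort is not in the packet path" ;;
    esac
    # More than one Snort on the nfq DAQ means verdicts may come from an
    # instance running a different configuration.
    echo "snort instances using the nfq DAQ: $(ps -eo args | grep -c '[s]nort .*--daq nfq')"
    # Bridged frames only traverse iptables FORWARD when this sysctl is 1.
    [ -r /proc/sys/net/bridge/bridge-nf-call-iptables ] &&
        echo "bridge-nf-call-iptables = $(cat /proc/sys/net/bridge/bridge-nf-call-iptables)"
}

[ "${1:-}" = "--live" ] && live_report "${2:-1}"
```

Run it as `sh check_nfq.sh --live 1` on the sensor; a zero counter or a missing rule explains a handshake that completes despite Snort reporting a block.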