[Snort-users] Ongoing reputation issues

Dave Corsello snort-users at ...15598...
Thu May 22 09:38:23 EDT 2014


On 5/22/2014 6:54 AM, James Lay wrote:
> On Thu, 2014-05-22 at 01:30 -0400, Dave Corsello wrote:
>> On 5/21/2014 10:00 PM, James Lay wrote:
>>> On Wed, 2014-05-21 at 12:50 -0400, Dave Corsello wrote:
>>>> On 5/21/2014 12:09 PM, James Lay wrote:
>>>> > Dave,
>>>> >
>>>> > Can you provide the output of:
>>>> >
>>>> > sudo iptables -nvL
>>>> >
>>>> > Thanks.
>>>> >
>>>> > James
>>>>
>>>> Chain INPUT (policy ACCEPT 4803 packets, 530K bytes)
>>>>    pkts bytes target     prot opt in     out     source destination
>>>>
>>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>>    pkts bytes target     prot opt in     out     source destination
>>>> 2514K 1935M NFQUEUE    all  --  *      *       0.0.0.0/0
>>>> 0.0.0.0/0           NFQUEUE num 1
>>>>
>>>> Chain OUTPUT (policy ACCEPT 527 packets, 109K bytes)
>>>>    pkts bytes target     prot opt in     out     source destination
>>>>
>>>>
>>>
>>> Ok...just sending this to you.  How are you trying to get the 
>>> reputation stuff to drop?  As it sits right now, with my tests, I'm 
>>> in the same boat as you...using either the forward chain or forward 
>>> mangle chain I see the same thing....says blocked, but I still see 
>>> the packets go through.  Here's a rule I've tested:
>>>
>>> drop tcp any any -> any $HTTP_PORTS (msg:"WEB-SERVER Wpad.dat 
>>> request"; flow:to_server,established; content:"wpad.dat"; nocase; 
>>> http_uri; metadata:policy security-ips drop, service http; 
>>> classtype:web-application-attack; sid:10000055; rev:1;)
>>>
>>> I'm sending a screenshot that should pretty much show 
>>> everything...is this what you're seeing?
>>>
>>> James
>>
>> Here's my reputation-related configuration:
>>
>> #############################
>> snort.conf
>> #############################
>>
>> # Reputation preprocessor. For more information see README.reputation
>> preprocessor reputation: \
>>    memcap 500, \
>>    priority blacklist, \
>>    white unblack, \
>>    nested_ip inner, \
>>    whitelist $WHITE_LIST_PATH/default.whitelist, \
>>    blacklist $BLACK_LIST_PATH/default.blacklist, \
>>    blacklist $BLACK_LIST_PATH/custom.blacklist
>>
>> #############################
>> snort.rules
>> #############################
>>
>> # -- Begin GID:136 Based Rules -- #
>>
>> drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; 
>> metadata: rule-type preproc ; classtype:bad-unknown; )
>> alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; 
>> metadata: rule-type preproc ; classtype:bad-unknown; )
>>
>> (Well, that's how the reputation-related rules in snort.rules look 
>> now, after I discovered that I had neglected to add "136:1" to my 
>> pulledpork dropsid.conf.  That rule was set to alert, not drop, and 
>> this was my problem.)
>>
>> Before I applied the above fix, I was seeing a successful handshake, 
>> with SYN, SYN ACK and ACK packets being exchanged between client and 
>> server, and multiple failed retries of the HTTP GET from the client 
>> to the server.  Apparently, strange things happen when the reputation 
>> preprocessor is enabled, but the drop rule is not.
>>
>> What we had in common was multiple retries.  But now I'm fixed--the 
>> SYN packet from client to reputation-blocked server is being dropped 
>> as expected with no traffic coming back the other way.
>>
>> The command line in your document on snort.org differs from what's in 
>> your screenshot.  In the document, you didn't use "--daq-mode inline" 
>> or "-k none".  I don't think you need the daq-mode inline.  I wonder 
>> if that's messing things up.  I don't know what -k none does.  The 
>> command line in your document is what I'm using, and it works for me.
>
> Ok good deal then :)  The daq-mode line and -Q really do the same 
> thing.  As for -k none, that's set to ignore checksums. Thanks Dave.
>
> James 

Thanks for checking into this with me, James.
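The fix Dave describes above (adding "136:1" to pulledpork's dropsid.conf so that the REPUTATION_EVENT_BLACKLIST rule becomes a drop rule rather than an alert) can be checked without re-running pulledpork. The script below is an added example, not pulledpork's own code and not part of this thread: it approximates what dropsid.conf does (rewrite "alert" to "drop" for each listed gid:sid, with a bare sid meaning gid 1) and then answers the question that mattered here, whether 136:1 actually drops. The rule and dropsid lines it operates on are constructed samples based on the rules quoted in the thread; the function and variable names are the example's own.

```python
import re

# Constructed sample: the GID:136 rules quoted in the thread and James's
# wpad.dat test rule, as they would look before dropsid.conf is applied
# (everything still "alert").
SAMPLE_RULES = """\
# -- Begin GID:136 Based Rules -- #
alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; )
alert tcp any any -> any $HTTP_PORTS (msg:"WEB-SERVER Wpad.dat request"; flow:to_server,established; content:"wpad.dat"; nocase; http_uri; sid:10000055; rev:1;)
"""

# Constructed dropsid.conf: one "gid:sid" per line, or a bare sid (gid 1 assumed),
# '#' starts a comment.
SAMPLE_DROPSID = """\
# reputation blacklist hits must drop, not just alert
136:1
10000055
"""

RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|log|sdrop|reject)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_dropsid(text):
    """Return the set of (gid, sid) tuples listed in dropsid.conf-style text."""
    wanted = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if ':' in line:
            gid, sid = line.split(':', 1)
        else:
            gid, sid = '1', line               # bare sid: text rules, gid 1
        wanted.add((int(gid), int(sid)))
    return wanted


def rule_id(rule):
    """(gid, sid) of a rule line, or None if it carries no sid."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_dropsid(rules_text, dropsid_text):
    """Rewrite 'alert' to 'drop' for every rule whose (gid, sid) is in dropsid.

    Returns the rewritten rules text and the list of ids that were changed.
    """
    wanted = parse_dropsid(dropsid_text)
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        ident = rule_id(line) if m else None
        if ident in wanted and m.group('action') == 'alert':
            line = 'drop' + line[len('alert'):]
            changed.append(ident)
        out.append(line)
    return '\n'.join(out) + '\n', changed


def blacklist_rule_drops(rules_text):
    """The check from the thread: is 136:1 (REPUTATION_EVENT_BLACKLIST) a drop rule?"""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and rule_id(line) == (136, 1):
            return m.group('action') == 'drop'
    return False


if __name__ == '__main__':
    print('136:1 drops before:', blacklist_rule_drops(SAMPLE_RULES))
    rewritten, changed = apply_dropsid(SAMPLE_RULES, SAMPLE_DROPSID)
    print('changed:', changed)
    print('136:1 drops after:', blacklist_rule_drops(rewritten))
```

Run it against the real snort.rules that Snort loads (not the pulledpork source files) to confirm the action that is actually in effect; with the preprocessor enabled but 136:1 left as alert, the blacklist match is logged and the packet is still forwarded through NFQUEUE, which is the symptom described in the thread.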
