[Snort-users] Snort unable to drop packets in inline mode

Rishabh Shah rishabh420 at ...11827...
Sun Feb 22 10:17:11 EST 2015


Hi James,

Thanks for looking into this. In your case, the HTTP request is getting
blocked by snort. But the same is not happening in my case. Any other
command output that could help you figure out this issue?

On Sun, Feb 22, 2015 at 7:55 PM, James Lay <jlay at ...13475...> wrote:

> On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote:
> >
> > Hi Snort-Experts,
> >
> > I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit). Snort is unable
> > to drop packets, despite a drop alert being generated:
> >
> > 02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**]
> > [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80
> >
> > -> The following rule in the snort.rules file is getting triggered for the
> > above alert log.
> >
> > drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)
> >
> > ===============================================================================
> > Action Stats:
> >      Alerts:            7 (  1.118%)
> >      Logged:            7 (  1.118%)
> >      Passed:            0 (  0.000%)
> > Limits:
> >       Match:            0
> >       Queue:            0
> >         Log:            0
> >       Event:            0
> >       Alert:            0
> > Verdicts:
> >       Allow:          231 ( 36.435%)
> >       Block:            0 (  0.000%)
> >     Replace:            0 (  0.000%)
> >   Whitelist:            0 (  0.000%)
> >   Blacklist:          394 ( 62.145%)
> >      Ignore:            0 (  0.000%)
> >       Retry:            0 (  0.000%)
> > ===============================================================================
>
>
>
>
>
> Interestingly, Blacklist means getting
> dropped/blocked/not-allowed-through/whatever you want to call it.  Case in
> point below:
>
> start line:
> sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none
>
> [ Number of patterns truncated to 20 bytes: 0 ]
> afpacket DAQ configured to inline.
> Acquiring network traffic from "eth1:eth2".
> Reload thread starting...
> Reload thread started, thread 0x7f383d236700 (3419)
>
>         --== Initialization Complete ==--
>
> snort rule:
> drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get";
> content:"index"; http_uri; sid:1000003; rev:1;)
>
> wget from remote box:
> [07:09:05 $] wget http://192.168.1.73/index.html
> --2015-02-22 07:09:44--  http://192.168.1.73/index.html
> Connecting to 192.168.1.73:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by
> peer) in headers.
> Retrying.
>
> --2015-02-22 07:09:45--  (try: 2)  http://192.168.1.73/index.html
> Connecting to 192.168.1.73:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by
> peer) in headers.
> Retrying.
>
> --2015-02-22 07:09:47--  (try: 3)  http://192.168.1.73/index.html
> Connecting to 192.168.1.73:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by
> peer) in headers.
> Retrying.
>
> tshark on ips box:
>  31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP 74
> 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201101
> TSecr=0 WS=128
>  32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP 74
> 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1
> TSval=54730 TSecr=1201101 WS=16
>  33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP 66
> 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101 TSecr=54730
>  34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73 HTTP 186 GET
> /index.html HTTP/1.1
>  35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP 66
> 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731 TSecr=1201101
>  36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP 54
> 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>  37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP 74
> 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201852
> TSecr=0 WS=128
>  38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP 74
> 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1
> TSval=55481 TSecr=1201852 WS=16
>  39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP 66
> 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852 TSecr=55481
>  40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73 HTTP 186 GET
> /index.html HTTP/1.1
>  41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP 66
> 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482 TSecr=1201852
>  42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2  HTTP 557
> HTTP/1.1 200 OK  (text/html)
>  43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP 54
> 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>  46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP 74
> 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1202853
> TSecr=0 WS=128
>  47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP 74
> 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1
> TSval=56483 TSecr=1202853 WS=16
>  48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP 66
> 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853 TSecr=56483
>  49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73 HTTP 186 GET
> /index.html HTTP/1.1
>  50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP 66
> 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483 TSecr=1202854
>  51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP 54
> 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>
> snort result using console:
> 02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get
> [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
> 02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get
> [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
> 02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get
> [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80
>
> and lastly, snort stats after kill:
>
> ===============================================================================
> Packet I/O Totals:
>    Received:           57
>    Analyzed:           57 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:           12                  <----------- injected RST I am
> guessing
>
> ===============================================================================
>
>
> ===============================================================================
> Action Stats:
>      Alerts:            6 ( 10.526%)
>      Logged:            6 ( 10.526%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:           50 ( 87.719%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            7 ( 12.281%)
>      Ignore:            0 (  0.000%)
>       Retry:            0 (  0.000%)
>
> And there ya go.
>
> James
>
>



-- 
Regards,
Rishabh Shah.
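The thread turns on reading Snort's shutdown counters correctly: James points out that Blacklist verdicts are the ones that mean a flow was actually blocked, and that the Injected counter is packets Snort sent itself. The Python below is an added example, not code from either poster and not Snort's own; it parses the "Packet I/O Totals" and "Action Stats" blocks in the form shown in both messages (embedded here as constructed samples copied from the two posts) and reports the conditions under which a [Drop] alert would not become an enforced drop. It assumes the DAQ announces its mode with a line of the form "<name> DAQ configured to <mode>." as the afpacket DAQ does in James's startup output; the helper names parse_snort_stats and enforcement_check are mine.

```python
"""Parse the counters Snort 2.9 prints at shutdown and check whether drop
verdicts could actually have been enforced. Added example, not Snort code."""
import re
import sys

# Constructed sample: James's startup lines and shutdown stats from the thread
# (Limits block abridged, "<--- injected RST" annotation removed so it parses).
JAMES_OUTPUT = """\
afpacket DAQ configured to inline.
Acquiring network traffic from "eth1:eth2".
===============================================================================
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12
===============================================================================
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
"""

# Constructed sample: Rishabh's stats block. His post shows no DAQ startup line
# and no Packet I/O block, so both stay absent here as well.
RISHABH_OUTPUT = """\
===============================================================================
Action Stats:
     Alerts:            7 (  1.118%)
     Logged:            7 (  1.118%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
Verdicts:
      Allow:          231 ( 36.435%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          394 ( 62.145%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
"""

# Assumption: a DAQ module reports its mode as "<name> DAQ configured to <mode>."
DAQ_MODE = re.compile(r"(\w+) DAQ configured to (\w+)\.")
SECTION = re.compile(r"^([A-Za-z/ ]+):\s*$")           # e.g. "Verdicts:"
COUNTER = re.compile(r"^\s*([A-Za-z]+):\s+(\d+)\b")     # e.g. "  Blacklist:  394 (...)"


def parse_snort_stats(text):
    """Return (daq_mode or None, {section: {counter: int}})."""
    daq_mode, section, stats = None, None, {}
    for line in text.splitlines():
        m = DAQ_MODE.search(line)
        if m:
            daq_mode = m.group(2)
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip()
            stats.setdefault(section, {})
            continue
        m = COUNTER.match(line)
        if m and section is not None:
            stats[section][m.group(1)] = int(m.group(2))
    return daq_mode, stats


def enforcement_check(daq_mode, stats):
    """List the reasons a [Drop] alert may not have become a real drop."""
    findings = []
    actions = stats.get("Action Stats", {})
    verdicts = stats.get("Verdicts", {})
    # Block and Blacklist are the verdicts that stop traffic (James's point:
    # a Blacklist verdict means the flow was dropped, even with Block at 0).
    enforced = verdicts.get("Block", 0) + verdicts.get("Blacklist", 0)
    if daq_mode != "inline":
        findings.append("DAQ mode is %r, not inline: verdicts are recorded "
                        "but the DAQ never enforces them" % daq_mode)
    if actions.get("Alerts", 0) and enforced == 0:
        findings.append("alerts fired but no Block/Blacklist verdict was issued")
    return findings


if __name__ == "__main__":
    # Usage: python snort_stats_check.py [snort-console-output.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else JAMES_OUTPUT
    mode, stats = parse_snort_stats(text)
    print("DAQ mode:", mode)
    for name, counters in stats.items():
        print(name, counters)
    for finding in enforcement_check(mode, stats) or ["no enforcement problem found"]:
        print("-", finding)
```

Run against James's output the check is silent: the DAQ is inline and the seven Blacklist verdicts line up with the six [Drop] alerts. Run against the stats Rishabh posted it reports only that no inline DAQ mode line was seen, which is the first thing to confirm (the startup banner and the -Q / --daq options on the command line) before looking anywhere else, since the 394 Blacklist verdicts show Snort is deciding to block but nothing is acting on that decision.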