[Snort-users] Snort unable to drop packets in inline mode

James Lay jlay at ...13475...
Sun Feb 22 10:59:46 EST 2015


On Sun, 2015-02-22 at 20:47 +0530, Rishabh Shah wrote:
> Hi James,
> 
> 
> 
> Thanks for looking into this. In your case, the HTTP request is
> getting blocked by snort. But the same is not happening in my case.
> Any other command output that could help you figure out this issue?
> 
> 
> On Sun, Feb 22, 2015 at 7:55 PM, James Lay <jlay at ...13475...>
> wrote:
> 
>         On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote: 
>         
>         > Hi Snort-Experts,
>         > 
>         > 
>         > I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit).
>         > Snort is unable to drop packets, despite a drop alert being
>         > generated:
>         > 02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are
>         > blocked [**] [Priority: 0]
>         > {TCP} 192.168.10.1:53013 -> 157.166.226.25:80
>         > 
>         > 
>         > -> Following rule in snort.rules file is getting triggered
>         > for the above alert log.
>         > drop tcp any any -> any 80 (msg: "you are blocked"; sid:
>         > 1112111; rev: 1;)
>         > 
>         > 
>         
>         
>         
>         > 
>         > ===============================================================================
>         > Action Stats:
>         >      Alerts:            7 (  1.118%)
>         >      Logged:            7 (  1.118%)
>         >      Passed:            0 (  0.000%)
>         > Limits:
>         >       Match:            0
>         >       Queue:            0
>         >         Log:            0
>         >       Event:            0
>         >       Alert:            0
>         > Verdicts:
>         >       Allow:          231 ( 36.435%)
>         >       Block:            0 (  0.000%)
>         >     Replace:            0 (  0.000%)
>         >   Whitelist:            0 (  0.000%)
>         >   Blacklist:          394 ( 62.145%)
>         >      Ignore:            0 (  0.000%)
>         >       Retry:            0 (  0.000%)
>         > ===============================================================================
>         > 
>         
>         
>         Interestingly, Blacklist means getting
>         dropped/blocked/not-allowed-through/whatever you want to call
>         it.  Case in point below:
>         
>         start line:
>         sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A
>         console -k none
>         
>         [ Number of patterns truncated to 20 bytes: 0 ]
>         afpacket DAQ configured to inline.
>         Acquiring network traffic from "eth1:eth2".
>         Reload thread starting...
>         Reload thread started, thread 0x7f383d236700 (3419)
>         
>                 --== Initialization Complete ==--
>         
>         snort rule:
>         drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index
>         Get"; content:"index"; http_uri; sid:1000003; rev:1;)
>         
>         wget from remote box:
>         [07:09:05 $] wget http://192.168.1.73/index.html
>         --2015-02-22 07:09:44--  http://192.168.1.73/index.html
>         Connecting to 192.168.1.73:80... connected.
>         HTTP request sent, awaiting response... Read error (Connection
>         reset by peer) in headers.
>         Retrying.
>         
>         --2015-02-22 07:09:45--  (try: 2)
>         http://192.168.1.73/index.html
>         Connecting to 192.168.1.73:80... connected.
>         HTTP request sent, awaiting response... Read error (Connection
>         reset by peer) in headers.
>         Retrying.
>         
>         --2015-02-22 07:09:47--  (try: 3)
>         http://192.168.1.73/index.html
>         Connecting to 192.168.1.73:80... connected.
>         HTTP request sent, awaiting response... Read error (Connection
>         reset by peer) in headers.
>         Retrying.
>         
>         tshark on ips box:
>         31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP
>         74 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
>         TSval=1201101 TSecr=0 WS=128
>         32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP
>         74 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460
>         SACK_PERM=1 TSval=54730 TSecr=1201101 WS=16
>         33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP
>         66 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101
>         TSecr=54730
>         34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73
>         HTTP 186 GET /index.html HTTP/1.1 
>         35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP
>         66 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731
>         TSecr=1201101
>         36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP
>         54 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>         37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP
>         74 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
>         TSval=1201852 TSecr=0 WS=128
>         38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP
>         74 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460
>         SACK_PERM=1 TSval=55481 TSecr=1201852 WS=16
>         39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP
>         66 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852
>         TSecr=55481
>         40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73
>         HTTP 186 GET /index.html HTTP/1.1 
>         41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP
>         66 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482
>         TSecr=1201852
>         42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2
>         HTTP 557 HTTP/1.1 200 OK  (text/html)
>         43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP
>         54 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>         46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP
>         74 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
>         TSval=1202853 TSecr=0 WS=128
>         47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP
>         74 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460
>         SACK_PERM=1 TSval=56483 TSecr=1202853 WS=16
>         48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP
>         66 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853
>         TSecr=56483
>         49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73
>         HTTP 186 GET /index.html HTTP/1.1 
>         50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP
>         66 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483
>         TSecr=1202854
>         51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP
>         54 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>         
>         snort result using console:
>         02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic
>         Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 ->
>         192.168.1.73:80
>         02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic
>         Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 ->
>         192.168.1.73:80
>         02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic
>         Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 ->
>         192.168.1.73:80
>         
>         and lastly, snort stats after kill:
>         ===============================================================================
>         Packet I/O Totals:
>            Received:           57
>            Analyzed:           57 (100.000%)
>             Dropped:            0 (  0.000%)
>            Filtered:            0 (  0.000%)
>         Outstanding:            0 (  0.000%)
>            Injected:           12                  <-----------
>         injected RST I am guessing
>         ===============================================================================
>         
>         ===============================================================================
>         Action Stats:
>              Alerts:            6 ( 10.526%)
>              Logged:            6 ( 10.526%)
>              Passed:            0 (  0.000%)
>         Limits:
>               Match:            0
>               Queue:            0
>                 Log:            0
>               Event:            0
>               Alert:            0
>         Verdicts:
>               Allow:           50 ( 87.719%)
>               Block:            0 (  0.000%)
>             Replace:            0 (  0.000%)
>           Whitelist:            0 (  0.000%)
>           Blacklist:            7 ( 12.281%)
>              Ignore:            0 (  0.000%)
>               Retry:            0 (  0.000%)
>         
>         And there ya go.
>         
>         James
>         
>         
>         _______________________________________________
>         Snort-users mailing list
>         Snort-users at lists.sourceforge.net
>         Go to this URL to change user options or unsubscribe:
>         https://lists.sourceforge.net/lists/listinfo/snort-users
>         Snort-users list archive:
>         http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>         
>         Please visit http://blog.snort.org to stay current on all the
>         latest Snort news!
> 
> -- 
> 
> Regards,
> 
> Rishabh Shah.


Rishabh,

How are you confirming that this isn't getting
dropped/blocked/blacklisted?  Do you have a capture, or can you capture
on the IPS to see what the traffic is looking like?

James
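The thread turns on two pieces of evidence: the Verdicts block of Snort's shutdown statistics (where "Blacklist" is a blocking verdict, as James points out) and the [Drop] lines from console alerting. The following is an added example, not code from the thread or from the Snort project: a small Python checker that parses both and reports whether the sensor actually blocked anything, so that a stats dump like the original poster's (Block 0, Blacklist 394) is read correctly. The sample text is constructed from the figures James posted; the rule that Block covers one packet while Blacklist covers the rest of the flow is standard DAQ verdict semantics, which is why Blacklist normally exceeds the number of drop alerts.

```python
"""Interpret Snort -Q (inline) shutdown statistics and console [Drop] events.

Added example for the Snort-users thread above; not Snort's own code.
"""
import re

# Constructed sample: the "snort stats after kill" James posted, without
# his "<-----" annotation on the Injected line.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12
===============================================================================
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
     Passed:            0 (  0.000%)
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
"""

# Constructed sample: the three -A console lines from the same run.
SAMPLE_CONSOLE = """\
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80
"""

# A counter line is "<Name>: <integer>" possibly followed by a percentage;
# section headers such as "Packet I/O Totals:" or "Verdicts:" have no number
# on their line and therefore do not match.
COUNTER_RE = re.compile(r"^\s*([A-Za-z]+):\s+(\d+)", re.MULTILINE)
# "[Drop] [**] [gid:sid:rev]" as printed by the console alert output.
DROP_RE = re.compile(r"\[Drop\]\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]")


def parse_stats(text):
    """Return {counter_name: int} for every counter line in a stats dump.

    Names are unique in the blocks we care about; a repeated name would
    simply keep the last value seen.
    """
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def count_drop_alerts(console_text):
    """Count [Drop] events per gid:sid:rev in -A console output."""
    counts = {}
    for rule_id in DROP_RE.findall(console_text):
        counts[rule_id] = counts.get(rule_id, 0) + 1
    return counts


def assess_inline(stats):
    """Decide from the verdict counters whether Snort really blocked traffic.

    Block and Blacklist are both blocking verdicts: Block drops the single
    packet, Blacklist drops it and every later packet of the same flow, so a
    drop rule hitting a TCP session usually shows up as Blacklist and the
    count exceeds the number of drop alerts.  Injected counts packets Snort
    sent itself; in the thread James attributes them to the RSTs that tore
    down the blocked sessions (the tshark trace shows the RST,ACKs).
    """
    block = stats.get("Block", 0)
    blacklist = stats.get("Blacklist", 0)
    blocked = block + blacklist
    notes = []
    if blocked == 0:
        notes.append("no blocking verdicts: drop rules are alerting only "
                     "(check -Q, the DAQ inline mode and the rule action)")
    else:
        notes.append("%d packets blocked (Block=%d, Blacklist=%d)"
                     % (blocked, block, blacklist))
    injected = stats.get("Injected", 0)
    if injected:
        notes.append("%d packets injected: Snort actively closed sessions"
                     % injected)
    return {"blocking": blocked > 0, "blocked_packets": blocked,
            "injected": injected, "notes": notes}


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS)
    print("drop alerts per rule:", count_drop_alerts(SAMPLE_CONSOLE))
    for line in assess_inline(stats)["notes"]:
        print(line)
```

Run against the original poster's figures (Block 0, Blacklist 394) the same checker reports blocking in effect, which is the point James makes: the confirmation has to come from a capture of what the client actually sees, not from the absence of a "Block" count.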