[Snort-users] Snort unable to drop packets in inline mode

Rishabh Shah rishabh420 at ...11827...
Sun Feb 22 12:32:48 EST 2015


Hi James,

Yes, I do have a capture on my Windows 7 PC, which is sitting behind
Snort (Linux).

-> Snort command used:
snort -c /etc/snort/snort.conf -Q -i eth1:eth0 --daq afpacket -k none -A fast


-> Traffic from Windows 7 pc:

%wget cnn.com
--2015-02-22 22:54:36--  http://cnn.com/
Resolving cnn.com (cnn.com)... 157.166.226.26, 157.166.226.25
Connecting to cnn.com (cnn.com)|157.166.226.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.cnn.com/ [following]
--2015-02-22 22:54:37--  http://www.cnn.com/
Resolving www.cnn.com (www.cnn.com)... 103.245.222.185
Connecting to www.cnn.com (www.cnn.com)|103.245.222.185|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://edition.cnn.com/ [following]
--2015-02-22 22:54:38--  http://edition.cnn.com/
Resolving edition.cnn.com (edition.cnn.com)... 103.245.222.185
Reusing existing connection to www.cnn.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 214393 (209K) [text/html]
Saving to: ‘index.html.6’

100%[================================================================================>] 214,393      321KB/s   in 0.7s

2015-02-22 22:54:39 (321 KB/s) - ‘index.html.6’ saved [214393/214393]


Alert on Snort:
02/22-22:54:36.628789  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:54980 -> 103.245.222.185:80



On Sun, Feb 22, 2015 at 9:29 PM, James Lay <jlay at ...13475...> wrote:

>  On Sun, 2015-02-22 at 20:47 +0530, Rishabh Shah wrote:
>
> Hi James,
>
>
>
>  Thanks for looking into this. In your case, the HTTP request is getting
> blocked by snort. But the same is not happening in my case. Any other
> command output that could help you figure out this issue?
>
>
>  On Sun, Feb 22, 2015 at 7:55 PM, James Lay <jlay at ...13475...>
> wrote:
>
>  On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote:
>
> Hi Snort-Experts,
>
>
> I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit). Snort is unable
> to drop packets, despite a drop alert being generated:
> 02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80
>
>
> -> The following rule in the snort.rules file is triggered for the above
> alert log.
> drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)
>
>
>
>
>
> ===============================================================================
> Action Stats:
>      Alerts:            7 (  1.118%)
>      Logged:            7 (  1.118%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:          231 ( 36.435%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:          394 ( 62.145%)
>      Ignore:            0 (  0.000%)
>       Retry:            0 (  0.000%)
>
> ===============================================================================
>
>
> Interestingly, Blacklist means getting
> dropped/blocked/not-allowed-through/whatever you want to call it.  Case in
> point below:
>
> start line:
> sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none
>
> [ Number of patterns truncated to 20 bytes: 0 ]
> afpacket DAQ configured to inline.
> Acquiring network traffic from "eth1:eth2".
> Reload thread starting...
> Reload thread started, thread 0x7f383d236700 (3419)
>
>         --== Initialization Complete ==--
>
> snort rule:
> drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)
>
> wget from remote box:
> [07:09:05 $] wget http://192.168.1.73/index.html
> --2015-02-22 07:09:44--  http://192.168.1.73/index.html
> Connecting to 192.168.1.73:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
> Retrying.
>
> --2015-02-22 07:09:45--  (try: 2)  http://192.168.1.73/index.html
> Connecting to 192.168.1.73:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
> Retrying.
>
> --2015-02-22 07:09:47--  (try: 3)  http://192.168.1.73/index.html
> Connecting to 192.168.1.73:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
> Retrying.
>
> tshark on ips box:
> 31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP 74 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201101 TSecr=0 WS=128
> 32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP 74 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=54730 TSecr=1201101 WS=16
> 33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP 66 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101 TSecr=54730
> 34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
> 35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP 66 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731 TSecr=1201101
> 36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP 54 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
> 37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP 74 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201852 TSecr=0 WS=128
> 38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP 74 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=55481 TSecr=1201852 WS=16
> 39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP 66 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852 TSecr=55481
> 40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
> 41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP 66 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482 TSecr=1201852
> 42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2  HTTP 557 HTTP/1.1 200 OK  (text/html)
> 43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP 54 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
> 46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP 74 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1202853 TSecr=0 WS=128
> 47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP 74 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=56483 TSecr=1202853 WS=16
> 48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP 66 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853 TSecr=56483
> 49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
> 50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP 66 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483 TSecr=1202854
> 51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP 54 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>
> snort result using console:
> 02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
> 02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
> 02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80
>
> and lastly, snort stats after kill:
>
> ===============================================================================
> Packet I/O Totals:
>    Received:           57
>    Analyzed:           57 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:           12                  <----------- injected RST I am guessing
>
> ===============================================================================
>
>
> ===============================================================================
> Action Stats:
>      Alerts:            6 ( 10.526%)
>      Logged:            6 ( 10.526%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:           50 ( 87.719%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            7 ( 12.281%)
>      Ignore:            0 (  0.000%)
>       Retry:            0 (  0.000%)
>
> And there ya go.
>
> James
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
>
>
>  --
>
>  Regards,
>
>  Rishabh Shah.
>
>
>
> Rishabh,
>
> How are you confirming that this isn't getting
> dropped/blocked/blacklisted?  Do you have a capture, or can you capture on
> the IPS to see what the traffic is looking like?
>
> James
>
>
>



-- 
Regards,
Rishabh Shah.
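Added example, not code from the thread or from the Snort project: a small Python checker that parses Snort 2.9 fast-alert lines and the Verdicts block of the exit statistics and cross-checks them. It encodes James's point that with the afpacket DAQ a drop rule's verdict is counted under Blacklist rather than Block, so a run that logs [Drop] alerts while Block and Blacklist are both 0 never returned a blocking verdict; if the counters do show blocking verdicts and the client still completes the transfer, as in Rishabh's stats above, the packets are reaching the destination anyway and a capture on the IPS box itself is the next step. Sample input is the alert line and Verdicts block from Rishabh's message.

```python
import re

# Snort 2.9 "-A fast" alert line; the action prefix (e.g. [Drop]) is written when Snort runs inline (-Q).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-[\d:.]+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*\d+\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# One counter line of the "Verdicts:" section in Snort's exit statistics.
VERDICT_RE = re.compile(r"^\s*(Allow|Block|Replace|Whitelist|Blacklist|Ignore|Retry):\s+(\d+)")

# Sample input taken from Rishabh's messages in this thread (alert line and Verdicts block).
SAMPLE_ALERTS = """\
02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80
"""
SAMPLE_STATS = """\
Verdicts:
      Allow:          231 ( 36.435%)
      Block:            0 (  0.000%)
  Blacklist:          394 ( 62.145%)
"""

def parse_fast_alerts(text):
    """Return a dict per parsable fast-format alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["action"] = d["action"] or "Alert"  # no prefix: plain alert, nothing enforced
            alerts.append(d)
    return alerts

def parse_verdicts(text):
    """Map verdict name -> packet count from the Verdicts section."""
    return {m.group(1): int(m.group(2)) for m in map(VERDICT_RE.match, text.splitlines()) if m}

def check_enforcement(alert_text, stats_text):
    """Cross-check [Drop] alerts against the DAQ verdict counters. With the afpacket DAQ a
    drop rule's verdict is counted under Blacklist, not Block, so both count as blocking;
    [Drop] alerts with zero blocking verdicts mean the drop was logged but never returned."""
    drops = [a for a in parse_fast_alerts(alert_text) if a["action"] == "Drop"]
    verdicts = parse_verdicts(stats_text)
    blocked = verdicts.get("Block", 0) + verdicts.get("Blacklist", 0)
    return {
        "drop_alerts": len(drops),
        "blocked_verdicts": blocked,
        "verdicts_consistent": (len(drops) == 0) == (blocked == 0),
        "dropped_flows": sorted({(a["src"], a["sport"], a["dst"], a["dport"]) for a in drops}),
    }
```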