[Snort-users] Snort unable to drop packets in inline mode

Rishabh Shah rishabh420 at ...11827...
Tue Feb 24 08:57:01 EST 2015


Hi Lewis/James,

I have finally got it working after making some changes in the interface
configuration.

Non-working scenario:

PC(IP-1)----------(IP-2)Ubuntu(Snort)(IP-3)-----------(IP-4)Linux(gw)--------------Internet
In this case, I had assigned IP addresses to both interfaces of the Ubuntu
box, such that IP-1 & IP-2 are in the same network. It seems Snort didn't
make the bridge correctly.
@Lewis: FYI, --daq dump showed the TCP RST. But when I did a packet
capture, it didn't send it to either of the interfaces, which seemed very
strange to me (a bug?).


Working Scenario:

PC(IP-1)----------Ubuntu(Snort)-----------(IP-2)Linux(gw)--------------Internet
I issued: ifconfig eth1 0.0.0.0 and ifconfig eth2 0.0.0.0. Also, I put the
Linux gw (IP-2) and the PC (IP-1) in the same network.

Thanks for all your time and help!

On Mon, Feb 23, 2015 at 5:46 PM, Al Lewis (allewi) <allewi at ...589...> wrote:

>  Also... run snort with the “--daq dump” switch. That should dump a pcap
> named “inline-out.pcap” of the traffic that was seen/processed. You can
> look at that pcap and see if the traffic is being dropped there or not.
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...589...
>
>
>
> *From:* James Lay [mailto:jlay at ...13475...]
> *Sent:* Sunday, February 22, 2015 2:13 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Snort unable to drop packets in inline mode
>
>
>
> Ok....imma top post just because.  Here's what I have on my end that's
> working:
>
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.7.0 GRE (Build 149)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team
>            Copyright (C) 2014 Cisco and/or its affiliates. All rights
> reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.8
>
> snort --daq-list
> Available DAQ modules:
> pcap(v3): readback live multi unpriv
> nfq(v7): live inline multi
> ipfw(v3): live inline multi unpriv
> dump(v2): readback live inline multi unpriv
> afpacket(v5): live inline multi unpriv
>
> config line (pfring lines won't be relevant for you I am guessing):
> ./configure --enable-non-ether-decoders --enable-sourcefire
> --enable-shared-rep --enable-control-socket
> --with-libpcap-includes=/opt/pfring/include
> --with-libpcap-libraries=/opt/pfring/lib
> --with-libpfring-includes=/opt/pfring/include
> --with-libpfring-libraries=/opt/pfring/lib --enable-open-appid
>
> I can't imagine that this would make a difference, but per the README in
> the daq src:
>
> AFPACKET Module
> ===============
>
> afpacket functions similar to the pcap DAQ but with better performance:
>
>     ./snort --daq afpacket -i <device>
>             [--daq-var buffer_size_mb=<#MB>]
>             [--daq-var debug]
>
> If you want to run afpacket in inline mode, you must craft the device
> string as
> one or more interface pairs, where each member of a pair is separated by a
> single colon and each pair is separated by a double colon like this:
>
> I do see in your start that you specify interfaces first, then afpacket
> second, so reverse that to:
>
> sudo snort -c /etc/snort/snort.conf -Q --daq afpacket -i eth1:eth0 -k none
> -A fast
>
> I would also try --daq-var debug if you still get things allowed after
> trying the above.  This test box is Ubuntu 14.04.2 LTS, so we are pretty
> much running the same thing.  Lastly, although seeing the wget session
> helps, try and get an actual packet capture...it will help.
>
> James
>
> On Sun, 2015-02-22 at 23:02 +0530, Rishabh Shah wrote:
>
> Hi James,
>
>
>
>  Yes, I do have a capture on my Windows 7 PC, which is sitting behind
> Snort (Linux).
>
>  -> Snort command used:
>
>  snort -c /etc/snort/snort.conf -Q -i eth1:eth0 --daq afpacket -k none -A
> fast
>
>  -> Traffic from Windows 7 PC:
>
>  %wget cnn.com
>  --2015-02-22 22:54:36--  http://cnn.com/
>  Resolving cnn.com (cnn.com)... 157.166.226.26, 157.166.226.25
>  Connecting to cnn.com (cnn.com)|157.166.226.26|:80... connected.
>  HTTP request sent, awaiting response... 301 Moved Permanently
>  Location: http://www.cnn.com/ [following]
>  --2015-02-22 22:54:37--  http://www.cnn.com/
>  Resolving www.cnn.com (www.cnn.com)... 103.245.222.185
>  Connecting to www.cnn.com (www.cnn.com)|103.245.222.185|:80... connected.
>  HTTP request sent, awaiting response... 302 Found
>  Location: http://edition.cnn.com/ [following]
>  --2015-02-22 22:54:38--  http://edition.cnn.com/
>  Resolving edition.cnn.com (edition.cnn.com)... 103.245.222.185
>  Reusing existing connection to www.cnn.com:80.
>  *HTTP request sent, awaiting response... 200 OK*
>  Length: 214393 (209K) [text/html]
>  Saving to: ‘index.html.6’
>
>  100%[================================================================================>] 214,393      321KB/s   in 0.7s
>
>  2015-02-22 22:54:39 (321 KB/s) - ‘index.html.6’ saved [214393/214393]
>
>  Alert on Snort:
>
>  *02/22-22:54:36.628789  [Drop] [**] [1:1112111:1] you are blocked [**]
> [Priority: 0] {TCP} 192.168.10.1:54980 -> 103.245.222.185:80*
>
>
>  On Sun, Feb 22, 2015 at 9:29 PM, James Lay <jlay at ...13475...>
> wrote:
>
>  On Sun, 2015-02-22 at 20:47 +0530, Rishabh Shah wrote:
>
>  Hi James,
>
>
> Thanks for looking into this. In your case, the HTTP request is getting
> blocked by Snort. But the same is not happening in my case. Any other
> command output that could help you figure out this issue?
>
> On Sun, Feb 22, 2015 at 7:55 PM, James Lay <jlay at ...13475...>
> wrote:
>
> On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote:
>
>  Hi Snort-Experts,
>
>
> I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit). Snort is unable
> to drop packets, despite a drop alert being generated:
> 02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**]
> [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80
>
>
> -> The following rule in the snort.rules file is triggered for the above
> alert:
> drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)
>
>
>
>
>
> ===============================================================================
> Action Stats:
>      Alerts:            7 (  1.118%)
>      Logged:            7 (  1.118%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:          231 ( 36.435%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
> *  Blacklist:          394 ( 62.145%)*
>      Ignore:            0 (  0.000%)
>       Retry:            0 (  0.000%)
>
> ===============================================================================
>
>
> Interestingly, Blacklist means getting
> dropped/blocked/not-allowed-through/whatever you want to call it.  Case in
> point below:
>
> start line:
> sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none
>
> [ Number of patterns truncated to 20 bytes: 0 ]
> afpacket DAQ configured to inline.
> Acquiring network traffic from "eth1:eth2".
> Reload thread starting...
> Reload thread started, thread 0x7f383d236700 (3419)
>
>         --== Initialization Complete ==--
>
> snort rule:
> drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get";
> content:"index"; http_uri; sid:1000003; rev:1;)
>
> wget from remote box:
> [07:09:05 $] wget http://192.168.1.73/index.html
> --2015-02-22 07:09:44--  http://192.168.1.73/index.html
> Connecting to 192.168.1.73:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by
> peer) in headers.
> Retrying.
>
> --2015-02-22 07:09:45--  (try: 2)  http://192.168.1.73/index.html
> Connecting to 192.168.1.73:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by
> peer) in headers.
> Retrying.
>
> --2015-02-22 07:09:47--  (try: 3)  http://192.168.1.73/index.html
> Connecting to 192.168.1.73:80... connected.
> HTTP request sent, awaiting response... Read error (Connection reset by
> peer) in headers.
> Retrying.
>
> tshark on ips box:
> 31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP 74 43815→80
> [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201101 TSecr=0
> WS=128
> 32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP 74 80→43815
> [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=54730
> TSecr=1201101 WS=16
> 33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP 66 43815→80
> [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101 TSecr=54730
> 34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73 HTTP 186 GET
> /index.html HTTP/1.1
> 35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP 66 80→43815
> [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731 TSecr=1201101
> 36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP 54 43815→80
> [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
> 37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP 74 43817→80
> [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201852 TSecr=0
> WS=128
> 38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP 74 80→43817
> [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=55481
> TSecr=1201852 WS=16
> 39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP 66 43817→80
> [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852 TSecr=55481
> 40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73 HTTP 186 GET
> /index.html HTTP/1.1
> 41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP 66 80→43817
> [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482 TSecr=1201852
> 42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2  HTTP 557
> HTTP/1.1 200 OK  (text/html)
> 43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP 54 43817→80
> [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
> 46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP 74 43818→80
> [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1202853 TSecr=0
> WS=128
> 47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP 74 80→43818
> [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=56483
> TSecr=1202853 WS=16
> 48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP 66 43818→80
> [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853 TSecr=56483
> 49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73 HTTP 186 GET
> /index.html HTTP/1.1
> 50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP 66 80→43818
> [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483 TSecr=1202854
> 51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP 54 43818→80
> [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>
> snort result using console:
> 02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get
> [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
> 02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get
> [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
> 02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get
> [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80
>
> and lastly, snort stats after kill:
>
> ===============================================================================
> Packet I/O Totals:
>    Received:           57
>    Analyzed:           57 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:           12                  <----------- injected RST I am
> guessing
>
> ===============================================================================
>
>
> ===============================================================================
> Action Stats:
>      Alerts:            6 ( 10.526%)
>      Logged:            6 ( 10.526%)
>      Passed:            0 (  0.000%)
> Limits:
>       Match:            0
>       Queue:            0
>         Log:            0
>       Event:            0
>       Alert:            0
> Verdicts:
>       Allow:           50 ( 87.719%)
>       Block:            0 (  0.000%)
>     Replace:            0 (  0.000%)
>   Whitelist:            0 (  0.000%)
>   Blacklist:            7 ( 12.281%)
>      Ignore:            0 (  0.000%)
>       Retry:            0 (  0.000%)
>
> And there ya go.
>
> James
>
>
> --
> Regards,
> Rishabh Shah.
>
>   Rishabh,
>
> How are you confirming that this isn't getting
> dropped/blocked/blacklisted?  Do you have a capture, or can you capture on
> the IPS to see what the traffic is looking like?
>
> James
>
>  --
>
>  Regards,
>
>  Rishabh Shah.
>
>



-- 
Regards,
Rishabh Shah.
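An added example, not code from the thread or from the Snort project: a small Python helper that validates an afpacket inline device string the way the DAQ README quoted above defines it (members of a pair joined by a single colon, pairs joined by a double colon), and reads Snort's [Drop] alert lines together with the end-of-run Verdicts and Injected counters to say whether drop rules are actually being turned into Blacklist verdicts, which is what James's stats show for a working inline setup. The stats and alert samples are constructed, modelled on the output quoted in the thread; the function names are mine, the counter and verdict names are Snort's own.

```python
import re
# Constructed samples modelled on the Packet I/O / Verdicts output and the
# console alert format quoted in the thread (not real captures).
SAMPLE_STATS = """\
   Injected:           12
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
"""
SAMPLE_ALERTS = (
    "02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get "
    "[**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80\n"
    "02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get "
    "[**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80\n"
)
COUNTER_RE = re.compile(
    r"^\s*(Allow|Block|Replace|Whitelist|Blacklist|Ignore|Retry|Injected):\s+(\d+)",
    re.M)
DROP_RE = re.compile(
    r"\[Drop\] \[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*?\{(\w+)\} "
    r"([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def afpacket_inline_pairs(devstr):
    """Split 'a:b::c:d' into [('a','b'),('c','d')]; a bare 'eth1' is not inline."""
    pairs = []
    for chunk in devstr.split("::"):
        members = chunk.split(":")
        if len(members) != 2 or not all(members):
            raise ValueError(f"not an interface pair for inline mode: {chunk!r}")
        pairs.append((members[0], members[1]))
    return pairs

def parse_counters(stats):
    """Verdict counts plus Injected from Snort's end-of-run statistics."""
    return {name: int(n) for name, n in COUNTER_RE.findall(stats)}

def parse_drop_alerts(alerts):
    """One dict per [Drop] console/fast alert line."""
    return [{"sid": int(sid), "msg": msg, "proto": proto,
             "src": f"{src}:{sport}", "dst": f"{dst}:{dport}"}
            for _gid, sid, _rev, msg, proto, src, sport, dst, dport
            in DROP_RE.findall(alerts)]

def diagnose(stats, alerts):
    """In inline mode a drop rule shows up as a Blacklist verdict, not Block."""
    c = parse_counters(stats)
    if not parse_drop_alerts(alerts):
        return "no-drop-alerts"
    if c.get("Blacklist", 0) == 0:
        return "alert-only"          # rules fired but no flow was blacklisted
    if c.get("Injected", 0) > 0:
        return "blocked-with-injected"  # flows blacklisted, packets injected too (James guessed RSTs)
    return "blocked"
```

As the non-working scenario in this thread shows, a non-zero Blacklist count only says what Snort decided, not what reached the wire, so confirm with a capture on the far side of the interface pair.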

