[Snort-users] Trigger anomalies (on LXC container versus host)

Al Lewis (allewi) allewi at ...589...
Sun May 3 19:03:55 EDT 2015

The pcaps are needed for replay and testing against. 

As a test... if you run snort from both of your other instances and replay the packets  the outputs should be the same when using the "-r" flag.

If the results are the same then you know you have a problem with your setup and with packets coming off the wire.

You could also replay the pcaps (using tcpreplay ) and look at the exit stats to see if the packets are making it into snort correctly.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: Chris [mailto:berzerkatives at ...11827...] 
Sent: Sunday, May 03, 2015 6:33 PM
To: Al Lewis (allewi)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Trigger anomalies (on LXC container versus host)

Hi Albert,

Absolutely, thanks for getting back to me, and I'd be more than happy to provide extra information.

I'm guessing pcaps wouldn't be of any use as running tcpdump on the container and hypervisor at the same time yielded the exact same packets (that one system flagged, and the other ignored). I've just taken a moment to diff the packet capture that would be expected to trigger Snort, and the only difference is a very slight timestamp difference.

Like I say, the configs are pretty much vanilla Debian with the smallest amount of tweaking for interface names, and not much else.
Should I just tar up /etc/snort and send it over?

On Sun, 3 May 2015 19:04:27 +0000
"Al Lewis (allewi)" <allewi at ...589...> wrote:

> Hello,
> 	It would help if you could provide some pcaps of the traffic in 
> question. Also a snort.conf or the rules that are involved.
> Thanks!
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
> -----Original Message-----
> From: Chris [mailto:berzerkatives at ...11827...]
> Sent: Sunday, May 03, 2015 9:31 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Trigger anomalies (on LXC container versus
> host)
> I'm observing a problematic difference in behaviour between two 
> instances of Snort that are configured identically (recursive diff'ed 
> their config dirs, and compared their initialisation outputs) aside 
> from the required differences (interfaces names) as one is running 
> inside an LXC container, listening to its single virtual interface, 
> and the other instance is on the hypervisor/base OS listening to the 
> bridge interface that all the containers are attached to. The 
> container receives traffic through NAT'ing rules on the hypervisor.
> What I see is that certain rules aren't being triggered on the 
> container instance of Snort, but are being triggered on the 
> hypervisor. This is despite being able to see the packets that trigger 
> these rules appear on both machines (hypervisor and
> container) using tcpdump to view the respective interfaces that Snort 
> is configured to listen on. Specifically, the rules that I've noticed 
> are being ignored are those that involve HTTP header inspection, like 
> GET /test.cgi.
> Like I said, I can see what look like the EXACT SAME packets on these 
> respective interfaces, so I've tried the following troubleshooting 
> without any luck.
>  * Switching off Snort on the hypervisor in case it was interfering.
>  * Creating a rule that triggers for any packet that is considered to
>    be web traffic (i.e. EXTERNAL any -> HTTP HTTP_PORT) and this
>    triggers for those packets without issue, so it's not a problem 
> with those variables being misconfigured.
>  * Wondering whether LXC doesn't properly isolate the interfaces
>    somehow, so I tried configuring the container Snort to use the
>    bridge interface on the hypervisor, however it correctly wasn't 
> able to use it (as it didn't exist inside the container, of course).
> So I'm stuck as to where to go next. The container is where I want 
> Snort to be running, as it's my load balancer (including SSL
> termination) so that's where I would like to detect and block rogue 
> traffic. The only reason that I run it on the hypervisor is to just 
> see whether any concerning traffic is bypassing the load balancer, and 
> whether undesirable traffic is being generated by services behind it.
> Thanks for your time, I really hope someone can shed some light on 
> this frustrating situation. Very happy to answer any questions about 
> the setup, including configuration specifics, though they're 
> essentially vanilla installions on Debian Wheezy straight out of apt.
> ----------------------------------------------------------------------
> -------- One dashboard for servers and applications across 
> Physical-Virtual-Cloud Widest out-of-the-box monitoring support with
> 50+ applications Performance metrics, stats and reports that give you
> Actionable Insights Deep dive visibility with transaction tracing 
> using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________ Snort-users mailing 
> list Snort-users at lists.sourceforge.net Go to this URL to change user 
> options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
> list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!

More information about the Snort-users mailing list