[Snort-users] help - React keyword use to display message on web browser

Al Lewis (allewi) allewi at ...589...
Fri Apr 1 11:07:19 EDT 2016


Thanks. We will take a look.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Amul Patel [mailto:amulpatel.biz at ...11827...]
Sent: Friday, April 01, 2016 1:20 AM
To: Al Lewis (allewi)
Cc: wkitty42 at ...14940...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] help - React keyword use to display message on web browser

Hi Albert,

Its working only with --daq dump mode.

Can you please try once with NFQ ? There is difference  snort mode i.e. daq type dump & nfq.
I observed Its not working for nfq.

Config NFQ setting to test:

Update firewall rule as mentioned below which will move traffic to NFQ 1 and attached is the snort conf file to work with NFQ 1.

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1

now run snort with following command :   snort -c /etc/snort/TEST_snort.conf -Q  -k none  -Acmg -H -U


now try curl to access url.

# curl google.co.in<http://google.co.in>




Please check which rules get triggered.

Here I see "established" keyword rules does not hit and only rule - drop tcp any any <> any any (msg:"NO FLOW";content:"GET";nocase; react:msg;sid:4; ) gets triggered but no react message sent because of connection was not established for snort.

04/01-05:16:06.414514  [Drop] [**] [1:4:0] NO FLOW [**] [Priority: 0] {TCP} 10.10.10.131:45708<http://10.10.10.131:45708> -> 216.58.197.67:80<http://216.58.197.67:80>
04/01-05:16:06.414514 10.10.10.131:45708<http://10.10.10.131:45708> -> 216.58.197.67:80<http://216.58.197.67:80>
TCP TTL:64 TOS:0x0 ID:55284 IpLen:20 DgmLen:128 DF
***AP*** Seq: 0x8A645331  Ack: 0xA37FF501  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 17401029 537707313
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
48 6F 73 74 3A 20 67 6F 6F 67 6C 65 2E 63 6F 2E  Host: google.co<http://google.co>.
69 6E 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  in..User-Agent:
63 75 72 6C 2F 37 2E 34 33 2E 30 0D 0A 41 63 63  curl/7.43.0.<http://7.43.0.>.Acc
65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A              ept: */*....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Thanks,
Amul Patel


On Thu, Mar 31, 2016 at 7:59 PM, Al Lewis (allewi) <allewi at ...589...<mailto:allewi at ...589...>> wrote:
Works for me.. but ONLY when inline when using the drop keyword. You can use -Aconsole:test to see which packet it is triggering on.

[root at ...17428... snort-2.9.8.0-build_214]# less etc/FLOW-ISSUE.conf | grep drop
drop tcp any any <> any any (msg:"FLOW";flow:from_client,established;content:"GET";nocase; react:msg;sid:2; )
drop tcp any any <> any any (msg:"NO FLOW";content:"GET";nocase; react:msg;sid:3; )


[root at ...17428... snort-2.9.8.0-build_214]# ./bin/snort -c etc/FLOW-ISSUE.conf -Q --daq dump --daq-var load-mode=read-file -r etc/FLOW-ISSUE.pcap -Acmg -H -U -k none -q
03/31-13:22:02.747754  [Drop] [**] [1:3:0] NO FLOW [**] [Priority: 0] {TCP} 10.0.2.15:42250<http://10.0.2.15:42250> -> 74.125.22.105:80<http://74.125.22.105:80>
03/31-13:22:02.747754 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800 len:0x84
10.0.2.15:42250<http://10.0.2.15:42250> -> 74.125.22.105:80<http://74.125.22.105:80> TCP TTL:64 TOS:0x0 ID:5752 IpLen:20 DgmLen:118 DF
***AP*** Seq: 0x603FBC47  Ack: 0x177002  Win: 0x7210  TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
55 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C  User-Agent: curl
2F 37 2E 34 30 2E 30 0D 0A 48 6F 73 74 3A 20 77  /7.40.0.<http://7.40.0.>.Host: w
77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 41  ww.google.com..A
63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A        ccept: */*....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


03/31-13:22:02.747754  [Drop] [**] [1:2:0] FLOW [**] [Priority: 0] {TCP} 10.0.2.15:42250<http://10.0.2.15:42250> -> 74.125.22.105:80<http://74.125.22.105:80>
03/31-13:22:02.747754 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800 len:0x84
10.0.2.15:42250<http://10.0.2.15:42250> -> 74.125.22.105:80<http://74.125.22.105:80> TCP TTL:64 TOS:0x0 ID:5752 IpLen:20 DgmLen:118 DF
***AP*** Seq: 0x603FBC47  Ack: 0x177002  Win: 0x7210  TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
55 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C  User-Agent: curl
2F 37 2E 34 30 2E 30 0D 0A 48 6F 73 74 3A 20 77  /7.40.0.<http://7.40.0.>.Host: w
77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 41  ww.google.com..A
63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A        ccept: */*....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


[root at ...17428... snort-2.9.8.0-build_214]# ./bin/snort -c etc/FLOW-ISSUE.conf -r /tmp/FLOW-ISSUE.pcap -Acmg -H -U -k none -q
[root at ...17428... snort-2.9.8.0-build_214]# ./bin/snort -c etc/FLOW-ISSUE.conf -Q --daq dump --daq-var load-mode=read-file -r etc/FLOW-ISSUE.pcap -Aconsole:test -H -U -k none -q
4              1              3              0
4              1              2              0

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...<mailto:allewi at ...589...>

From: Amul Patel [mailto:amulpatel.biz at ...11827...<mailto:amulpatel.biz at ...11827...>]
Sent: Thursday, March 31, 2016 10:18 AM
To: wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>; snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>

Subject: Re: [Snort-users] help - React keyword use to display message on web browser

Thanks for detail explanations..
I need to clarify i.e. how and when snort rule will act on established connection?

Such as i have rule which shuld trigger if content keyword matched and send message to browser.
Since react will send messages to browser only if connection is established.

But when i use flow:established then even rule does not triggered. It means for snort, connection is still not established otherwise rule could have triggered.

So is there any configuration to make rule to be work with established connection? ?

Thanks
Amul Patel



Sent from my Samsung device


-------- Original message --------
From: wkitty42 at ...14940...<mailto:wkitty42 at ...14940...>
Date: 31/03/2016 7:31 pm (GMT+05:30)
To: snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] help - React keyword use to display message on web browser

On 03/31/2016 09:11 AM, Amul Patel wrote:
> Does any one know how snort know that connection is established ?

a connection is seen as established when the three-way handshake has been
completed... of course that only works for TCP connections as UDP doesn't
handshake like that...

an established connection is no longer established when one side or the other
sends the initial FIN teardown request... this is a four-way pattern of FIN,
ACK, FIN, ACK where the first FIN and last ACK are sent by one end of the
connection and the two middle ones are sent by the other end...

in many many cases, networks stacks drop the connection as soon as they send
their FIN and they don't wait for the ACK to arrive... that can cause what is
known as spurious firewall hits because the ACK is not associated with an
established connection and gets logged and dropped since it has no where to be
sent because the receiver has already shut down the connection and it not
listening any longer...

in other cases, one might send a RST to close the connection abruptly...

so, two ways to teardown a TCP connection... FIN(,ACK,FIN,ACK) and RST...

--
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--



Thanks & Regards,
Amul Patel
07875648886
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160401/29ced734/attachment.html>


More information about the Snort-users mailing list