[Snort-users] Issue with snort and Coldfusion

sdesort at ...11827... sdesort at ...11827...
Thu Feb 9 08:32:58 EST 2017


Hello. Please forgive me in advance as I have very little experience with snort and pfsense.

I am running snort 3.2.9.1_14 on a pfSense box we just put online. I have a Windows Coldfusion server and a MS SQL server running, among others, behind pfSense. I am running VRT free, GPLv2 and ET Open rules. I have quite a few rule categories enabled, including IIS/Coldfusion/os windows/webapp/ MSSQL, etc. Obviously these servers are part of $HOME_NET and are bypassed. I have not changed any of the other default snort settings after install.

With pfSense running and snort DISABLED, all is well.

I enabled snort in non-blocking mode for 3 weeks and monitored the logs and bypassed rules that appeared to be overly sensitive. All running well.

Last week, I enabled blocking.

Shortly thereafter, Coldfusion started misbehaving. Namely, jRun would suddenly start spawning threads, accumulating until jrun/java would run out of memory or stall. Killing jrun would clear the problem. This would happen without any common time gap. Sometimes 6 hours after a jrun restart, sometimes 30 hours. No discernable pattern.

Since jrun didn’t appear to log anything about the threads, I could only guess specific times it started by viewing the other Coldfusion logs to see when normal traffic logging stopped to determine an approximate time when the thread-buildup started. Using that info, I inspected the snort logs at various times and saw nothing at all in those logs that might shed light on something being blocked that would cause jrun to behave this way. I was not able to find any correlation between the jrun issue and a snort block that would cause this issue. And none of my internal LAN hosts showed up on the snort block list when the issue was in progress.

After going through this for about a week, I disabled snort blocking. jRun is happy now.

As I understand it, snort intercepts and blocks web requests BEFORE they reach their destination. For example, in a SQL injection rule hit, nothing in that request makes it through to the server. So I don’t see how jrun would be effected by such a block if no part of the http request reaches the destination when that rule is tripped. My thought was that a connection between the client and server was established, coldfusion was trying to run a query, but then AFTER that, the client was blocked, preventing the jrun thread from completing since it was cutoff from the client. But I don’t think that’s the case. Another possible cause for jrun threads to spool out of control is loss of communication with SQL. Both machines are on the same lan segment and subnet and are both bypassed in snort and pfsense. Communication between IIS/CF and SQL should not even be going through pfsense at all since they are on the same lan segment and subnet. It must be some communication between an external client and the Coldfusion server that snort is “interfering” with in such a way that causes this issue.

Short of disabling rule categories and re-enabling them one by one (there are so many), does anyone have any other thoughts on a possible cause or what other things I could do to troubleshoot? Sorry for the long-winded message… tried to include as much detail as possible.

Thanks

--
Scot





---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170209/01e7a200/attachment.html>


More information about the Snort-users mailing list