[Snort-users] Alerts in alert_fast arrive out-of-order?

Marcin Dulak marcin.dulak at ...11827...
Thu Jan 19 20:11:50 EST 2017


My setup:

$ rpm -q snort
snort-2.9.9.0-1.x86_64
$ rpm -q daq-modules  # comes from EPEL
daq-modules-2.0.6-1.el7.x86_64

run with nfq on the destination host running a load balancer on ports BBB.BBB.BBB.BBB:80/443:

snort -d -Q -l /var/log/snort -c /etc/snort/snort.conf --pid-path /var/log/snort --no-interface-pidfile -y -N

This is a test machine with almost no traffic.
In /var/log/snort/alert.fast, I see my test rule (similar to http://ossectools.blogspot.dk/2011/04/network-intrusion-detection-systems.html)

alert tcp any any -> any 80 (msg:"3456789"; content:"/3456789"; http_uri; classtype:not-suspicious; sid:3456789;)

arriving usually at the expected intervals of 10 seconds, but other rules sometimes get logged with a large delay (though most often 3 minutes), causing the timestamps of alerts in alert_fast to become out-of-order, for example:

01/19/17-16:34:32.826474  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} AAA.AAA.AAA.AAA:41720 -> BBB.BBB.BBB.BBB:80
01/19/17-15:34:24.499626  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} AAA.AAA.AAA.AAA:53494 -> BBB.BBB.BBB.BBB:443
01/19/17-15:35:04.454336  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} AAA.AAA.AAA.AAA:53496 -> BBB.BBB.BBB.BBB:443
01/19/17-16:34:42.891249  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} AAA.AAA.AAA.AAA:41758 -> BBB.BBB.BBB.BBB:80

Snort reports all received packets were analyzed:

Packet I/O Totals:
   Received:        90404
   Analyzed:        90404 (100.000%)

I see a similar loss of ordering when logging in unified2, and suspect my configuration is incorrect; snort.conf attached.

Some questions:

1. I run snort on the destination host and direct the traffic received on BBB.BBB.BBB.BBB:80/443 (only these ports) to NFQUEUE using netfilter with connection tracking (http://serverfault.com/questions/533704/why-is-iptables-rejecting-the-second-and-subsequent-fragments-of-an-allowed-pack). Does the usual disabling of NIC offloading capabilities (https://www.snort.org/documents/possible-packet-loss-during-reassembly-for-snort-ids-ips-sensors) apply to this case?

2. Does the number of ports listed in HTTP_PORTS and the preprocessors stream5_global, http_inspect_server, ssl have any influence on the performance?

3. There can be both http/https services behind the load balancer ports (on subsequent network subinterfaces of the interface used for NFQUEUE). Is using both 80/443 ports in both preprocessor http_inspect_server and ssl correct?

Best regards,

Marcin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 22220 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170120/5081738c/attachment.obj>
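A small checker for the symptom described above, added here as an example and not part of the original post or of Snort: it parses alert_fast lines in the format shown (timestamp, [gid:sid:rev], message, {proto} src -> dst) and reports every alert whose timestamp is earlier than the latest one already written to the file, with the lag in seconds. The sample lines are constructed (documentation IPs stand in for the redacted addresses) and mirror the four alerts in the post.

```python
import re
import sys
from datetime import datetime

# One alert_fast line, as produced by Snort's fast output (format taken from the post).
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

# Constructed sample lines modelled on the post's alerts (192.0.2.x / 198.51.100.x are
# documentation addresses, not the poster's hosts).
SAMPLE_LINES = [
    "01/19/17-16:34:32.826474  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:41720 -> 198.51.100.5:80",
    "01/19/17-15:34:24.499626  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:53494 -> 198.51.100.5:443",
    "01/19/17-15:35:04.454336  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:53496 -> 198.51.100.5:443",
    "01/19/17-16:34:42.891249  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:41758 -> 198.51.100.5:80",
]


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['ts'] = datetime.strptime(d['ts'], '%m/%d/%y-%H:%M:%S.%f')
    d['sid'] = int(d['sid'])
    return d


def find_out_of_order(lines):
    """Return (line_index, sid, lag_seconds) for every alert whose timestamp is older
    than the newest timestamp logged before it; lag is how far behind it arrived."""
    newest = None
    findings = []
    for i, line in enumerate(lines):
        a = parse_alert(line)
        if a is None:
            continue  # skip blank or unparseable lines
        if newest is not None and a['ts'] < newest:
            findings.append((i, a['sid'], (newest - a['ts']).total_seconds()))
        else:
            newest = a['ts']
    return findings


if __name__ == '__main__':
    # Pass a path to a real alert_fast file, otherwise the constructed sample is used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    for idx, sid, lag in find_out_of_order(lines):
        print("line %d: sid %d logged %.3f s behind the newest earlier alert" % (idx + 1, sid, lag))
```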