[Snort-users] Alerts in alert_fast arrive out-of-order?

Marcin Dulak marcin.dulak at ...11827...
Mon Jan 23 10:46:13 EST 2017


Hi,

anyone had time to look at this problem and the configuration questions?

Marcin

On Fri, Jan 20, 2017 at 2:11 AM, Marcin Dulak <marcin.dulak at ...11827...>
wrote:

> My setup:
>
> $ rpm -q snort
> snort-2.9.9.0-1.x86_64
> $ rpm -q daq-modules  # comes from EPEL
> daq-modules-2.0.6-1.el7.x86_64
>
> run with nfq on the destination host running a load balancer on ports
> BBB.BBB.BBB.BBB:80/443:
>
> snort -d -Q -l /var/log/snort -c /etc/snort/snort.conf --pid-path /var/log/snort --no-interface-pidfile -y -N
>
> This is a test machine with almost no traffic.
> In /var/log/snort/alert.fast, I see my test rule (similar to
> http://ossectools.blogspot.dk/2011/04/network-intrusion-detection-systems.html)
>
> alert tcp any any -> any 80 (msg:"3456789"; content:"/3456789"; http_uri;
> classtype:not-suspicious; sid:3456789;)
>
> arriving usually at the expected intervals of 10 seconds, but other rules
> get logged sometimes with a large delay (though most often 3 minutes),
> causing
> the timestamps of alerts in alert_fast to become out-of-order, for example:
>
> 01/19/17-16:34:32.826474  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} AAA.AAA.AAA.AAA:41720 -> BBB.BBB.BBB.BBB:80
> 01/19/17-15:34:24.499626  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} AAA.AAA.AAA.AAA:53494 -> BBB.BBB.BBB.BBB:443
> 01/19/17-15:35:04.454336  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} AAA.AAA.AAA.AAA:53496 -> BBB.BBB.BBB.BBB:443
> 01/19/17-16:34:42.891249  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} AAA.AAA.AAA.AAA:41758 -> BBB.BBB.BBB.BBB:80
>
> Snort reports all received packets were analyzed:
>
> Packet I/O Totals:
>    Received:        90404
>    Analyzed:        90404 (100.000%)
>
> I see a similar loss of ordering when logging in unified2, and suspect my
> configuration is incorrect, snort.conf attached.
>
> Some questions:
>
> 1. I run snort on the destination host and direct the traffic received on
> BBB.BBB.BBB.BBB:80/443 (only these ports) to NFQUEUE using netfilter with
> connection tracking
> http://serverfault.com/questions/533704/why-is-iptables-rejecting-the-second-and-subsequent-fragments-of-an-allowed-pack
> Does the usual disabling of offloading NIC capabilities
> https://www.snort.org/documents/possible-packet-loss-during-reassembly-for-snort-ids-ips-sensors
> apply to this case?
>
> 2. Does the number of ports listed in HTTP_PORTS and the preprocessors
> stream5_global, http_inspect_server, ssl have any influence on the
> performance?
>
> 3. There can be both http/https services behind the load balancer ports (on
> subsequent network subinterfaces
> of the interface used for NFQUEUE). Is using both 80/443 ports in both
> preprocessor http_inspect_server and ssl correct?
>
> Best regards,
>
> Marcin
>
>
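As an added example (not code from the post or from the Snort project), a small parser for the alert_fast line format quoted above that flags every alert whose packet timestamp falls behind the newest timestamp already written, i.e. the ordering loss the post reports. The sample lines are constructed from the post's four alerts, with RFC 5737 documentation addresses standing in for the redacted AAA/BBB ones.

```python
import re
from datetime import datetime

# One line of Snort 2.x alert_fast output, in the shape quoted in the post.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)

# Constructed sample modelled on the post's four alerts; the redacted
# AAA/BBB addresses are replaced with RFC 5737 documentation addresses.
SAMPLE = """\
01/19/17-16:34:32.826474  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:41720 -> 198.51.100.5:80
01/19/17-15:34:24.499626  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:53494 -> 198.51.100.5:443
01/19/17-15:35:04.454336  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:53496 -> 198.51.100.5:443
01/19/17-16:34:42.891249  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:41758 -> 198.51.100.5:80
""".splitlines()

def parse_alert(line):
    """Parse one alert_fast line into a dict; return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The stamp is the packet's time, not the time the line was written,
    # so a later line may legitimately carry an earlier timestamp.
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d/%y-%H:%M:%S.%f")
    return rec

def find_regressions(lines):
    """Return (line_no, seconds_behind, sid) for alerts older than the newest seen."""
    newest = None
    found = []
    for n, line in enumerate(lines, 1):
        rec = parse_alert(line)
        if rec is None:
            continue  # skip blank or non-alert lines
        if newest is not None and rec["time"] < newest:
            found.append((n, (newest - rec["time"]).total_seconds(), rec["sid"]))
        else:
            newest = rec["time"]
    return found

if __name__ == "__main__":
    for n, behind, sid in find_regressions(SAMPLE):
        print(f"line {n}: sid {sid} is {behind:.3f}s behind the newest alert")
```

Run it against a real /var/log/snort/alert.fast (read the file and pass its lines) to measure how far behind the delayed alerts actually are; in the sample both mod_proxy alerts land about an hour behind the test-rule alert written just before them.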