Snort mailing list archives

Re: Snort unable to drop packets in inline mode
From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 22 Feb 2015 08:59:46 -0700

On Sun, 2015-02-22 at 20:47 +0530, Rishabh Shah wrote:
Hi James,

Thanks for looking into this. In your case, the HTTP request is
getting blocked by snort. But the same is not happening in my case.
Any other command output that could help you figure out this issue?


On Sun, Feb 22, 2015 at 7:55 PM, James Lay <jlay () slave-tothe-box net> wrote:

        On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote: 
        
        > Hi Snort-Experts,
        > 
        > 
        > I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit).
        > Snort is unable to drop packets, despite a drop alert being
        > generated:
        > 02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80
        > 
        > 
        > -> Following rule in snort.rules file is getting triggered for the above alert log.
        > drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)
        > 
        > ===============================================================================
        > Action Stats:
        >      Alerts:            7 (  1.118%)
        >      Logged:            7 (  1.118%)
        >      Passed:            0 (  0.000%)
        > Limits:
        >       Match:            0
        >       Queue:            0
        >         Log:            0
        >       Event:            0
        >       Alert:            0
        > Verdicts:
        >       Allow:          231 ( 36.435%)
        >       Block:            0 (  0.000%)
        >     Replace:            0 (  0.000%)
        >   Whitelist:            0 (  0.000%)
        >   Blacklist:          394 ( 62.145%)
        >      Ignore:            0 (  0.000%)
        >       Retry:            0 (  0.000%)
        > ===============================================================================
        > 
        
        Interestingly, Blacklist means getting
        dropped/blocked/not-allowed-through/whatever you want to call
        it.  Case in point below:
        
        start line:
        sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none
        
        [ Number of patterns truncated to 20 bytes: 0 ]
        afpacket DAQ configured to inline.
        Acquiring network traffic from "eth1:eth2".
        Reload thread starting...
        Reload thread started, thread 0x7f383d236700 (3419)
        
                --== Initialization Complete ==--
        
        snort rule:
        drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)
        
        wget from remote box:
        [07:09:05 $] wget http://192.168.1.73/index.html
        --2015-02-22 07:09:44--  http://192.168.1.73/index.html
        Connecting to 192.168.1.73:80... connected.
        HTTP request sent, awaiting response... Read error (Connection
        reset by peer) in headers.
        Retrying.
        
        --2015-02-22 07:09:45--  (try: 2)
        http://192.168.1.73/index.html
        Connecting to 192.168.1.73:80... connected.
        HTTP request sent, awaiting response... Read error (Connection
        reset by peer) in headers.
        Retrying.
        
        --2015-02-22 07:09:47--  (try: 3)
        http://192.168.1.73/index.html
        Connecting to 192.168.1.73:80... connected.
        HTTP request sent, awaiting response... Read error (Connection
        reset by peer) in headers.
        Retrying.
        
        tshark on ips box:
        31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP
        74 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
        TSval=1201101 TSecr=0 WS=128
        32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP
        74 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460
        SACK_PERM=1 TSval=54730 TSecr=1201101 WS=16
        33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP
        66 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101
        TSecr=54730
        34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73
        HTTP 186 GET /index.html HTTP/1.1 
        35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP
        66 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731
        TSecr=1201101
        36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP
        54 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
        37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP
        74 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
        TSval=1201852 TSecr=0 WS=128
        38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP
        74 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460
        SACK_PERM=1 TSval=55481 TSecr=1201852 WS=16
        39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP
        66 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852
        TSecr=55481
        40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73
        HTTP 186 GET /index.html HTTP/1.1 
        41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP
        66 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482
        TSecr=1201852
        42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2
        HTTP 557 HTTP/1.1 200 OK  (text/html)
        43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP
        54 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
        46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP
        74 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1
        TSval=1202853 TSecr=0 WS=128
        47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP
        74 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460
        SACK_PERM=1 TSval=56483 TSecr=1202853 WS=16
        48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP
        66 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853
        TSecr=56483
        49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73
        HTTP 186 GET /index.html HTTP/1.1 
        50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP
        66 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483
        TSecr=1202854
        51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP
        54 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
        
        snort result using console:
        02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic
        Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 ->
        192.168.1.73:80
        02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic
        Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 ->
        192.168.1.73:80
        02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic
        Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 ->
        192.168.1.73:80
        
        and lastly, snort stats after kill:
        ===============================================================================
        Packet I/O Totals:
           Received:           57
           Analyzed:           57 (100.000%)
            Dropped:            0 (  0.000%)
           Filtered:            0 (  0.000%)
        Outstanding:            0 (  0.000%)
           Injected:           12                  <----------- injected RST I am guessing
        ===============================================================================
        
        ===============================================================================
        Action Stats:
             Alerts:            6 ( 10.526%)
             Logged:            6 ( 10.526%)
             Passed:            0 (  0.000%)
        Limits:
              Match:            0
              Queue:            0
                Log:            0
              Event:            0
              Alert:            0
        Verdicts:
              Allow:           50 ( 87.719%)
              Block:            0 (  0.000%)
            Replace:            0 (  0.000%)
          Whitelist:            0 (  0.000%)
          Blacklist:            7 ( 12.281%)
             Ignore:            0 (  0.000%)
              Retry:            0 (  0.000%)
        
        And there ya go.
        
        James
        
        
        ------------------------------------------------------------------------------
        Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT
        Server
        from Actuate! Instantly Supercharge Your Business Reports and
        Dashboards
        with Interactivity, Sharing, Native Excel Exports, App
        Integration & more
        Get technology previously reserved for billion-dollar
        corporations, FREE
        http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
        _______________________________________________
        Snort-users mailing list
        Snort-users () lists sourceforge net
        Go to this URL to change user options or unsubscribe:
        https://lists.sourceforge.net/lists/listinfo/snort-users
        Snort-users list archive:
        http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
        
        Please visit http://blog.snort.org to stay current on all the
        latest Snort news!
-- 

Regards,

Rishabh Shah.



Rishabh,

How are you confirming that this isn't getting
dropped/blocked/blacklisted?  Do you have a capture, or can you capture
on the IPS to see what the traffic is looking like?

James
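A small parser over the two artifacts the thread compares, Snort's exit statistics and its -A console alert lines, added here as an example and not part of the thread or of Snort itself. It encodes James's reading that in inline mode blocked packets show up under the Blacklist verdict rather than Block; the sample input is copied from the working stat dump and alerts quoted above.

```python
import re
# Constructed sample, copied from the thread's second (working) stat dump and
# console alerts; trimmed to the counters the check needs.
SNORT_STATS = """\
Packet I/O Totals:
   Received:           57
   Injected:           12
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
"""
SNORT_ALERTS = """\
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
"""
COUNTER_RE = re.compile(r"^\s*(\w+):\s+(\d+)")
ALERT_RE = re.compile(r"^\S+\s+\[(\w+)\] \[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*\{(\w+)\} (\S+) -> (\S+)")

def parse_stats(text):
    """Return {section: {counter: int}} for the blocks Snort prints on exit."""
    stats, section = {}, None
    for line in text.splitlines():
        if line.endswith(":") and not line[0].isspace():   # "Verdicts:" etc.
            section = line[:-1]
            stats[section] = {}
        elif section and (m := COUNTER_RE.match(line)):
            stats[section][m.group(1)] = int(m.group(2))
    return stats

def parse_alerts(text):
    """Return one dict per -A console line: action, sid, msg, proto, src, dst."""
    rows = []
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        action, _gid, sid, _rev, msg, proto, src, dst = m.groups()
        rows.append({"action": action, "sid": int(sid), "msg": msg,
                     "proto": proto, "src": src, "dst": dst})
    return rows

def blocking_summary(stats, alerts):
    """Is the sensor really dropping?  Per both stat dumps in the thread, packets
    dropped inline are counted under Verdicts/Blacklist (the whole session is
    blacklisted, so it can exceed the number of drop alerts), not under Block."""
    v = stats.get("Verdicts", {})
    drops = sum(1 for a in alerts if a["action"] == "Drop")
    blocked = v.get("Block", 0) + v.get("Blacklist", 0)
    return {"drop_alerts": drops, "blocked_packets": blocked,
            "injected": stats.get("Packet I/O Totals", {}).get("Injected", 0),
            "blocking_effective": drops > 0 and blocked > 0}
```

Run against Rishabh's own dump (7 alerts, Blacklist 394) the same check reports blocking as effective, which is James's point: the "Block: 0" line is not where to look.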
