Snort mailing list archives
preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission
From: Amm Snort <ammdispose-snort () yahoo com>
Date: Wed, 8 Aug 2012 20:18:15 +0800 (SGT)
Hello all,

I am using snort 2.9.2.3 in inline (NFQUEUE) mode and kernel 3.4.6-1.fc16.x86_64 on Fedora 16. Everything works fine. Snort also records alerts.

I am using normalize_tcp as follows:

    preprocessor normalize_tcp: ips ecn stream

I am noticing a peculiar problem. If, for some reason, the first SYN packet is lost, then snort drops all following retry-SYN packets. This I could track using tshark (monitoring port 80) and my own web server somewhere on the internet.

I ran the following test to find out the issue:

1) Enable normalize_tcp as above and restart snort.
2) Add a DROP rule on the webserver for port 80, i.e. it should not respond to packets on port 80. This indirectly imitates a packet loss.
3) telnet webserver 80
4) Monitor tshark.
5) tshark just shows one SYN packet, whereas in general it should resend SYN every 1, 4 and 8 seconds.
6) Now comment out (disable) the normalize_tcp rule and restart snort.
7) telnet webserver 80
8) Monitor tshark.
9) This time tshark shows repeated SYN packets (which is as expected).

So here I have faked the packet loss, but in a real situation, if the first SYN packet is lost due to some network problem, then snort never allows the next (retried) SYN packet to be sent, and hence that connection eventually times out.

This is true for all ports, not just 80; port 80 I have just taken as an example. It also causes database connection timeouts and POP server timeouts in case the first SYN was dropped.

I believe "normalize_tcp" drops retry-SYNs because they do not match the first SYN packet.

So is there any workaround for this? Or am I missing some configuration directive?

Please do let me know. Thanks in advance.

Amm Snort.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
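The test above decides "retransmissions are being dropped" by eyeballing tshark for a second SYN. The script below is an added example (not the poster's code and not part of Snort) that turns that check into something repeatable: it reads tshark "fields" output captured beyond the inline box, groups pure SYNs per client-to-server flow, and labels each flow as answered, retransmitting, or showing the reported symptom (one SYN, no SYN/ACK, and enough capture time afterwards for a retry to have appeared). The tshark invocation and field order in the docstring are assumptions, and the sample capture is constructed, not real traffic.

```python
"""Check whether TCP SYN retransmissions are passing an inline sensor.

Added example, not code from the mailing-list post or from Snort. It reads
tshark "fields" output captured on the far side of the inline box, produced
by an invocation along these lines (assumed; adjust interface and fields):

  tshark -i eth0 -T fields -E separator=/t \
    -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst \
    -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e tcp.seq_raw \
    -Y 'tcp.flags.syn == 1'
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (client ip, client port, server ip, server port)
FlowKey = Tuple[str, int, str, int]


@dataclass
class FlowSyns:
    times: List[float] = field(default_factory=list)  # when each pure SYN was seen
    seqs: List[int] = field(default_factory=list)     # raw seq number of each pure SYN
    synack_seen: bool = False                         # did the server ever answer?


def _flag_set(value: str) -> bool:
    # tshark prints booleans as 1/0 on older builds and True/False on newer ones
    return value.strip() in ("1", "True", "true")


def parse_tshark_fields(text: str) -> Tuple[Dict[FlowKey, FlowSyns], float]:
    """Return per-flow SYN records and the timestamp of the last frame seen."""
    flows: Dict[FlowKey, FlowSyns] = {}
    last_frame = 0.0
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, syn, ack, seq = line.split("\t")
        last_frame = max(last_frame, float(t))
        if not _flag_set(syn):
            continue
        if _flag_set(ack):
            # SYN/ACK travels server->client; file it under the client's flow
            key: FlowKey = (dst, int(dport), src, int(sport))
            flows.setdefault(key, FlowSyns()).synack_seen = True
        else:
            key = (src, int(sport), dst, int(dport))
            rec = flows.setdefault(key, FlowSyns())
            rec.times.append(float(t))
            rec.seqs.append(int(seq))
    return flows, last_frame


def classify(flows: Dict[FlowKey, FlowSyns], last_frame: float, min_wait: float = 3.0):
    """Label each flow.

    A client that gets no SYN/ACK resends its SYN after roughly a second and
    keeps backing off, so one SYN, no SYN/ACK, and at least `min_wait` seconds
    of capture after it is the symptom from the post: the retries never arrived.
    """
    out = {}
    for key, rec in flows.items():
        if not rec.times:                       # only a SYN/ACK was captured
            verdict = "synack-only"
        elif rec.synack_seen:
            verdict = "answered"
        elif len(rec.times) >= 2:
            verdict = "retransmitting"
        elif last_frame - rec.times[0] >= min_wait:
            verdict = "retransmissions-missing"
        else:
            verdict = "inconclusive"
        intervals = [round(b - a, 3) for a, b in zip(rec.times, rec.times[1:])]
        out[key] = {"verdict": verdict, "syns": len(rec.times),
                    "intervals": intervals,
                    "same_isn": len(set(rec.seqs)) <= 1}  # retries reuse the ISN
    return out


# Constructed sample capture (tab-separated, field order as in the docstring).
SAMPLE = "\n".join([
    "0.000000\t10.0.0.5\t40001\t203.0.113.10\t80\t1\t0\t1000",   # one SYN, never retried
    "0.500000\t10.0.0.5\t40003\t203.0.113.10\t443\t1\t0\t3000",  # normal handshake
    "0.520000\t203.0.113.10\t443\t10.0.0.5\t40003\t1\t1\t9000",
    "1.000000\t10.0.0.5\t40002\t203.0.113.10\t80\t1\t0\t2000",   # retries, same ISN
    "2.003000\t10.0.0.5\t40002\t203.0.113.10\t80\t1\t0\t2000",
    "4.010000\t10.0.0.5\t40002\t203.0.113.10\t80\t1\t0\t2000",
    "7.500000\t10.0.0.5\t40004\t203.0.113.10\t25\t1\t0\t4000",   # too recent to judge
    "8.020000\t10.0.0.5\t40002\t203.0.113.10\t80\t1\t0\t2000",
])


def report(text: str = SAMPLE):
    flows, last_frame = parse_tshark_fields(text)
    return classify(flows, last_frame)


if __name__ == "__main__":
    for key, r in sorted(report().items()):
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {r['verdict']:24s}"
              f" syns={r['syns']} intervals={r['intervals']} same_isn={r['same_isn']}")
```

Run it twice, once with normalize_tcp enabled and once with it disabled, against captures taken on the far side of the sensor while the server silently drops the port: flows labelled "retransmissions-missing" only in the first run reproduce the behaviour described in the post. The `same_isn` field is there because SYN retries carry the original sequence number; it lets you confirm the second and later SYNs really are retransmissions of the first and not a fresh connection attempt from the client.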
Current thread:
- preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Amm Snort (Aug 08)
- Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Russ Combs (Aug 08)
- Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Amm Snort (Aug 08)
- Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Russ Combs (Aug 08)
- Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Joel Esler (Aug 09)
- Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Amm Snort (Aug 09)
- Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Amm Snort (Aug 10)
- Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Russ Combs (Aug 10)
- Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Amm Snort (Aug 08)
- Re: preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission Russ Combs (Aug 08)