Snort mailing list archives
Re: Fwd: Snort blocking connection but not logging the drop
From: Cody Brugh <cbrugh () gmail com>
Date: Mon, 12 May 2014 16:09:00 -0400
Attached. On Mon, May 12, 2014 at 4:05 PM, Russ Combs (rucombs) <rucombs () cisco com>wrote:
------------------------------ *From:* Cody Brugh [cbrugh () gmail com] *Sent:* Monday, May 12, 2014 3:59 PM *To:* Russ Combs (rucombs) *Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop Alright, I done that and run my command but see nothing... looking at the console and /var/log/messages... /usr/local/bin/snort -M -A console -q --daq afpacket -i eth2:eth3 -Q --daq-var buffer_size_mb=2048MB -c /etc/snort/snort.conf * Ok, do this and send the whole output file (snort.log) after stopping with ctl-c: /usr/local/bin/snort -A cmg --daq afpacket -i eth2:eth3 -Q --daq-var buffer_size_mb=2048MB -c /etc/snort/snort.conf &> snort.log This is very odd On Mon, May 12, 2014 at 3:24 PM, Russ Combs (rucombs) <rucombs () cisco com>wrote:------------------------------ *From:* Cody Brugh [cbrugh () gmail com] *Sent:* Monday, May 12, 2014 3:01 PM *To:* Russ Combs (rucombs) *Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop That's the thing, I don't know what rule is being hit as it doesn't show in sborby. Is there a way to show the rule that was triggered? Maybe that is done with the perf monitoring stuff? * I can't help you with Snorby. Since this is easy for you to reproduce, I suggest running Snort from the command line directly, no scripts, and no -M option. Add -A cmg -q to your command line. You will see the alert. On May 12, 2014, at 2:59 PM, "Russ Combs (rucombs)" <rucombs () cisco com> wrote: ------------------------------ *From:* Cody Brugh [cbrugh () gmail com] *Sent:* Monday, May 12, 2014 2:53 PM *To:* Russ Combs (rucombs) *Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop I just disabled the tcp normalize and cleaned up some pre-processeors that I don't need, however I am still being dropped when trying to connect to the API with snort ON. Attached are the stats from a quick run where I tried to connect 4-5 times. Let me know if you see something or other suggestions. * You have 1 alert, 2 blocks, 1 blacklisted, and 2 injects. I would start by changing the rule that is firing from drop to alert. Thanks, Cody On Mon, May 12, 2014 at 1:05 PM, Russ Combs (rucombs) <rucombs () cisco com>wrote:------------------------------ *From:* Cody Brugh [cbrugh () gmail com] *Sent:* Monday, May 12, 2014 12:53 PM *To:* Russ Combs (rucombs) *Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop What all is the normalizer used for? Will turning it off make me vulnerable? * The normalizer does various scrubbing and blocking to improve detection. You need to assess your security position with or without it. For details on the normalizer, check here: http://manual.snort.org/node168.html. Just trying to understand what that mechanism does. Thanks, Cody On May 12, 2014, at 12:02 PM, "Russ Combs (rucombs)" <rucombs () cisco com> wrote: The normalizer is blocking packets: tcp::block: 272 You can prevent that by commenting out the normalize_tcp line from your conf. You can debug it a little further by enabling all preprocessor rules by adding / uncommenting them in your conf or by adding this to your conf: config autogenerate_preprocessor_decoder_rules Then you should see why the normalizer is blocking. When I do that with the pcap you sent I see a bad TCP reset. ------------------------------ *From:* Cody Brugh [cbrugh () gmail com] *Sent:* Monday, May 12, 2014 11:52 AM *To:* Russ Combs (rucombs) *Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop Attached is the shutdown stats. Let me know what you find/suggest. Thanks, Cody On Mon, May 12, 2014 at 11:41 AM, Russ Combs (rucombs) < rucombs () cisco com> wrote:------------------------------ *From:* Cody Brugh [cbrugh () gmail com] *Sent:* Monday, May 12, 2014 11:18 AM *To:* Russ Combs (rucombs) *Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop How do I gather those stats? Are you looking for this? http://manual.snort.org/node20.html * Not those. Do a clean start, run your traffic, and then stop Snort or give it a usr1 signal and check the output. Check console or syslog depending on how you run. Thanks, Cody On Mon, May 12, 2014 at 11:05 AM, Russ Combs (rucombs) < rucombs () cisco com> wrote:What are your shutdown / usr1 stats? Do they show normalizer blocks? ------------------------------ *From:* Cody Brugh [cbrugh () gmail com] *Sent:* Monday, May 12, 2014 10:29 AM *To:* Russ Combs (rucombs) *Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop Can you confirm you received my PCAP file? I would really like to get this issue resolved so I can work with their API. Let me know the status please. On Fri, May 9, 2014 at 9:02 AM, Cody Brugh <cbrugh () gmail com> wrote:Attached is the pcap of the stamps.com packet capture... can someone check and see what I should do? Thanks, Cody On Fri, May 9, 2014 at 8:19 AM, Russ Combs (rucombs) < rucombs () cisco com> wrote:------------------------------ *From:* Joel Esler (jesler) *Sent:* Thursday, May 08, 2014 8:51 PM *To:* Cody Brugh *Cc:* snort-devel () lists sourceforge net *Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop Can you send your configuration file, and a packet capture of the session? * Can you also send your usr1 / shutdown stats? -- Joel Esler Sent from my iPhone On May 8, 2014, at 20:49, "Cody Brugh" <cbrugh () gmail com> wrote: Hi, Our dev team is trying to work with stamps.com API however our in-line snort box is blocking the return connection for unknown reasons. When I turn off snort the connection flows perfectly. Looking at snorby I see no event of the connection being dropped. I've included the command we are running from a internal server that is behind the snort. I also included the tcpdump from this same server for the connection. wget https://216.52.211.91/label/health.aspx --2014-05-08 20:37:33-- https://216.52.211.91/label/health.aspx Connecting to 216.52.211.91:443... connected. 20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq 3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869 ecr 3731400338], length 0 20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq 1, ack 1, win 8208, length 0 20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq 3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2824990923 ecr 0], length 0 20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq 361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale 3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0 20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0 20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139 20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368 20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368 20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 2737, win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0 20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq 4233:4288, ack 140, win 534, length 55 any help or suggestions would be great, I would like to disable the rule that is blocking this connection but like I said I cannot see which rule blocked it. Thanks. ------------------------------------------------------------------------------ Is your legacy SCM system holding you back? Join Perforce May 7 to find out: • 3 signs your SCM is hindering your productivity • Requirements for releasing software faster • Expert tips and advice for migrating your SCM now http://p.sf.net/sfu/perforce _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Attachment:
snort.log
Description:
------------------------------------------------------------------------------ "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available Simple to use. Nothing to install. Get started now for free." http://p.sf.net/sfu/SauceLabs
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: Fwd: Snort blocking connection but not logging the drop, (continued)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 12)
- Re: Fwd: Snort blocking connection but not logging the drop Cody Brugh (May 13)
- Re: Fwd: Snort blocking connection but not logging the drop Russ Combs (rucombs) (May 13)