Snort mailing list archives
Ongoing reputation issues
From: Dave Corsello <snort-users () wintertreemedia com>
Date: Wed, 21 May 2014 11:23:05 -0400
I was recently able to clear up problems with the reputation preprocessor on my home system by adding a couple of parameters to my snort start-up command. I applied that change at a client location, but the reputation problems continue at the client. The problem is that in an outbound HTTP request to a reputation-blocked IP address, the request fails, but pcaps show that the TCP handshake succeeds. Also, snort alerts that the SYN and SYN/ACK packets are blocked, even though they are not. So snort is making a decision that is not followed by the NFQ DAQ and/or iptables for some reason.

Following are the contents of the main configuration files; they are identical to the config files on my home office system except for the IP addresses. My distro is Ubuntu server 10.04.3 LTS, my snort version is 2.9.6.1 and my daq version is 2.0.2. Snort was configured with --enable-sourcefire and --enable-reload. DAQ was configured with defaults.

Can anyone spot a problem that would allow the TCP handshake to succeed with a reputation-blocked IP address?

#########################
/etc/network/interfaces
#########################
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# The management network interface
auto eth2
iface eth2 inet static
    address a.a.a.a
    netmask 255.255.255.0
    network a.a.a.0
    broadcast a.a.a.255
    gateway a.a.a.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers a.a.a.b
    dns-search mydomain.com

# The bridge for Snort IPS
auto br0
iface br0 inet manual
    bridge-ports eth0 eth1
    pre-up iptables-restore < /etc/iptables.rules
    # pre-up iptables-restore < /etc/iptables-noqueue.rules

#########################
/etc/resolv.conf
#########################
nameserver a.a.a.b
nameserver a.a.a.c
domain mydomain.com
search mydomain.com

#########################
/etc/iptables.rules
#########################
# Generated by iptables-save v1.4.4 on Wed Apr 6 00:59:09 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num 1
COMMIT
# Completed on Wed Apr 6 00:59:09 2011

#########################
/etc/init/snort.conf
#########################
# Snort Service
description "Snort IPS"
author "Dave Corsello"
start on (net-device-up and local-filesystems and runlevel [2345])
stop on runlevel [016]
respawn
exec /usr/local/bin/snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf -D
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
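The inline path described in the post (a Linux bridge br0, one FORWARD rule to NFQUEUE, snort -Q --daq nfq --daq-var queue=1) only enforces a verdict if every hop actually hands Snort the packets. The script below is an added example, not part of the original post and not Snort project code: it takes an iptables-save dump, a sysctl listing and the snort command line as text and checks that the FORWARD chain delivers to the same NFQUEUE number Snort binds, that net.bridge.bridge-nf-call-iptables is 1 (without it bridged IPv4 frames never traverse the FORWARD chain, so NFQUEUE and Snort never see them), and that a process is bound to that queue. The "--live" mode, and the assumption that the first column of /proc/net/netfilter/nfnetlink_queue is the queue number, are this example's own; none of the checks is asserted to be the cause of the behaviour reported above.

```shell
#!/bin/sh
# Added example for the NFQ inline setup quoted above; not code from the
# original post or from the Snort project. Each check reads text so it can
# be run against saved dumps; "--live" runs them against the local system.

# 0 if the iptables-save dump on stdin contains a FORWARD rule whose target
# is NFQUEUE and whose queue (--queue-num N or --queue-balance A:B) covers
# the number given as $1.
forward_queue_matches() {
    awk -v q="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            target = 0; num = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "NFQUEUE") target = 1
                if ($i == "--queue-num" && $(i + 1) + 0 == q + 0) num = 1
                if ($i == "--queue-balance") {
                    split($(i + 1), r, ":")
                    if (q + 0 >= r[1] + 0 && q + 0 <= r[2] + 0) num = 1
                }
            }
            if (target && num) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Print the queue number from "--daq-var queue=N" on a snort command line;
# print nothing if the option is absent.
snort_cmd_queue() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^queue=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# 0 if a "sysctl -a"-style listing on stdin shows bridged IPv4 frames being
# passed to iptables. At 0 the bridge forwards below netfilter, so the
# FORWARD chain, the NFQUEUE target and Snort never see the packets.
bridge_nf_enabled() {
    grep -E '^net\.bridge\.bridge-nf-call-iptables[[:space:]]*=[[:space:]]*1$' >/dev/null
}

# 0 if the /proc/net/netfilter/nfnetlink_queue text on stdin lists queue $1,
# i.e. some process (here Snort's NFQ DAQ) has bound it. Assumption of this
# example: the first column of that file is the queue number.
queue_has_listener() {
    awk -v q="$1" '$1 + 0 == q + 0 && NF >= 2 { found = 1 } END { exit found ? 0 : 1 }'
}

# Run the three checks on this host (as root); expects the snort command line as $1.
live_check() {
    q=$(snort_cmd_queue "$1")
    if [ -z "$q" ]; then
        echo "FAIL: no --daq-var queue=N on the snort command line"
        return 1
    fi
    rc=0
    if iptables-save | forward_queue_matches "$q"; then
        echo "ok:   FORWARD chain delivers to NFQUEUE queue $q"
    else
        echo "FAIL: no FORWARD rule delivering to NFQUEUE queue $q"; rc=1
    fi
    if sysctl -a 2>/dev/null | bridge_nf_enabled; then
        echo "ok:   net.bridge.bridge-nf-call-iptables = 1"
    else
        echo "FAIL: net.bridge.bridge-nf-call-iptables is not 1; bridged frames bypass iptables"; rc=1
    fi
    if [ -r /proc/net/netfilter/nfnetlink_queue ] && queue_has_listener "$q" </proc/net/netfilter/nfnetlink_queue; then
        echo "ok:   a process is bound to NFQUEUE queue $q"
    else
        echo "FAIL: nothing is bound to NFQUEUE queue $q (snort not running, or bound to another queue)"; rc=1
    fi
    return $rc
}

# Usage on the sensor:  sh check_nfq.sh --live "/usr/local/bin/snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf -D"
case "${1:-}" in
    --live) live_check "${2:-}" ;;
esac
```

The posted FORWARD rule has no --queue-bypass, so a packet queued to queue 1 with nobody bound is dropped by the kernel rather than accepted; a handshake that completes therefore means either an accept verdict was returned for those packets or they never reached the FORWARD chain, which is what the bridge-netfilter check distinguishes.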
Current thread:
- Ongoing reputation issues Dave Corsello (May 21)
- Re: Ongoing reputation issues James Lay (May 21)
- Re: Ongoing reputation issues Dave Corsello (May 21)
- Re: Ongoing reputation issues James Lay (May 21)
- Message not available
- Message not available
- Message not available
- Re: Ongoing reputation issues Dave Corsello (May 22)
- Re: Ongoing reputation issues Dave Corsello (May 21)
- Re: Ongoing reputation issues James Lay (May 21)