Snort mailing list archives

Ongoing reputation issues


From: Dave Corsello <snort-users () wintertreemedia com>
Date: Wed, 21 May 2014 11:23:05 -0400

I was recently able to clear up problems with the reputation 
preprocessor on my home system by adding a couple of parameters to my 
snort start-up command.  I applied that change at a client location, but 
the reputation problems continue at the client.  The problem is that in 
an outbound HTTP request to a reputation-blocked IP address, the request 
fails, but pcaps show that the TCP handshake succeeds.  Also, snort 
alerts that the SYN and SYN ACK packets are blocked, even though they 
are not.  So snort is making a decision that is not followed by the NFQ 
DAQ and/or iptables for some reason.

Following are the contents of the main configuration files;  they are 
identical to the config files on my home office system except for the IP 
addresses.  My distro is Ubuntu server 10.04.3 LTS, my snort version is 
2.9.6.1 and my daq version is 2.0.2.  Snort was configured with 
--enable-sourcefire and --enable-reload.  DAQ was configured with 
defaults.  Can anyone spot a problem that would allow the TCP handshake 
to succeed with a reputation-blocked IP address?

#########################
/etc/network/interfaces
#########################

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
# The management network interface
auto eth2
iface eth2 inet static
         address a.a.a.a
         netmask 255.255.255.0
         network a.a.a.0
         broadcast a.a.a.255
         gateway a.a.a.1
         # dns-* options are implemented by the resolvconf package, if installed
         dns-nameservers a.a.a.b
         dns-search mydomain.com

# The bridge for Snort IPS
auto br0
iface br0 inet manual
         bridge-ports eth0 eth1
         pre-up iptables-restore < /etc/iptables.rules
#       pre-up iptables-restore < /etc/iptables-noqueue.rules

#########################
/etc/resolv.conf
#########################

nameserver a.a.a.b
nameserver a.a.a.c
domain mydomain.com
search mydomain.com

#########################
/etc/iptables.rules
#########################

# Generated by iptables-save v1.4.4 on Wed Apr  6 00:59:09 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num 1
COMMIT
# Completed on Wed Apr  6 00:59:09 2011

#########################
/etc/init/snort.conf
#########################

# Snort Service

description     "Snort IPS"
author          "Dave Corsello"

start on (net-device-up
           and local-filesystems
           and runlevel [2345])
stop on runlevel [016]

respawn

exec /usr/local/bin/snort -Q --daq nfq --daq-var device=br0 --daq-var queue=1 -c /etc/snort/snort.conf -D


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
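The post describes a verdict that Snort believes it issued but that the NFQ DAQ and iptables do not seem to act on. Before touching snort.conf, a defender would confirm the three links of the queue path that the upstart job and /etc/iptables.rules above depend on: the FORWARD rule exists and is actually matching packets, a userspace process is bound to queue 1, and the queue is not discarding packets. The script below is an added diagnostic written for this thread, not the poster's code; it parses constructed samples of `iptables-save -c` output and of `/proc/net/netfilter/nfnetlink_queue` (queue number, peer portid, queue total, copy mode, copy range, queue dropped, user dropped, id sequence), and with `--live` it reads the real files on the host. The bridge-nf sysctl path is the standard one; whether the client's kernel has that file is not known from the post.

```shell
#!/bin/sh
# Added diagnostic (not from the post): verify the NFQUEUE path that the
# upstart job and /etc/iptables.rules rely on.
#
# For an inline verdict to take effect:
#   1. an iptables rule sends FORWARD traffic to the queue and its packet
#      counter is increasing (bridged frames only reach iptables when
#      net.bridge.bridge-nf-call-iptables is 1);
#   2. a userspace process (snort) is bound to that queue, visible as a
#      non-zero peer portid in /proc/net/netfilter/nfnetlink_queue;
#   3. the queue is not dropping packets.

# Constructed sample of /proc/net/netfilter/nfnetlink_queue. Columns:
# queue_num peer_portid queue_total copy_mode copy_range queue_dropped
# user_dropped id_sequence 1
SAMPLE_NFQ='    1  4210     0 2 65531     0     0       73  1'

# Constructed sample of `iptables-save -c` output (counters in [pkts:bytes]).
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[73:5120] -A FORWARD -j NFQUEUE --queue-num 1
COMMIT'

# Print the peer portid bound to queue $1 given nfnetlink_queue text $2.
# Prints nothing when the queue has never been bound.
nfq_listener_portid() {
  printf '%s\n' "$2" | awk -v q="$1" '$1 == q { print $2 }'
}

# Print the packet counter of the NFQUEUE rule for queue $1 in
# iptables-save -c text $2; prints nothing when no such rule exists.
nfq_rule_pkts() {
  printf '%s\n' "$2" | awk -v q="$1" \
    '/-j NFQUEUE/ && $0 ~ ("--queue-num " q "( |$)") {
       gsub(/^\[|:.*$/, "", $1); print $1 }'
}

# Print the queue_dropped counter for queue $1 (empty if queue absent).
nfq_queue_dropped() {
  printf '%s\n' "$2" | awk -v q="$1" '$1 == q { print $6 }'
}

# Combine the checks into one verdict string:
#   no-rule        no NFQUEUE rule for this queue in the ruleset
#   no-listener    rule exists but nothing is bound to the queue
#   rule-unmatched rule and listener exist but the rule never matched
#   dropping       queue is discarding packets instead of delivering them
#   ok             plumbing looks healthy
nfq_diagnose() {
  q="$1"
  pkts=$(nfq_rule_pkts "$q" "$3")
  portid=$(nfq_listener_portid "$q" "$2")
  dropped=$(nfq_queue_dropped "$q" "$2")
  if [ -z "$pkts" ]; then echo no-rule; return 0; fi
  if [ -z "$portid" ] || [ "$portid" -eq 0 ]; then echo no-listener; return 0; fi
  if [ "$pkts" -eq 0 ]; then echo rule-unmatched; return 0; fi
  if [ "${dropped:-0}" -gt 0 ]; then echo dropping; return 0; fi
  echo ok
}

# Read the bridge-nf sysctl from file $1; prints "absent" when the file
# does not exist (bridge netfilter not available), else its value.
nfq_bridge_nf_state() {
  if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Live run against this host (needs root for iptables-save):
#   sh nfq_check.sh --live 1
if [ "${1:-}" = "--live" ]; then
  q="${2:-1}"
  live_nfq=$(cat /proc/net/netfilter/nfnetlink_queue 2>/dev/null || true)
  live_save=$(iptables-save -c 2>/dev/null || true)
  echo "bridge-nf-call-iptables: $(nfq_bridge_nf_state /proc/sys/net/bridge/bridge-nf-call-iptables)"
  echo "queue $q: $(nfq_diagnose "$q" "$live_nfq" "$live_save")"
fi
```

Run it twice with `--live` a few seconds apart while reproducing the blocked request: if the verdict is `rule-unmatched` or the rule counter does not move between runs, the handshake is completing without ever being queued, which would explain why Snort's "blocked" alert has no effect on the wire; `no-listener` means Snort is not bound to the queue number the rule targets; `dropping` means the queue is overflowing and the kernel is discarding (and, depending on queue settings, accepting) packets rather than waiting for a verdict.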