Snort mailing list archives
Re: Snort unable to drop packets in inline mode
From: Rishabh Shah <rishabh420 () gmail com>
Date: Sun, 22 Feb 2015 23:02:48 +0530
Hi James,

Yes, I do have a capture on my Windows 7 PC which is sitting behind Snort (linux).

-> Snort command used:

snort -c /etc/snort/snort.conf -Q -i eth1:eth0 --daq afpacket -k none -A fast

-> Traffic from Windows 7 pc:

%wget cnn.com
--2015-02-22 22:54:36--  http://cnn.com/
Resolving cnn.com (cnn.com)... 157.166.226.26, 157.166.226.25
Connecting to cnn.com (cnn.com)|157.166.226.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.cnn.com/ [following]
--2015-02-22 22:54:37--  http://www.cnn.com/
Resolving www.cnn.com (www.cnn.com)... 103.245.222.185
Connecting to www.cnn.com (www.cnn.com)|103.245.222.185|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://edition.cnn.com/ [following]
--2015-02-22 22:54:38--  http://edition.cnn.com/
Resolving edition.cnn.com (edition.cnn.com)... 103.245.222.185
Reusing existing connection to www.cnn.com:80.
*HTTP request sent, awaiting response... 200 OK*
Length: 214393 (209K) [text/html]
Saving to: ‘index.html.6’

100%[================================================================================>] 214,393     321KB/s   in 0.7s

2015-02-22 22:54:39 (321 KB/s) - ‘index.html.6’ saved [214393/214393]

Alert on Snort:

*02/22-22:54:36.628789 [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:54980 -> 103.245.222.185:80*

On Sun, Feb 22, 2015 at 9:29 PM, James Lay <jlay () slave-tothe-box net> wrote:

> On Sun, 2015-02-22 at 20:47 +0530, Rishabh Shah wrote:
>
>> Hi James,
>>
>> Thanks for looking into this. In your case, the HTTP request is getting
>> blocked by snort. But the same is not happening in my case. Any other
>> command output that could help you figure out this issue?
>>
>> On Sun, Feb 22, 2015 at 7:55 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>
>>> On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote:
>>>
>>>> Hi Snort-Experts,
>>>>
>>>> I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit). Snort is unable
>>>> to drop packets, despite a drop alert being generated:
>>>>
>>>> 02/21-14:48:11.602240 [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80
>>>>
>>>> -> Following rule in snort.rules file is getting triggered for the above
>>>> alert log.
>>>>
>>>> drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)
>>>>
>>>> ===============================================================================
>>>> Action Stats:
>>>>      Alerts:            7 (  1.118%)
>>>>      Logged:            7 (  1.118%)
>>>>      Passed:            0 (  0.000%)
>>>> Limits:
>>>>       Match:            0
>>>>       Queue:            0
>>>>         Log:            0
>>>>       Event:            0
>>>>       Alert:            0
>>>> Verdicts:
>>>>       Allow:          231 ( 36.435%)
>>>>       Block:            0 (  0.000%)
>>>>     Replace:            0 (  0.000%)
>>>>   Whitelist:            0 (  0.000%)
>>>> * Blacklist:          394 ( 62.145%)*
>>>>      Ignore:            0 (  0.000%)
>>>>       Retry:            0 (  0.000%)
>>>> ===============================================================================
>>>
>>> Interestingly, Blacklist means getting dropped/blocked/not-allowed-through/
>>> whatever you want to call it. Case in point below:
>>>
>>> start line:
>>> sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none
>>>
>>> [ Number of patterns truncated to 20 bytes: 0 ]
>>> afpacket DAQ configured to inline.
>>> Acquiring network traffic from "eth1:eth2".
>>> Reload thread starting...
>>> Reload thread started, thread 0x7f383d236700 (3419)
>>>
>>>         --== Initialization Complete ==--
>>>
>>> snort rule:
>>> drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)
>>>
>>> wget from remote box:
>>> [07:09:05 $] wget http://192.168.1.73/index.html
>>> --2015-02-22 07:09:44--  http://192.168.1.73/index.html
>>> Connecting to 192.168.1.73:80... connected.
>>> HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
>>> Retrying.
>>>
>>> --2015-02-22 07:09:45--  (try: 2)  http://192.168.1.73/index.html
>>> Connecting to 192.168.1.73:80... connected.
>>> HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
>>> Retrying.
>>>
>>> --2015-02-22 07:09:47--  (try: 3)  http://192.168.1.73/index.html
>>> Connecting to 192.168.1.73:80... connected.
>>> HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
>>> Retrying.
>>>
>>> tshark on ips box:
>>>  31 2015-02-22 07:09:46.143340 192.168.1.2 -> 192.168.1.73 TCP 74 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201101 TSecr=0 WS=128
>>>  32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2 TCP 74 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=54730 TSecr=1201101 WS=16
>>>  33 2015-02-22 07:09:46.144245 192.168.1.2 -> 192.168.1.73 TCP 66 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101 TSecr=54730
>>>  34 2015-02-22 07:09:46.145281 192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
>>>  35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2 TCP 66 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731 TSecr=1201101
>>>  36 2015-02-22 07:09:46.145893 192.168.1.2 -> 192.168.1.73 TCP 54 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>>>  37 2015-02-22 07:09:49.147339 192.168.1.2 -> 192.168.1.73 TCP 74 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201852 TSecr=0 WS=128
>>>  38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2 TCP 74 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=55481 TSecr=1201852 WS=16
>>>  39 2015-02-22 07:09:49.148246 192.168.1.2 -> 192.168.1.73 TCP 66 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852 TSecr=55481
>>>  40 2015-02-22 07:09:49.149275 192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
>>>  41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2 TCP 66 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482 TSecr=1201852
>>>  42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2 HTTP 557 HTTP/1.1 200 OK (text/html)
>>>  43 2015-02-22 07:09:49.151366 192.168.1.2 -> 192.168.1.73 TCP 54 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>>>  46 2015-02-22 07:09:53.153356 192.168.1.2 -> 192.168.1.73 TCP 74 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1202853 TSecr=0 WS=128
>>>  47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2 TCP 74 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=56483 TSecr=1202853 WS=16
>>>  48 2015-02-22 07:09:53.154244 192.168.1.2 -> 192.168.1.73 TCP 66 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853 TSecr=56483
>>>  49 2015-02-22 07:09:53.155285 192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
>>>  50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2 TCP 66 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483 TSecr=1202854
>>>  51 2015-02-22 07:09:53.155921 192.168.1.2 -> 192.168.1.73 TCP 54 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
>>>
>>> snort result using console:
>>> 02/22-07:09:46.145218 [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
>>> 02/22-07:09:49.149219 [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
>>> 02/22-07:09:53.155221 [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80
>>>
>>> and lastly, snort stats after kill:
>>> ===============================================================================
>>> Packet I/O Totals:
>>>    Received:           57
>>>    Analyzed:           57 (100.000%)
>>>     Dropped:            0 (  0.000%)
>>>    Filtered:            0 (  0.000%)
>>> Outstanding:            0 (  0.000%)
>>>    Injected:           12   <----------- injected RST I am guessing
>>> ===============================================================================
>>> Action Stats:
>>>      Alerts:            6 ( 10.526%)
>>>      Logged:            6 ( 10.526%)
>>>      Passed:            0 (  0.000%)
>>> Limits:
>>>       Match:            0
>>>       Queue:            0
>>>         Log:            0
>>>       Event:            0
>>>       Alert:            0
>>> Verdicts:
>>>       Allow:           50 ( 87.719%)
>>>       Block:            0 (  0.000%)
>>>     Replace:            0 (  0.000%)
>>>   Whitelist:            0 (  0.000%)
>>>   Blacklist:            7 ( 12.281%)
>>>      Ignore:            0 (  0.000%)
>>>       Retry:            0 (  0.000%)
>>>
>>> And there ya go.
>>>
>>> James
>>
>> --
>> Regards,
>> Rishabh Shah.
>
> Rishabh,
>
> How are you confirming that this isn't getting dropped/blocked/blacklisted?
> Do you have a capture, or can you capture on the IPS to see what the traffic
> is looking like?
>
> James

--
Regards,
Rishabh Shah.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
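The check the thread converges on is that a [Drop] alert only proves the rule matched; whether the packet actually left the IPS can only be confirmed from the protected side, which is why a capture on the client host (as on the Windows 7 PC above) is more conclusive than a capture on the IPS itself, where the ingress interface sees packets before the DAQ verdict is applied. The script below is an added example and is not code from the thread or from the Snort project. It parses Snort's fast/console alert lines and the Verdicts counters from the shutdown stats, and correlates each [Drop] alert with a client-side capture exported via tshark -T fields (the field names ip.src, tcp.srcport, ip.dst, tcp.dstport, tcp.flags.reset and http.response.code are real tshark fields). The sample alert lines, capture rows and stats block are constructed from the values quoted in the thread, with one flow where the response still reaches the client and one where it does not.

```python
import re
from collections import defaultdict

# Snort -A fast / -A console alert line, in the format pasted in the thread.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[(?P<action>\w+)\] \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Priority: \d+\] )?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Verdict counters from the "Action Stats" block Snort prints at shutdown.
VERDICT_RE = re.compile(r"\b(Allow|Block|Replace|Whitelist|Blacklist|Ignore|Retry):\s+(\d+)")


def parse_alerts(text):
    """Parse every line that matches the fast-alert format."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
            alerts.append(a)
    return alerts


def parse_verdicts(stats_text):
    """Return {verdict name: count} from the Verdicts section of the stats."""
    return {name: int(count) for name, count in VERDICT_RE.findall(stats_text)}


def parse_packets(fields_text):
    """Parse rows produced on the protected host by:
         tshark -r client.pcap -T fields -E separator=, -e ip.src -e tcp.srcport
                -e ip.dst -e tcp.dstport -e tcp.flags.reset -e http.response.code
       Non-HTTP rows carry an empty last field."""
    pkts = []
    for line in fields_text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, rst, code = (line.split(",") + [""] * 6)[:6]
        pkts.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                     "rst": rst.strip().lower() in ("1", "true"),
                     "code": code.strip() or None})
    return pkts


def check_drops(alerts, packets):
    """For each [Drop] alert decide, from the client-side capture, whether the
    drop took effect. Keys are (src, sport, dst, dport) as written in the alert."""
    by_flow = defaultdict(list)
    for p in packets:
        # index under both orientations so a lookup by the alert's
        # client->server tuple returns the whole conversation
        by_flow[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
        by_flow[(p["dst"], p["dport"], p["src"], p["sport"])].append(p)
    results = {}
    for a in alerts:
        if a["action"] != "Drop":
            continue
        key = (a["src"], a["sport"], a["dst"], a["dport"])
        flow = by_flow.get(key, [])
        served = [p["code"] for p in flow if p["src"] == a["dst"] and p["code"]]
        if served:
            results[key] = "NOT ENFORCED: client received HTTP %s after the drop alert" % served[0]
        elif any(p["rst"] for p in flow):
            results[key] = "enforced: connection reset, no HTTP response reached the client"
        else:
            results[key] = "enforced: no HTTP response reached the client"
    return results


def inline_sanity(drop_alert_count, verdicts):
    """Drop alerts with zero Block/Blacklist verdicts mean the rule matched but
    Snort was never in a position to drop (passive DAQ mode, missing -Q)."""
    blocked = verdicts.get("Block", 0) + verdicts.get("Blacklist", 0)
    if drop_alert_count and blocked == 0:
        return "drop alerts but zero Block/Blacklist verdicts: Snort is not dropping (check -Q and DAQ inline mode)"
    return ("verdict counters consistent with inline dropping; if traffic still reaches the client, "
            "confirm it actually traverses the Snort interface pair")


# Constructed sample data, built from the values quoted in the thread.
SAMPLE_ALERTS = """\
02/22-22:54:36.628789 [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:54980 -> 103.245.222.185:80
02/22-07:09:46.145218 [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
"""
# Client-side capture rows: first flow gets a 200 OK through, second is reset.
SAMPLE_CLIENT_CAPTURE = """\
192.168.10.1,54980,103.245.222.185,80,0,
103.245.222.185,80,192.168.10.1,54980,0,
192.168.10.1,54980,103.245.222.185,80,0,
103.245.222.185,80,192.168.10.1,54980,0,200
192.168.1.2,43815,192.168.1.73,80,0,
192.168.1.73,80,192.168.1.2,43815,0,
192.168.1.2,43815,192.168.1.73,80,0,
192.168.1.73,80,192.168.1.2,43815,1,
"""
SAMPLE_STATS = """\
Verdicts:
      Allow:          231 ( 36.435%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          394 ( 62.145%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
"""

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for flow, verdict in check_drops(alerts, parse_packets(SAMPLE_CLIENT_CAPTURE)).items():
        print("%s:%d -> %s:%d  %s" % (flow + (verdict,)))
    print(inline_sanity(len(alerts), parse_verdicts(SAMPLE_STATS)))
```

The capture must come from the host behind the IPS: on the IPS, tshark on the ingress interface records the 200 OK whether or not Snort forwards it, so that capture cannot distinguish an enforced drop from a missed one.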
Current thread:
- Snort unable to drop packets in inline mode Rishabh Shah (Feb 21)
- Re: Snort unable to drop packets in inline mode James Lay (Feb 22)
- Re: Snort unable to drop packets in inline mode Rishabh Shah (Feb 22)
- Re: Snort unable to drop packets in inline mode James Lay (Feb 22)
- Re: Snort unable to drop packets in inline mode Rishabh Shah (Feb 22)
- Re: Snort unable to drop packets in inline mode James Lay (Feb 22)
- Re: Snort unable to drop packets in inline mode Al Lewis (allewi) (Feb 23)
- Re: Snort unable to drop packets in inline mode Rishabh Shah (Feb 25)
- Re: Snort unable to drop packets in inline mode Al Lewis (allewi) (Feb 25)
- Re: Snort unable to drop packets in inline mode Rishabh Shah (Feb 25)
- Re: Snort unable to drop packets in inline mode Rishabh Shah (Feb 22)
- Re: Snort unable to drop packets in inline mode James Lay (Feb 22)