Snort mailing list archives
Re: help - React keyword use to display message on web browser
From: Amul Patel <amulpatel.biz () gmail com>
Date: Thu, 31 Mar 2016 18:41:48 +0530
Hello Team,

It looks like the flow:established; keyword is not triggering the rule:

    drop tcp any any <> any any (msg:"Test_snort_react_msg"; flow:from_client,established; content:"GET"; nocase; react:msg; sid:2; )

I think if the above rule works fine with the keyword flow:from_client,established; then the issue should get resolved. But Snort is not treating the connection as established when the above rule is written, and the curl command executes successfully without hitting the rule.

    # curl google.co.in
    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF="http://www.google.co.in/">here</A>.
    </BODY></HTML>
    #

It looks like the issue is with ";flow:from_client,established". Does anyone know how Snort knows that a connection is established?

Thanks,
Amul Patel

On Thu, Mar 31, 2016 at 3:10 PM, Amul Patel <amulpatel.biz () gmail com> wrote:

Hello Team,

After debugging I see that the condition if (p->packet_flags & PKT_STREAM_EST) fails when I use NFQ inline. I see that packet_flags is set to PKT_STREAM_UNEST_UNI in the file Stream6/stream_common.c instead of PKT_STREAM_EST, so the result is that the if condition fails, and the condition if (p->packet_flags & PKT_STREAM_EST) in detection-plugins/sp_react.c fails.

Why is PKT_STREAM_EST not set when the following rule is used?

    drop tcp any any <> any any (msg:"Test_snort_react_msg"; content:"GET"; nocase; react:msg; sid:2; )

Why does the following rule not hit when the GET keyword is used along with flow:from_client,established;?

    drop tcp any any <> any any (msg:"Test_snort_react_msg"; flow:from_client,established; content:"GET"; nocase; react:msg; sid:2; )

To test, I just commented out the if condition and I see it is working and sending the message to the client, but I still don't see it in the browser (it is received on the machine and can be seen in Wireshark), because in the response the source port is changed from 80 to 1 (tcpmux), hence the browser does not display the message (due to the wrong source port). This workaround cannot be used.

Default HTML working logs for reference:

    # curl google.co.in
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Access Denied</title>
    </head>
    <body>
    <h1>Access Denied</h1>
    <p>You are attempting to access a forbidden site.<br />Consult your system administrator for details.</p>
    </body>
    </html>
    #

Thanks,
Amul Patel

On Tue, Mar 29, 2016 at 6:54 PM, Amul Patel <amulpatel.biz () gmail com> wrote:

Hi Albert,

Updates on --daq dump usage. This is working only with the given TEST.pcap file, and I can see inline-out.pcap, i.e. with the data source from the pcap file, i.e. the command:

    ./snort -c /etc/snort/TEST.conf --daq-dir=/usr/lib/daq -Q --daq dump --daq-var load-mode=read-file -r /etc/snort/TEST.pcap -l. -k none

But if I use --daq dump with NFQ in inline mode with TEST_snort.conf, then the rule does not hit and I don't see any useful info, not even the wget communication, in inline-out.pcap. Please note that TEST.conf is the updated one, i.e. TEST_snort.conf, which I modified accordingly. The command below takes its input data source from NFQ and dumps inline-out.pcap. The problem with this config is that communication is blocked in Snort and packets do not flow through Snort. I guess the mentioned command is correct to dump inline-out.pcap with the NFQ data source in inline mode:

    ./snort -c /etc/snort/TEST.conf --daq-dir=/usr/lib/daq -Q --daq dump -k none

Thanks,
Amul Patel

On Tue, Mar 29, 2016 at 5:50 PM, Amul Patel <amulpatel.biz () gmail com> wrote:

Hi Albert,

Attached is TEST_snort.conf, which I modified from the one you shared. I have updated the conf for NFQ and another output plugin. Since I am using a Linux machine, I changed the policy to linux.

    preprocessor stream5_tcp: \
        policy linux, \

Snort is dumping tcpdump logs to the following location, as configured in the conf file:

    output log_tcpdump: /amul/snort_tcp_dump.pcap

Rule:

    alert tcp any any -> any any (msg:"Test_snort_react_msg"; react:msg; sid:100000002; )

The following rule does not hit when I make an HTTP request using wget:

    alert tcp any any -> any any (msg:"Test_snort_react_msg"; flow:to_client,established; react:msg; sid:100000002; )

There are other rules in the conf file which are commented out for test purposes. The following command is used to run Snort:

    /usr/bin/snort -Q -k none -dev -c /etc/snort/TEST.conf

To test, I am downloading a test file with the wget command so that the Snort rule should be hit, and the rule is working, as it is blocking the download. If we change the rule then it also sends a TCP reset instead of connection refused.

    amul# wget -O /dev/null http://cachefly.cachefly.net/1mb.test
    Connecting to cachefly.cachefly.net (205.234.175.175:80)
    wget: can't connect to remote host (205.234.175.175): Connection refused
    amul#

alert.csv logs:

    03/29-17:32:13.477947 ,1,100000002,0,"Test_snort_react_msg",TCP,10.10.10.131,55888,205.234.175.175,80,,,,******S*,0x2602A84B,0x0,,0x7210,64,0,62121,60,61440,,,,

snort_tcp_dump.pcap.1459253369 is the tcpdump created by Snort (only the SYN packet can be seen).

I am attaching another snippet, GetPacketNotSent.jpg, which was captured for another react rule. I see that the rule works fine, as it blocks the wget, but I don't see the HTTP GET frame (blocked by Snort) in the tcpdump, which should be there after the TCP connection, and it seems that because of this the react response is not working. Rule used:

    drop tcp any any -> any any (msg:"Test_snort_react_msg"; content:"GET"; nocase; react:msg; sid:1; )

Hope this information will be useful to you.

Thanks,
Amul Patel

On Tue, Mar 29, 2016 at 4:02 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

If you are getting the page in the inline.out when using --daq dump and not on your network, there may be something wrong with your setup/configuration. You may want to focus on getting an alert first if your rule doesn't work. Output to the console first, then try writing to the logs, then to csv, etc.

If you can, please provide a sample pcap/conf that doesn't work.

Thanks.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Amul Patel [mailto:amulpatel.biz () gmail com]
Sent: Tuesday, March 29, 2016 2:33 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help - React keyword use to display message on web browser

Hi Albert,

I tried inline mode but did not get success and never saw the react response in tcpdump, even when I used the given TEST.conf updated with my single rule. If you have it set up, can you please check once in inline mode and block any content in the rule as I did in the given rule? In this case, do you get the react response? Rule for reference:

    drop tcp any any -> any any (msg:"GET Packet is not allowed"; content:"GET"; nocase; sid:1; react:msg;)

If I use the flow keyword with established as below, then the rule does not even hit. I have configured csv output to check whether the rule hits or not, where I can see the logs.

    alert tcp any any -> any any (msg:"PATEL"; flow:to_server,,established; content:"GET"; nocase; react:msg; sid:1; )

It seems the rule needs to be changed, as the GET packet does not appear in the tcpdump if we block GET content.

Thanks,
Amul Patel

On Mon, Mar 28, 2016 at 5:59 PM, Amul Patel <amulpatel.biz () gmail com> wrote:

Thanks a lot Albert for providing samples to understand. I used the given files and executed them on my system, and I can see the HTML response in inline-out.pcap successfully. Now I am trying to debug with my conf file with NFQ. I will keep you updated on the same.

PS: I was using the correct rule, but by mistake I pasted the rule which has a comma. Thanks for informing me. I am using only the following correct rule:

    drop tcp any any -> any any (msg:"GET Packet is not allowed"; content:"GET"; nocase; classtype:inappropriate-content; sid:9787879; react:msg)

On Mon, Mar 28, 2016 at 4:20 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Sure. inline-out.pcap is attached, as well as the example I used to get the page to generate. I ran it with:

    ./bin/snort -c etc/TEST.conf -Q --daq dump --daq-var load-mode=read-file -r etc/TEST.pcap -l. -k none -q

Try this and see if you can get the page to generate.

Albert Lewis

From: Amul Patel [mailto:amulpatel.biz () gmail com]
Sent: Monday, March 28, 2016 3:32 AM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help - React keyword use to display message on web browser

Thanks Albert.

Quick update: I am using NFQ as the data packet source and already ran a parallel tcpdump command on the given interface and generated a .pcap file. I opened the pcap in Wireshark, but I did not see any packet related to the message in the pcap file. It seems Snort is not sending the message. Do you have any sample pcap file which shows the message being sent by Snort, for reference?

Thanks,
Amul Patel

On Fri, Mar 25, 2016 at 6:04 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Hello,

Try running Snort with "--daq dump --daq-var load-mode=read-file -Q" so it will dump a file "inline-out.pcap". You can check that file to see if the page is being sent. That should tell you if there is something wrong with the config or network related.

Albert Lewis

From: Amul Patel [mailto:amulpatel.biz () gmail com]
Sent: Friday, March 25, 2016 5:59 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] help - React keyword use to display message on web browser

Hello Team,

I need help with the use of the react keyword to display a message (default or user defined) in a web browser. I am using Snort version 2.9.8.0 on a Linux machine. I have enabled the required options during configuration as mentioned below:

    ./configure --enable-active-response --enable-react --enable-flexresp3 \

I am executing Snort in inline mode:

    /usr/bin/snort -Q -k none -v -dev -c /etc/snort/snort.conf

The following is the rule I am using:

    drop tcp any any -> any any (msg:"GET Packet is not allowed"; content:"GET"; nocase; classtype:inappropriate-content; sid:9787879; react,msg)

It is blocking and logging the message in the csv log file, but does not send the default message or rule message to the browser. Just a "connection reset" message is displayed in the web browser. I even tried a lot of different options with different rules, changed the sid, no msg keyword with react, Snort in tap mode, etc., but no option works. I checked the react.c file where the default HTTP and HTML page is declared, and tried to understand the code as well to see if there is any bug there.

Can anyone help me out to display a message in the web browser? Is any firewall rule also needed, or any other setting apart from Snort?

Thanks in advance,
Regards,
Amul Patel

--
Thanks & Regards,
Amul Patel
07875648886
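The question raised above, how Snort decides that a connection is "established" before a flow:from_client,established rule can fire, is easiest to see with a toy handshake tracker. This is an added illustration, not Snort's Stream5 or sp_react code; the addresses are taken from the wget test in the thread, and the two packet sequences are constructed to contrast a sensor that sees both directions with one that sees only the client side.

```python
"""Toy TCP handshake tracker: a flow only becomes 'established' after the
sensor has seen SYN, SYN/ACK and the final ACK. Illustration only, not Snort code."""
SYN, ACK, PSH = 0x02, 0x10, 0x08

class FlowTracker:
    def __init__(self):
        self.flows = {}  # frozenset({client, server}) -> per-flow state

    def process(self, src, dst, flags, payload=b""):
        """Return (state_tag, direction, payload) for one packet.
        state_tag mimics PKT_STREAM_EST / PKT_STREAM_UNEST_UNI from the thread."""
        key = frozenset((src, dst))
        f = self.flows.setdefault(key, {"client": src, "server": dst, "syn": False,
                                        "synack": False, "est": False, "bidir": False})
        from_client = src == f["client"]        # first packet seen defines the client
        if not from_client:
            f["bidir"] = True                   # we have seen the server side at all
        if flags & SYN and not flags & ACK and from_client:
            f["syn"] = True
        elif flags & SYN and flags & ACK and not from_client:
            f["synack"] = True
        elif flags & ACK and from_client and f["syn"] and f["synack"]:
            f["est"] = True                     # three-way handshake completed
        tag = "EST" if f["est"] else ("UNEST_BI" if f["bidir"] else "UNEST_UNI")
        return tag, "from_client" if from_client else "to_client", payload

def rule_matches(tag, direction, payload):
    """Toy equivalent of: flow:from_client,established; content:"GET"; nocase;"""
    return tag == "EST" and direction == "from_client" and b"get" in payload.lower()

def run(packets):
    """Feed constructed packets through one tracker; True if the rule fired."""
    t = FlowTracker()
    return any(rule_matches(*t.process(*p)) for p in packets)

# Endpoints from the thread's wget test; packet sequences are constructed.
C, S = ("10.10.10.131", 55888), ("205.234.175.175", 80)
GET = b"GET /1mb.test HTTP/1.1\r\nHost: cachefly.cachefly.net\r\n\r\n"
FULL_HANDSHAKE = [(C, S, SYN), (S, C, SYN | ACK), (C, S, ACK), (C, S, PSH | ACK, GET)]
ONE_DIRECTION = [(C, S, SYN), (C, S, ACK), (C, S, PSH | ACK, GET)]  # server side never seen

if __name__ == "__main__":
    print("both directions seen, rule fires:", run(FULL_HANDSHAKE))  # True
    print("client side only, rule fires:", run(ONE_DIRECTION))       # False
```

If the inline hook only hands one direction of the conversation to the sensor, the flow never leaves the UNEST_UNI state and a rule requiring established cannot match, which is the symptom to check for when the non-flow rule fires but the flow:established one does not.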