Snort mailing list archives
Re: help - React keyword use to display message on web browser
From: Amul Patel <amulpatel.biz () gmail com>
Date: Fri, 1 Apr 2016 10:49:57 +0530
Hi Albert,

It's working only with --daq dump mode. Can you please try once with NFQ? There is a difference in Snort mode, i.e. DAQ type dump vs. NFQ. I observed it's not working for NFQ.

Config NFQ setting to test: update the firewall rules as mentioned below, which will move traffic to NFQ 1; attached is the snort conf file to work with NFQ 1.

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 80 -j NFQUEUE --queue-num 1

Now run snort with the following command:

snort -c /etc/snort/TEST_snort.conf -Q -k none -Acmg -H -U

Now try curl to access a URL:

# curl google.co.in

Please check which rules get triggered. Here I see the "established" keyword rules do not hit and only the rule

drop tcp any any <> any any (msg:"NO FLOW";content:"GET";nocase; react:msg;sid:4; )

gets triggered, but no react message is sent because the connection was not established for Snort.

04/01-05:16:06.414514 [Drop] [**] [1:4:0] NO FLOW [**] [Priority: 0] {TCP} 10.10.10.131:45708 -> 216.58.197.67:80
04/01-05:16:06.414514 10.10.10.131:45708 -> 216.58.197.67:80
TCP TTL:64 TOS:0x0 ID:55284 IpLen:20 DgmLen:128 DF
***AP*** Seq: 0x8A645331 Ack: 0xA37FF501 Win: 0xE5 TcpLen: 32
TCP Options (3) => NOP NOP TS: 17401029 537707313
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
48 6F 73 74 3A 20 67 6F 6F 67 6C 65 2E 63 6F 2E  Host: google.co.
69 6E 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  in..User-Agent: 
63 75 72 6C 2F 37 2E 34 33 2E 30 0D 0A 41 63 63  curl/7.43.0..Acc
65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A              ept: */*....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Thanks,
Amul Patel

On Thu, Mar 31, 2016 at 7:59 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
Works for me.. but ONLY when inline, when using the drop keyword. You can use -Aconsole:test to see which packet it is triggering on.

[root@provare snort-2.9.8.0-build_214]# less etc/FLOW-ISSUE.conf | grep drop
drop tcp any any <> any any (msg:"FLOW";flow:from_client,established;content:"GET";nocase; react:msg;sid:2; )
drop tcp any any <> any any (msg:"NO FLOW";content:"GET";nocase; react:msg;sid:3; )

[root@provare snort-2.9.8.0-build_214]# ./bin/snort -c etc/FLOW-ISSUE.conf -Q --daq dump --daq-var load-mode=read-file -r etc/FLOW-ISSUE.pcap -Acmg -H -U -k none -q
03/31-13:22:02.747754 [Drop] [**] [1:3:0] NO FLOW [**] [Priority: 0] {TCP} 10.0.2.15:42250 -> 74.125.22.105:80
03/31-13:22:02.747754 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800 len:0x84
10.0.2.15:42250 -> 74.125.22.105:80 TCP TTL:64 TOS:0x0 ID:5752 IpLen:20 DgmLen:118 DF
***AP*** Seq: 0x603FBC47 Ack: 0x177002 Win: 0x7210 TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
55 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C  User-Agent: curl
2F 37 2E 34 30 2E 30 0D 0A 48 6F 73 74 3A 20 77  /7.40.0..Host: w
77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 41  ww.google.com..A
63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A        ccept: */*....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
03/31-13:22:02.747754 [Drop] [**] [1:2:0] FLOW [**] [Priority: 0] {TCP} 10.0.2.15:42250 -> 74.125.22.105:80
03/31-13:22:02.747754 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800 len:0x84
10.0.2.15:42250 -> 74.125.22.105:80 TCP TTL:64 TOS:0x0 ID:5752 IpLen:20 DgmLen:118 DF
***AP*** Seq: 0x603FBC47 Ack: 0x177002 Win: 0x7210 TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
55 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C  User-Agent: curl
2F 37 2E 34 30 2E 30 0D 0A 48 6F 73 74 3A 20 77  /7.40.0..Host: w
77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 41  ww.google.com..A
63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A        ccept: */*....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[root@provare snort-2.9.8.0-build_214]# ./bin/snort -c etc/FLOW-ISSUE.conf -r /tmp/FLOW-ISSUE.pcap -Acmg -H -U -k none -q

[root@provare snort-2.9.8.0-build_214]# ./bin/snort -c etc/FLOW-ISSUE.conf -Q --daq dump --daq-var load-mode=read-file -r etc/FLOW-ISSUE.pcap -Aconsole:test -H -U -k none -q
4 1 3 0
4 1 2 0

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Amul Patel [mailto:amulpatel.biz () gmail com]
Sent: Thursday, March 31, 2016 10:18 AM
To: wkitty42 () windstream net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] help - React keyword use to display message on web browser

Thanks for the detailed explanations.. I need to clarify how and when a snort rule will act on an established connection. I have a rule which should trigger if the content keyword matched and send a message to the browser. react will send messages to the browser only if the connection is established. But when I use flow:established, then the rule does not even trigger. It means that for snort the connection is still not established, otherwise the rule could have triggered. So is there any configuration to make the rule work with an established connection?

Thanks
Amul Patel

Sent from my Samsung device

-------- Original message --------
From: wkitty42 () windstream net
Date: 31/03/2016 7:31 pm (GMT+05:30)
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] help - React keyword use to display message on web browser

On 03/31/2016 09:11 AM, Amul Patel wrote:
> Does anyone know how snort knows that a connection is established?

a connection is seen as established when the three-way handshake has been completed... of course that only works for TCP connections as UDP doesn't handshake like that...

an established connection is no longer established when one side or the other sends the initial FIN teardown request... this is a four-way pattern of FIN, ACK, FIN, ACK where the first FIN and last ACK are sent by one end of the connection and the two middle ones are sent by the other end... in many many cases, network stacks drop the connection as soon as they send their FIN and they don't wait for the ACK to arrive... that can cause what is known as spurious firewall hits because the ACK is not associated with an established connection and gets logged and dropped since it has nowhere to be sent, because the receiver has already shut down the connection and is not listening any longer... in other cases, one might send a RST to close the connection abruptly... so, two ways to tear down a TCP connection... FIN(,ACK,FIN,ACK) and RST...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.
--
Thanks & Regards,
Amul Patel
07875648886
Attachment:
TEST_snort.conf
Description:
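The thread turns on one point: a rule with flow:established can only fire once Snort's stream tracker has seen the client's SYN, the server's SYN-ACK and the client's ACK, and react needs that same established session to inject its response. The following is an added example, not code from the thread and not Snort's own stream preprocessor: a deliberately small Python model of the state machine wkitty42 describes (three-way handshake to ESTABLISHED, FIN/ACK/FIN/ACK or RST to CLOSED), with the two rules from Al's FLOW-ISSUE.conf evaluated against a constructed curl session. It also runs the same session through a filter that keeps only packets with destination port 80, which is my reading of what the posted iptables rules hand to NFQUEUE 1 (both chains match --dport 80, so server replies with source port 80 would not be queued); that is an assumption about the test setup, not something the thread states. The packet list, endpoints (copied from Al's alert output) and the Packet/Flow/Rule classes are all constructed for this example.

```python
"""Added example: toy TCP stream tracker + Snort-style flow rule evaluation.
Not Snort source; a simplification of what stream5/stream6 does."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # subset of "SAFRP": e.g. "S", "SA", "A", "PA", "FA", "R"
    payload: bytes = b""

@dataclass
class Flow:
    client: Tuple[str, int]
    server: Tuple[str, int]
    state: str = "NONE"   # NONE -> SYN_SENT -> SYN_RECV -> ESTABLISHED -> CLOSING -> CLOSED
    fins_seen: int = 0

    @property
    def established(self) -> bool:
        return self.state == "ESTABLISHED"

def flow_key(p: Packet) -> tuple:
    """Direction-independent 4-tuple so both halves of a session map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

class Tracker:
    def __init__(self) -> None:
        self.flows: Dict[tuple, Flow] = {}

    def feed(self, p: Packet) -> Flow:
        flow = self.flows.get(flow_key(p))
        if flow is None:
            # First packet seen names the client. If it is not a bare SYN we picked
            # the session up mid-stream and will never see it become ESTABLISHED.
            flow = Flow(client=(p.src, p.sport), server=(p.dst, p.dport))
            self.flows[flow_key(p)] = flow
        from_client = (p.src, p.sport) == flow.client
        f = p.flags
        if "R" in f:
            flow.state = "CLOSED"                              # abrupt teardown
        elif flow.state == "NONE" and f == "S" and from_client:
            flow.state = "SYN_SENT"
        elif flow.state == "SYN_SENT" and "S" in f and "A" in f and not from_client:
            flow.state = "SYN_RECV"                            # server's SYN-ACK
        elif flow.state == "SYN_RECV" and "A" in f and "S" not in f and from_client:
            flow.state = "ESTABLISHED"                         # handshake complete
        elif flow.state in ("ESTABLISHED", "CLOSING") and "F" in f:
            flow.fins_seen += 1                                # first FIN ends "established"
            flow.state = "CLOSING" if flow.fins_seen < 2 else "CLOSED"
        return flow

@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes
    established: bool = False   # flow:established
    from_client: bool = False   # flow:from_client

def rule_matches(rule: Rule, p: Packet, flow: Flow) -> bool:
    if rule.content.lower() not in p.payload.lower():         # content:...; nocase
        return False
    if rule.established and not flow.established:
        return False
    if rule.from_client and (p.src, p.sport) != flow.client:
        return False
    return True

# The two rules from the thread's FLOW-ISSUE.conf (react itself is not modelled).
RULES = [Rule(2, "FLOW", b"GET", established=True, from_client=True),
         Rule(3, "NO FLOW", b"GET")]

def run(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[int, str]]:
    """Feed packets through the tracker; return (sid, msg) for every rule hit."""
    tracker, hits = Tracker(), []
    for p in packets:
        flow = tracker.feed(p)
        hits += [(r.sid, r.msg) for r in rules if rule_matches(r, p, flow)]
    return hits

def final_state(packets: List[Packet]) -> str:
    tracker, state = Tracker(), "NONE"
    for p in packets:
        state = tracker.feed(p).state
    return state

# Constructed session; endpoints copied from Al's alert output.
C, S = ("10.0.2.15", 42250), ("74.125.22.105", 80)
def pkt(src, dst, flags, payload=b""):
    return Packet(src[0], src[1], dst[0], dst[1], flags, payload)

GET = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
FULL_SESSION = [pkt(C, S, "S"), pkt(S, C, "SA"), pkt(C, S, "A"),      # handshake
                pkt(C, S, "PA", GET), pkt(S, C, "A"),                   # request
                pkt(S, C, "FA"), pkt(C, S, "A"), pkt(C, S, "FA"), pkt(S, C, "A")]

def only_dport80(packets: List[Packet]) -> List[Packet]:
    """Assumption: NFQUEUE rules matching only --dport 80 queue one direction."""
    return [p for p in packets if p.dport == 80]

if __name__ == "__main__":
    print("both directions:", run(FULL_SESSION))          # sid 2 and sid 3 fire
    print("dport 80 only:  ", run(only_dport80(FULL_SESSION)))  # only sid 3 fires
```

Fed both directions, the GET matches sid 2 and sid 3, as in Al's --daq dump run; fed only the client-to-server half, the tracker is stuck in SYN_SENT because it never sees the SYN-ACK, so only the rule without a flow keyword fires, which is the symptom Amul reports under NFQ. The practical check is therefore to confirm that the return half of the session reaches the same queue (a rule on --sport 80, or a stateful match on the connection) before blaming the react keyword.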
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 31)
- Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 31)
- Re: help - React keyword use to display message on web browser Amul Patel (Mar 31)
- Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 31)