Re: help - React keyword use to display message on web browser

[Amul Patel <amulpatel.biz () gmail com>]

Hi Albert,

Its working only with --daq dump mode.

Can you please try once with NFQ ? There is difference  snort mode i.e. daq
type dump & nfq.
I observed Its not working for nfq.

Config NFQ setting to test:

Update firewall rule as mentioned below which will move traffic to NFQ 1
and attached is the snort conf file to work with NFQ 1.

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j NFQUEUE
--queue-num 1
iptables -t mangle -A POSTROUTING -o eth0 -p tcp --dport 80 -j NFQUEUE
--queue-num 1

now run snort with following command :   snort -c
/etc/snort/TEST_snort.conf -Q  -k none  -Acmg -H -U


now try curl to access url.

# curl google.co.in




Please check which rules get triggered.

Here I see "established" keyword rules does not hit and only rule - drop
tcp any any <> any any (msg:"NO FLOW";content:"GET";nocase;
react:msg;sid:4; ) gets triggered but no react message sent because of
connection was not established for snort.

04/01-05:16:06.414514  [Drop] [**] [1:4:0] NO FLOW [**] [Priority: 0] {TCP}
10.10.10.131:45708 -> 216.58.197.67:80
04/01-05:16:06.414514 10.10.10.131:45708 -> 216.58.197.67:80
TCP TTL:64 TOS:0x0 ID:55284 IpLen:20 DgmLen:128 DF
***AP*** Seq: 0x8A645331  Ack: 0xA37FF501  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 17401029 537707313
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
48 6F 73 74 3A 20 67 6F 6F 67 6C 65 2E 63 6F 2E  Host: google.co.
69 6E 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  in..User-Agent:
63 75 72 6C 2F 37 2E 34 33 2E 30 0D 0A 41 63 63  curl/7.43.0..Acc
65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A              ept: */*....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Thanks,
Amul Patel


On Thu, Mar 31, 2016 at 7:59 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

> Works for me.. but ONLY when inline when using the drop keyword. You can
> use -Aconsole:test to see which packet it is triggering on.
>
>
>
> [root@provare snort-2.9.8.0-build_214]# less etc/FLOW-ISSUE.conf | grep
> drop
>
> *drop tcp any any <> any any
> (msg:"FLOW";flow:from_client,established;content:"GET";nocase;
> react:msg;sid:2; )*
>
> *drop tcp any any <> any any (msg:"NO FLOW";content:"GET";nocase;
> react:msg;sid:3; )*
>
>
>
>
>
> [root@provare snort-2.9.8.0-build_214]# *./bin/snort -c
> etc/FLOW-ISSUE.conf -Q --daq dump --daq-var load-mode=read-file -r
> etc/FLOW-ISSUE.pcap -Acmg -H -U -k none -q*
>
> 03/31-13:22:02.747754  [Drop] [**] [1:3:0] NO FLOW [**] [Priority: 0]
> {TCP} 10.0.2.15:42250 -> 74.125.22.105:80
>
> 03/31-13:22:02.747754 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800
> len:0x84
>
> 10.0.2.15:42250 -> 74.125.22.105:80 TCP TTL:64 TOS:0x0 ID:5752 IpLen:20
> DgmLen:118 DF
>
> ***AP*** Seq: 0x603FBC47  Ack: 0x177002  Win: 0x7210  TcpLen: 20
>
> 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
>
> 55 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C  User-Agent: curl
>
> 2F 37 2E 34 30 2E 30 0D 0A 48 6F 73 74 3A 20 77  /7.40.0..Host: w
>
> 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 41  ww.google.com..A
>
> 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A        ccept: */*....
>
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
>
>
> 03/31-13:22:02.747754  [Drop] [**] [1:2:0] FLOW [**] [Priority: 0] {TCP}
> 10.0.2.15:42250 -> 74.125.22.105:80
>
> 03/31-13:22:02.747754 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800
> len:0x84
>
> 10.0.2.15:42250 -> 74.125.22.105:80 TCP TTL:64 TOS:0x0 ID:5752 IpLen:20
> DgmLen:118 DF
>
> ***AP*** Seq: 0x603FBC47  Ack: 0x177002  Win: 0x7210  TcpLen: 20
>
> 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 31 0D 0A  GET / HTTP/1.1..
>
> 55 73 65 72 2D 41 67 65 6E 74 3A 20 63 75 72 6C  User-Agent: curl
>
> 2F 37 2E 34 30 2E 30 0D 0A 48 6F 73 74 3A 20 77  /7.40.0..Host: w
>
> 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 41  ww.google.com..A
>
> 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 0D 0A        ccept: */*....
>
>
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>
>
>
>
> [root@provare snort-2.9.8.0-build_214]# ./bin/snort -c
> etc/FLOW-ISSUE.conf -r /tmp/FLOW-ISSUE.pcap -Acmg -H -U -k none -q
>
> *[root@provare snort-2.9.8.0-build_214]# ./bin/snort -c
> etc/FLOW-ISSUE.conf -Q --daq dump --daq-var load-mode=read-file -r
> etc/FLOW-ISSUE.pcap -Aconsole:test -H -U -k none -q*
>
> *4              1              3              0              *
>
> *4              1              2              0*
>
>
>
> Albert Lewis
>
> QA Software Engineer
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi () cisco com
>
>
>
> *From:* Amul Patel [mailto:amulpatel.biz () gmail com]
> *Sent:* Thursday, March 31, 2016 10:18 AM
> *To:* wkitty42 () windstream net; snort-users () lists sourceforge net
>
> *Subject:* Re: [Snort-users] help - React keyword use to display message
> on web browser
>
>
>
> Thanks for detail explanations..
>
> I need to clarify i.e. how and when snort rule will act on established
> connection?
>
>
>
> Such as i have rule which shuld trigger if content keyword matched and
> send message to browser.
>
> Since react will send messages to browser only if connection is
> established.
>
>
>
> But when i use flow:established then even rule does not triggered. It
> means for snort, connection is still not established otherwise rule could
> have triggered.
>
>
>
> So is there any configuration to make rule to be work with established
> connection? ?
>
>
>
> Thanks
>
> Amul Patel
>
>
>
>
>
>
>
> Sent from my Samsung device
>
>
>
> -------- Original message --------
> From: wkitty42 () windstream net
> Date: 31/03/2016 7:31 pm (GMT+05:30)
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] help - React keyword use to display message on
> web browser
>
> On 03/31/2016 09:11 AM, Amul Patel wrote:
> > Does any one know how snort know that connection is established ?
>
> a connection is seen as established when the three-way handshake has been
> completed... of course that only works for TCP connections as UDP doesn't
> handshake like that...
>
> an established connection is no longer established when one side or the
> other
> sends the initial FIN teardown request... this is a four-way pattern of
> FIN,
> ACK, FIN, ACK where the first FIN and last ACK are sent by one end of the
> connection and the two middle ones are sent by the other end...
>
> in many many cases, networks stacks drop the connection as soon as they
> send
> their FIN and they don't wait for the ACK to arrive... that can cause what
> is
> known as spurious firewall hits because the ACK is not associated with an
> established connection and gets logged and dropped since it has no where
> to be
> sent because the receiver has already shut down the connection and it not
> listening any longer...
>
> in other cases, one might send a RST to close the connection abruptly...
>
> so, two ways to teardown a TCP connection... FIN(,ACK,FIN,ACK) and RST...
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
> ------------------------------------------------------------------------------
> Transform Data into Opportunity.
> Accelerate data analysis in your applications with
> Intel Data Analytics Acceleration Library.
> Click to learn more.
> http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 





*Thanks & Regards,Amul Patel07875648886*

Attachment: TEST_snort.conf
Description:

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!