Snort mailing list archives

FW: snort black list issue


From: anton van der leun <anton () vanderleun com>
Date: Thu, 4 Aug 2016 20:36:49 +0200

 

 
From: Anton van der Leun [mailto:anton () triple-t-services nl]
Sent: Thursday, 4 August 2016 20:33
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] snort black list issue

 
Hi Hui and maybe other readers.

 
I just found the cause of my issue…

In this Snort device we were using PF_RING (this is an extra driver whose main goal is to use extra CPU cores (if
available) to get better throughput).

Disabling it and switching back to the standard DAQ (afpacket mode) solved the issue.

Snort is blocking like a charm now.

 
Many thanks for your attention to this; for multithreaded Snort I will wait for Snort 3.0.

 
cheers,

anton
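As an added example (not text from Anton's or Hui's messages, and not the Snort project's shipped configuration): a snort.conf fragment for the setup Anton ended up with, the reputation preprocessor running on the afpacket DAQ in inline mode with the GID 136 blacklist event set to drop. File paths, interface names and the list entries are assumptions.

```conf
# snort.conf fragment (added example, not from the thread).
# Paths, interface names and list entries below are assumptions.

# A drop verdict needs an inline-capable DAQ running in inline mode *and*
# inline policy mode; in passive/tap mode a "drop" rule does not drop.
# Anton's --daq-list output shows afpacket(v5) with the "inline" capability.
config daq: afpacket
config daq_mode: inline
config policy_mode: inline

# Reputation preprocessor. Each list file holds one IP address or CIDR
# block per line, "#" starting a comment. "priority whitelist" (the default)
# means an address found on both lists is treated as whitelisted, which is
# why Hui asks whether either side of the flow is on the whitelist.
preprocessor reputation: \
    memcap 500, \
    priority whitelist, \
    nested_ip inner, \
    whitelist /etc/snort/reputation/white_list.rules, \
    blacklist /etc/snort/reputation/black_list.rules

# The preprocessor only raises GID 136 events; the rule action decides what
# happens. sid 1 (blacklist hit) must be "drop", not "alert", or a hit is
# merely logged. These lines normally live in preproc_rules/preprocessor.rules.
drop  ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )
alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; )

# /etc/snort/reputation/black_list.rules (assumed path; constructed entries
# using documentation address ranges):
#   # hosts to block
#   192.0.2.0/24
#   198.51.100.7
#
# Start Snort bridging the two interfaces in inline mode:
#   snort -Q --daq afpacket --daq-mode inline -i eth0:eth1 -c /etc/snort/snort.conf
```

The three `config` lines and the `-Q` flag say the same thing twice on purpose: a box that is started without `-Q` (or with the default pcap DAQ) will still count blacklist hits in the preprocessor statistics while passing the traffic, which looks very much like the symptom in this thread.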

 
From: anton van der leun [mailto:anton () vanderleun com]
Sent: Wednesday, 3 August 2016 11:48
To: Hui cao <huica () cisco com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () lists sourceforge net
CC: Alexander van der Leun <alex () triple-t-services nl>
Subject: AW: AW: [Snort-users] snort black list issue

 
Hi Hui,

 
I studied this further yesterday, but I could not find whether or what I am doing wrong.

In my opinion a blacklist is a blacklist, and everything that is described here should be blocked in an IPS.

 
the statement:

    If DAQ does not support BLACKLIST verdict, it should drop the first packet. After that, packets in that session 
will be blocked by snort session preprocessor, not reputation.

 
This is what is happening; however, the session preprocessor is not dropping.

This raises 2 questions:

 
1. Can I configure the BLACKLIST verdict in the DAQ module, or does this need special hardware?

    (which is strange to me, as most Snort images run on normal Linux commodity hardware/software)

 
2. Where or how can I configure the session preprocessor to block flows that are on the blacklist?

 
 
 
many thanks again,

 
anton

 
 
[root@snort73]# /usr/local/bin/snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

 
-----Original message-----
From: Hui cao <huica () cisco com>
Sent: Tuesday, 2 August 2016 18:24
To: anton van der leun <anton () vanderleun com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () lists sourceforge net
Cc: Alexander van der Leun <alex () triple-t-services nl>
Subject: Re: AW: [Snort-users] snort black list issue


The reputation preprocessor is called after the session preprocessor. You can capture traffic for that session and look at what
happened with that session. There is lots of other traffic.

If the DAQ you use supports the BLACKLIST verdict, the DAQ will block the whole session, so Snort will not receive those
packets.
If the DAQ does not support the BLACKLIST verdict, it should drop the first packet. After that, packets in that session will be
blocked by the Snort session preprocessor, not reputation.

Best,
Hui.

On 08/02/2016 11:26 AM, anton van der leun wrote:

Hi Hui,

 
some more testing:

Aug  2 17:33:04 snort73 snort[2834]: ===============================================================================
Aug  2 17:33:04 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:04 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:33:04 snort73 snort[2834]: Number of packets blacklisted: 9
Aug  2 17:33:04 snort73 snort[2834]: Number of packets whitelisted: 7698
Aug  2 17:33:04 snort73 snort[2834]: =========================================================================

telnet <blacklisted ip> 80  (succeeds)

Aug  2 17:33:51 snort73 snort[2834]: ===============================================================================
Aug  2 17:33:51 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:51 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:33:51 snort73 snort[2834]: Number of packets blacklisted: 10
Aug  2 17:33:51 snort73 snort[2834]: Number of packets whitelisted: 7926
Aug  2 17:33:51 snort73 snort[2834]: ===============================================================================

with browser to same ip address   (succeeds)

Aug  2 17:35:22 snort73 snort[2834]: ===============================================================================
Aug  2 17:35:22 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:35:22 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:35:22 snort73 snort[2834]: Number of packets blacklisted: 22
Aug  2 17:35:22 snort73 snort[2834]: Number of packets whitelisted: 8217
Aug  2 17:35:22 snort73 snort[2834]: ===============================================================================

So apparently some packets are dropped, but not all...
I can remember that when I was investigating this issue last weekend I saw a lot of retransmits.
I will make a Wireshark trace via a monitor port to see what is going on here and will report the outcome to you later.

I believed that the reputation preprocessor looks at every packet first and, if it is on the blacklist, it is dropped
without any further processing, but I think I am wrong on this?

thanks again,
anton

 
 
-----Original message-----
From: Hui cao <huica () cisco com>
Sent: Tuesday, 2 August 2016 16:42
To: anton van der leun <anton () vanderleun com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () lists sourceforge net
Cc: Alexander van der Leun <alex () triple-t-services nl>
Subject: Re: AW: [Snort-users] snort black list issue

Hi Anton,

You have packets that are whitelisted. Have you checked that neither IP is in the whitelist?

Do you have this defined in your rule?

drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )

Best,
Hui.

On 08/02/2016 10:21 AM, anton van der leun wrote:

Reputation Preprocessor Statistics
Total Memory Allocated: 2257540
Number of packets blacklisted: 12
Number of packets whitelisted: 333
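An added example, not part of anyone's message in this thread: a small parser for the "Reputation Preprocessor Statistics" snapshots Anton pasted from syslog, working out how many packets the reputation preprocessor blacklisted and whitelisted between consecutive snapshots, i.e. across each of his manual tests. The sample lines are the three snapshots from his 2 August message, embedded so the script runs offline; the reading of the numbers in the note below follows Hui's explanation of the first-packet drop.

```python
"""Delta analysis of Snort 2.x reputation preprocessor statistics (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three snapshots Anton posted, in syslog form.
SAMPLE_LOG = """\
Aug  2 17:33:04 snort73 snort[2834]: ===============================================================================
Aug  2 17:33:04 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:04 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:33:04 snort73 snort[2834]: Number of packets blacklisted: 9
Aug  2 17:33:04 snort73 snort[2834]: Number of packets whitelisted: 7698
Aug  2 17:33:04 snort73 snort[2834]: =========================================================================
Aug  2 17:33:51 snort73 snort[2834]: ===============================================================================
Aug  2 17:33:51 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:33:51 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:33:51 snort73 snort[2834]: Number of packets blacklisted: 10
Aug  2 17:33:51 snort73 snort[2834]: Number of packets whitelisted: 7926
Aug  2 17:33:51 snort73 snort[2834]: ===============================================================================
Aug  2 17:35:22 snort73 snort[2834]: ===============================================================================
Aug  2 17:35:22 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug  2 17:35:22 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug  2 17:35:22 snort73 snort[2834]: Number of packets blacklisted: 22
Aug  2 17:35:22 snort73 snort[2834]: Number of packets whitelisted: 8217
Aug  2 17:35:22 snort73 snort[2834]: ===============================================================================
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host snort[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
COUNT_RE = re.compile(r"^Number of packets (?P<kind>blacklisted|whitelisted): (?P<n>\d+)$")


@dataclass
class Snapshot:
    ts: str
    pid: int
    blacklisted: Optional[int] = None
    whitelisted: Optional[int] = None


@dataclass
class Delta:
    start: str
    end: str
    blacklisted: int
    whitelisted: int
    restarted: bool  # counters are not comparable across a Snort restart


def parse_snapshots(text: str) -> List[Snapshot]:
    """Collect one Snapshot per 'Reputation Preprocessor Statistics' block."""
    snaps: List[Snapshot] = []
    cur: Optional[Snapshot] = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a snort syslog line; ignore
        msg = m.group("msg").strip()
        if msg == "Reputation Preprocessor Statistics":
            cur = Snapshot(m.group("ts"), int(m.group("pid")))
            snaps.append(cur)
            continue
        c = COUNT_RE.match(msg)
        if c and cur is not None:
            setattr(cur, c.group("kind"), int(c.group("n")))
    # keep only complete snapshots (both counters seen)
    return [s for s in snaps if s.blacklisted is not None and s.whitelisted is not None]


def deltas(snaps: List[Snapshot]) -> List[Delta]:
    """Per-interval growth of both counters, flagging intervals that span a restart."""
    out: List[Delta] = []
    for a, b in zip(snaps, snaps[1:]):
        restarted = (
            a.pid != b.pid
            or b.blacklisted < a.blacklisted
            or b.whitelisted < a.whitelisted
        )
        out.append(Delta(a.ts, b.ts, b.blacklisted - a.blacklisted,
                         b.whitelisted - a.whitelisted, restarted))
    return out


if __name__ == "__main__":
    for d in deltas(parse_snapshots(SAMPLE_LOG)):
        flag = "  (counters reset: snort restarted)" if d.restarted else ""
        print(f"{d.start} -> {d.end}: blacklisted +{d.blacklisted}, "
              f"whitelisted +{d.whitelisted}{flag}")
```

Across the telnet test the blacklisted counter grows by 1 against 228 whitelisted packets, and across the browser test by 12 against 291. Those are not the packet counts of a complete TCP connection: on a DAQ without the BLACKLIST verdict, reputation drops the first packet of a session and the remainder is handed to the session preprocessor, as Hui describes, so a rising "packets blacklisted" counter by itself does not show whether the connection was actually stopped. A packet capture on the monitor port, as Anton planned, is the check that does. The `restarted` flag keeps an interval from being read as a delta when the pid changed or a counter went backwards.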

 
 
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
