Snort mailing list archives

Issue with Snort and ColdFusion


From: <sdesort () gmail com>
Date: Thu, 9 Feb 2017 08:32:58 -0500

Hello. Please forgive me in advance as I have very little experience with Snort and pfSense.

I am running Snort 3.2.9.1_14 on a pfSense box we just put online. I have a Windows ColdFusion server and an MS SQL 
server running, among others, behind pfSense. I am running VRT free, GPLv2 and ET Open rules. I have quite a few rule 
categories enabled, including IIS/ColdFusion/OS Windows/webapp/MSSQL, etc. Obviously these servers are part of 
$HOME_NET and are bypassed. I have not changed any of the other default Snort settings after install.

With pfSense running and Snort DISABLED, all is well.

I enabled Snort in non-blocking mode for 3 weeks and monitored the logs and bypassed rules that appeared to be overly 
sensitive. All running well.

Last week, I enabled blocking.

Shortly thereafter, ColdFusion started misbehaving. Namely, JRun would suddenly start spawning threads, accumulating 
until JRun/Java would run out of memory or stall. Killing JRun would clear the problem. This would happen without any 
common time gap. Sometimes 6 hours after a JRun restart, sometimes 30 hours. No discernible pattern.

Since JRun didn't appear to log anything about the threads, I could only guess specific times it started by viewing the 
other ColdFusion logs to see when normal traffic logging stopped to determine an approximate time when the 
thread build-up started. Using that info, I inspected the Snort logs at various times and saw nothing at all in those 
logs that might shed light on something being blocked that would cause JRun to behave this way. I was not able to find 
any correlation between the JRun issue and a Snort block that would cause this issue. And none of my internal LAN hosts 
showed up on the Snort block list when the issue was in progress.

After going through this for about a week, I disabled Snort blocking. JRun is happy now.

As I understand it, Snort intercepts and blocks web requests BEFORE they reach their destination. For example, in a SQL 
injection rule hit, nothing in that request makes it through to the server. So I don't see how JRun would be affected 
by such a block if no part of the HTTP request reaches the destination when that rule is tripped. My thought was that a 
connection between the client and server was established, ColdFusion was trying to run a query, but then AFTER that, 
the client was blocked, preventing the JRun thread from completing since it was cut off from the client. But I don't 
think that's the case. Another possible cause for JRun threads to spool out of control is loss of communication with 
SQL. Both machines are on the same LAN segment and subnet and are both bypassed in Snort and pfSense. Communication 
between IIS/CF and SQL should not even be going through pfSense at all since they are on the same LAN segment and 
subnet. It must be some communication between an external client and the ColdFusion server that Snort is "interfering" 
with in such a way that causes this issue.

Short of disabling rule categories and re-enabling them one by one (there are so many), does anyone have any other 
thoughts on a possible cause or what other things I could do to troubleshoot? Sorry for the long-winded message… tried 
to include as much detail as possible.

Thanks

--
Scot
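A way to do the timeline correlation the post describes by hand, as an added example that is not part of the original message and not code from the Snort or pfSense projects: it takes Snort alerts in the "fast" output format plus the request timestamps pulled from the IIS/ColdFusion log, finds where request logging stopped (the approximate start of a thread build-up), and lists the alerts that fell within a window around that moment, counted per source address and rule SID. Every log line, address and SID below is constructed for the demonstration (documentation address ranges, local-range SIDs 1000001 and up); the year is passed in explicitly because fast-format timestamps omit it.

```python
"""Correlate Snort fast-format alerts with quiet gaps in a web server's request log.

Added example, not code from the original post. Assumptions:
  * Snort alert lines are in the "fast" output format (no year in the timestamp),
  * request timestamps have already been extracted from the IIS/ColdFusion log,
  * a sudden stop in request logging marks the approximate start of a stall.
All sample data below is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed Snort fast-format alert lines (RFC 5737 addresses, local-range SIDs).
SNORT_FAST_LOG = """\
02/09-03:40:12.118211  [**] [1:1000001:1] LOCAL POLICY inbound to SQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:1433
02/09-04:01:44.002341  [**] [1:1000002:1] LOCAL WEB possible SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.77:40112 -> 192.0.2.10:80
02/09-04:02:10.553190  [**] [1:1000002:1] LOCAL WEB possible SQL injection attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.77:40113 -> 192.0.2.10:80
02/09-09:15:03.000001  [**] [1:1000003:1] LOCAL WEB scanner user-agent [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:50222 -> 192.0.2.10:80
"""

# Constructed request timestamps from the web server log (one per logged request).
WEB_REQUEST_TIMES = """\
2017-02-09 03:55:01
2017-02-09 03:57:30
2017-02-09 04:00:12
2017-02-09 04:02:05
2017-02-09 09:14:50
2017-02-09 09:16:02
"""

FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)$"
)


def parse_snort_fast(text, year):
    """Parse fast-format alert lines into dicts; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}",
                               "%Y/%m/%d %H:%M:%S.%f")
        alerts.append({"ts": ts, "sid": m["sid"], "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"]})
    return alerts


def parse_request_times(text):
    """Return the request timestamps in chronological order."""
    return sorted(datetime.strptime(l.strip(), "%Y-%m-%d %H:%M:%S")
                  for l in text.splitlines() if l.strip())


def find_quiet_gaps(times, min_gap=timedelta(minutes=30)):
    """(last_request, next_request) pairs where logging stopped for at least min_gap."""
    return [(earlier, later) for earlier, later in zip(times, times[1:])
            if later - earlier >= min_gap]


def correlate(alerts, gaps, window=timedelta(minutes=15)):
    """For each quiet gap, collect alerts within +/- window of its start and count per (src, sid)."""
    report = []
    for last_req, next_req in gaps:
        near = [a for a in alerts if abs(a["ts"] - last_req) <= window]
        report.append({"stall_start": last_req, "resumed": next_req, "alerts": near,
                       "by_source_sid": Counter((a["src"], a["sid"]) for a in near)})
    return report


if __name__ == "__main__":
    alerts = parse_snort_fast(SNORT_FAST_LOG, year=2017)
    gaps = find_quiet_gaps(parse_request_times(WEB_REQUEST_TIMES))
    for entry in correlate(alerts, gaps):
        print(f"logging stopped {entry['stall_start']}, resumed {entry['resumed']}")
        for (src, sid), n in entry["by_source_sid"].most_common():
            print(f"  {src} sid {sid}: {n} alert(s) inside the window")
        for a in entry["alerts"]:
            print(f"    {a['ts']} {a['src']} -> {a['dst']} {a['msg']}")
```

Run it against the real alert log and a timestamp column cut from the IIS log, widening the window if nothing lines up; a source address that keeps appearing just before each stall is the thing to look at next. One caveat worth keeping in mind while reading the output: with the pfSense package's pcap-based blocking, Snort inspects a copy of the packet and adds the offending address to a pf table, so the packet that raised the alert has already been forwarded and the block falls on the rest of that flow and on later ones. A server-side thread can therefore be left waiting on a client that has just been cut off, which is consistent with the build-up described above even though the alerting request itself did reach the server.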




