Snort mailing list archives

Rules not triggering


From: <Gregory.Brunn () compucom com>
Date: Wed, 16 Sep 2009 05:13:35 -0500

All,

I am currently running into a problem with a sensor that is behind a
load balancer not triggering on alerts that our sensor in front of the load
balancer is triggering on.

I have been told by the device owners that the load balancer does not alter
the traffic in any way; however, I cannot trust this information because,
after doing a tcpdump on both devices, the amount of traffic for
the same crafted attack is doubled on the inside sensor.

Also, I have checked using the tcpdump output in hex that the content of
what I am sending is coming through.

Also, this load balancer is translating the public IP to a private IP and custom
port.

I have double-checked our Snort configuration and have found nothing that
might flag why this is happening.

I have double-checked the specific rule, and it has the
statement

flow:to_server,established;

My thought was that because the load balancer appears to be handling the
3-way handshake and passing the traffic on to the private IPs, the rule
would never trigger, so I wrote a custom rule and removed this
condition; however, I could not get the new rule to trigger.

I wanted to see if anyone else was having this problem, or whether it is possible
that the load balancer doubling the traffic is messing up the
way Snort reassembles packets.

Any suggestions or help are greatly appreciated as I have spent a lot of
time on the issue.
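The post describes two captures of the same crafted attack, one in front of the load balancer and one behind it, and asks whether the missing handshake or the doubled segments is what keeps the inside sensor from alerting. The script below is an added diagnostic, not part of the original post or of Snort: it reads a classic `tcpdump -w` capture and reports, per TCP flow, whether the sensor saw the SYN / SYN-ACK / ACK exchange, how many data segments were delivered more than once, and whether a given attack string is present in the reassembled client-to-server data. The addresses, ports, the NAT to a private IP and custom port, and the attack string split across two segments are all constructed for the demo (IP/TCP checksums are left at zero in the constructed frames); the script reports only what the capture contains and makes no claim about how Snort's stream preprocessor will classify the flow.

```python
"""Added diagnostic (not from the post): summarise what a sensor actually saw per TCP flow.
Pure standard library, so it can run on the sensor against a tcpdump -w file."""
import socket
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08


def analyze_pcap(data: bytes, needle: bytes) -> dict:
    """Parse a classic little-endian pcap (Ethernet link type) and report per flow:
    handshake seen, duplicate data segments, needle present in client->server stream."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here (not pcapng)")
    st = defaultdict(lambda: {"syn": False, "synack": False, "ack": False,
                              "client": None, "seen": set(), "dups": 0, "c2s": {}})
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":         # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                          # not TCP
            continue
        total = struct.unpack_from("!H", ip, 2)[0]
        src, dst = ip[12:16], ip[16:20]
        tcp = ip[ihl:total]
        sport, dport, seq, ack, doff, flags = struct.unpack_from("!HHIIBB", tcp, 0)
        payload = tcp[(doff >> 4) * 4:]
        a, b = (src, sport), (dst, dport)
        f = st[tuple(sorted([a, b]))]           # direction-independent flow key
        if flags & SYN and not flags & ACK:
            f["syn"], f["client"] = True, a     # the SYN sender is the client
        elif flags & SYN and flags & ACK:
            f["synack"] = True
        elif flags & ACK and not payload and f["synack"] and not f["ack"]:
            f["ack"] = True                     # third packet of the handshake
        if payload:
            if f["client"] is None:             # no SYN seen: assume the first talker is the client
                f["client"] = a
            if (a, seq) in f["seen"]:
                f["dups"] += 1                  # same segment delivered again (doubled traffic)
            f["seen"].add((a, seq))
            if a == f["client"]:
                f["c2s"][seq] = payload
    report = {}
    for key, f in st.items():
        stream = b"".join(f["c2s"][s] for s in sorted(f["c2s"]))   # reassemble by sequence number
        report[key] = {"handshake": f["syn"] and f["synack"] and f["ack"],
                       "dups": f["dups"], "content_seen": needle in stream}
    return report


def _frame(src, dst, sport, dport, flags, seq, ack, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _pcap(frames):
    """Wrap frames in a classic pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr
    return out


# Hypothetical attack request, split across two segments so the match string
# only exists after reassembly (constructed data, not from the post).
ATTACK = [b"GET /cgi-bin/../..", b"/../etc/passwd HTTP/1.0\r\n\r\n"]
NEEDLE = b"../../etc/passwd"


def outside_capture():
    """Sensor in front of the load balancer: full handshake, then the data."""
    c, s = "203.0.113.9", "198.51.100.20"
    fr = [_frame(c, s, 40000, 80, SYN, 1000, 0),
          _frame(s, c, 80, 40000, SYN | ACK, 5000, 1001),
          _frame(c, s, 40000, 80, ACK, 1001, 5001)]
    seq = 1001
    for chunk in ATTACK:
        fr.append(_frame(c, s, 40000, 80, PSH | ACK, seq, 5001, chunk))
        seq += len(chunk)
    return _pcap(fr)


def inside_capture():
    """Sensor behind the load balancer: no handshake, server NATed to a private IP
    and custom port, and every data segment delivered twice (hypothetical)."""
    c, s = "203.0.113.9", "10.0.0.5"
    fr, seq = [], 1001
    for chunk in ATTACK:
        pkt = _frame(c, s, 40000, 8080, PSH | ACK, seq, 5001, chunk)
        fr += [pkt, pkt]
        seq += len(chunk)
    return _pcap(fr)


if __name__ == "__main__":
    for name, cap in (("outside", outside_capture()), ("inside", inside_capture())):
        for flow, r in analyze_pcap(cap, NEEDLE).items():
            print(name, flow, r)
```

Run it against the `tcpdump -w` files from both sensors with the rule's content string as the needle and compare the two reports: if the inside capture shows `content_seen` but no handshake, the question becomes how the stream preprocessor treats sessions it picked up midstream; if segments are counted as duplicates, that is the doubled traffic the poster measured, and it is worth confirming whether the copies are byte-identical or have different headers. One further thing worth checking on the inside sensor, not covered by this script, is checksum validity: Snort 2.x verifies IP/TCP checksums by default (`config checksum_mode`) and does not inspect packets that fail, so a device that rewrites addresses and ports without recomputing checksums, or a sensor NIC with checksum offloading, can make traffic visible in tcpdump yet invisible to the rules.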