Re: Rules not triggering

[<Gregory.Brunn () compucom com>]

Hey,

In the snort.conf file it says please note [80,8080] does not work.  Also it says that Portlist must be continuous.  

I tried to take this out of the equation by writing a rule with any port however the rule did not fire. 

Thank you for all your help and please let me know if there is anything else I can do to troubleshoot the issue.

-Greg

-----Original Message-----
From: Matt Olney [mailto:molney () sourcefire com] 
Sent: Wednesday, September 16, 2009 9:57 AM
To: Brunn, Gregory (gbrunn)
Cc: OBrien, Loren (lobrien)
Subject: Re: [Snort-users] Rules not triggering

Don't do that.

On Wed, Sep 16, 2009 at 8:52 AM,  <Gregory.Brunn () compucom com> wrote:
> Sorry the verison is 2.6
>
> -----Original Message-----
> From: Matt Olney [mailto:molney () sourcefire com]
> Sent: Wednesday, September 16, 2009 9:17 AM
> To: Brunn, Gregory (gbrunn)
> Cc: OBrien, Loren (lobrien)
> Subject: Re: [Snort-users] Rules not triggering
>
> If I'm reading your email correctly, item #2 may be your issue.  You 
> have to define all of your HTTP_PORTS on a single line.  Below are two 
> separate configuration examples.  The first defines two ports (80 and
> 80808) and the second defines a single port (80) and a port range (those ports from 8000 to 8080 inclusive).  Make 
> sure your HTTP_PORTS directive is correctly formatted.
>
> ## portvar HTTP_PORTS [80,8080]
> ## portvar HTTP_PORTS [80,8000:8080]
>
> Also, if you give me the SID number you're looking at, I might be able to check some additional things.
>
> Matt Olney
>
> On Wed, Sep 16, 2009 at 8:09 AM,  <Gregory.Brunn () compucom com> wrote:
> > Thanks for the information.
> >
> > 1) I have yet to verify this however the customer rule would have 
> > triggered if I removed the connection established statement correct.
> >
> > 2) The custom port is defined in HTTP_PORTS.  The HOME_NET and 
> > EXTERNAL_NET are set to ANY ANY. Should this be changed? What is 
> > correct way to define custom http_ports in v. 2.
> > 8 is one after eachother correct?
> >
> > Ex.
> > HTTP_PORTS XXX
> > HTTP_PORTS XXXX
> >
> > 3) I have verified that the traffic is being seen on the backend 
> > sensor and that the actually content is in the payload, however the 
> > rule does not triger.  This is the only reason I am thinking that the 
> > reassembly maybe the source.
> >
> > Is there anyway to actually troubleshoot snorts stream reassembly.
> >
> > Thank you very much for all your help and I am a huge fan of snort.
> >
> > -----Original Message-----
> > From: Matt Olney [mailto:molney () sourcefire com]
> > Sent: Wednesday, September 16, 2009 8:08 AM
> > To: Brunn, Gregory (gbrunn)
> > Cc: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Rules not triggering
> >
> > Two things:
> >
> > 1)  Even though the load balancer may be handling "A" 3-way handshake 
> > on the front end, a 3-way handshake still has to occur to the server 
> > in the back.  A web server, for example, still needs to see an 
> > established tcp connection on a listening port before it will reply.
> >
> > 2)  "private ip custom port" gets my attention, as most Snort rules 
> > are port specific.  If your load balancer is passing web traffic to 
> > port 2090 and you haven't modified your HTTP_PORTS variable then 
> > you'll miss the traffic.  You might also want to ensure that your 
> > HOME_NET and EXTERNAL_NET variables are set correctly for the backend environment.
> >
> > 3)  The stream reassembly issue is something to think about, but most 
> > likely this is not a concern.  The load balancer installations I've 
> > seen pass a complete tcp session across to one server, so your back 
> > end sensor should still see what it needs to see.
> >
> > After all of that, I'd do a pcap on the snort sensor itself looking 
> > at the traffic.  This should answer most of the questions you have.
> >
> > Matt Olney
> >
> > On Wed, Sep 16, 2009 at 6:13 AM,  <Gregory.Brunn () compucom com> wrote:
> > > All,
> > >
> > > I am currently running into a problem with a sensor that is behind a 
> > > load balancer not triggering on alerts that our sensor in front of 
> > > load balancer is triggering on.
> > >
> > > I have been told by device owners that the load balancer does not 
> > > alter the traffic in anyway however I can not trust this information 
> > > because after doing a tcp dump the on both devices the amount of 
> > > traffic that the same crafted attack is doubled on the inside sensor.
> > >
> > > Also I have checked using tcp dump output in hex that the content of 
> > > what I am is coming through.
> > >
> > > Also this load balancer is trading the public ip to a private ip 
> > > custom port.
> > >
> > > I have double checked our snort configuration I have found nothing 
> > > that might flag why this is happening.
> > >
> > > I have double checked the rule and the specific rule and it has the 
> > > statement
> > >
> > > flow:to_server,established;
> > >
> > > My thought was that because the load balancer appears to be handling 
> > > the 3 way handshake and passing the traffic back to the private ips 
> > > the rule would never trigger so I wrote a customer rule and removed 
> > > this condition however the could not get the new rule to trigger.
> > >
> > > I wanted to see if anyone else was having this problem or is it 
> > > possible that the fact the load balancer is doubling the traffic 
> > > messing up the way snort reassembles packets.
> > >
> > > Any suggestions or help are greatly appreciated as I have spent a 
> > > lot of time on the issue.
> > >
> > > --------------------------------------------------------------------
> > > -
> > > -
> > > -------- Come build with us! The BlackBerry&reg; Developer 
> > > Conference in SF, CA is the only developer event you need to attend this year.
> > > Jumpstart your developing skills, take BlackBerry mobile 
> > > applications to market and stay ahead of the curve. Join us from 
> > > November 9&#45;12,
> >
> > > 2009. Register now&#33; http://p.sf.net/sfu/devconf 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > ---------------------------------------------------------------------
> > -
> > --
> > ------
> > Come build with us! The BlackBerry&reg; Developer Conference in SF, 
> > CA is the only developer event you need to attend this year. 
> > Jumpstart your developing skills, take BlackBerry mobile applications 
> > to market and stay ahead of the curve. Join us from November 9&#45;12, 2009.
> > Register now&#33; http://p.sf.net/sfu/devconf 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users





------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users