Snort mailing list archives

preprocessor normalize_tcp: ips ecn stream dropping SYN retransmission


From: Amm Snort <ammdispose-snort () yahoo com>
Date: Wed, 8 Aug 2012 20:18:15 +0800 (SGT)

Hello all,

I am using snort 2.9.2.3 in inline (NFQUEUE) mode and kernel 3.4.6-1.fc16.x86_64 on Fedora 16.


Everything works fine. Snort also records alerts.

I am using normalize_tcp as follows:

     preprocessor normalize_tcp: ips ecn stream



I am noticing a peculiar problem.

If, for some reason, the first SYN packet is lost, then snort drops all following retry-SYN packets.

I could track this using tshark (monitoring port 80) and my own web server somewhere on the internet.

I ran the following test to find out the issue:


1) Enable normalize_tcp as above and restart snort

2) Add a DROP rule on the webserver for port 80, i.e. it should not respond to packets on port 80.
    This indirectly imitates a packet loss.
3) telnet webserver 80
4) Monitor tshark
5) tshark shows just one SYN packet, whereas in general it should resend the SYN every 1, 4 and 8 seconds

6) Now comment out (disable) the normalize_tcp rule and restart snort
7) telnet webserver 80
8) Monitor tshark
9) This time tshark shows repeated SYN packets (which is as expected)


So here I have faked the packet loss, but in a real situation, if the first SYN packet is lost
due to some network problem, then snort never allows the next SYN packet (the retried SYN) to be sent.

And hence that connection eventually times out.

This is true for all ports, not just 80. Port 80 I have just taken as an example.
It also causes database connection timeouts and POP server timeouts in case the first SYN was dropped.


I believe "normalize_tcp" drops retry-SYNs because they do not match the first SYN packet.

So is there any workaround for this? Or am I missing a configuration directive?


Please do let me know,

Thanks in advance.

Amm Snort.
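An added checker, not part of the original post and not Snort code, that scans tshark-style summary lines for the symptom the post describes: a connection attempt that shows a single SYN, no SYN/ACK from the server, and no retransmitted SYN even though one was due. The line format and the sample lines are constructed and simplified (real tshark summary output carries extra columns, so the regex would need adjusting for it); the 3-second window assumes the 1-second first retransmit the post mentions.

```python
import re
from collections import defaultdict

# Constructed, simplified tshark-style summary lines (not a real capture):
# one client, four attempts to a web server that never answers port 80.
SAMPLE_TSHARK = """\
1.000 10.0.0.5 -> 203.0.113.10 TCP 74 45020 > 80 [SYN] Seq=0
2.000 10.0.0.5 -> 203.0.113.10 TCP 74 45020 > 80 [SYN] Seq=0
4.000 10.0.0.5 -> 203.0.113.10 TCP 74 45020 > 80 [SYN] Seq=0
9.000 10.0.0.5 -> 203.0.113.10 TCP 74 45021 > 80 [SYN] Seq=0
9.050 203.0.113.10 -> 10.0.0.5 TCP 74 80 > 45021 [SYN, ACK] Seq=0 Ack=1
12.000 10.0.0.5 -> 203.0.113.10 TCP 74 45022 > 80 [SYN] Seq=0
20.000 10.0.0.5 -> 203.0.113.10 TCP 74 45023 > 80 [SYN] Seq=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) -> (?P<dst>\S+) TCP \d+ "
    r"(?P<sport>\d+) > (?P<dport>\d+) \[(?P<flags>[^\]]+)\]"
)


def summarise_handshakes(text):
    """Map client 4-tuple -> {"syns": [timestamps], "synack": bool}."""
    flows = defaultdict(lambda: {"syns": [], "synack": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP summary line we understand
        flags = {f.strip() for f in m["flags"].split(",")}
        if flags == {"SYN"}:
            key = (m["src"], m["sport"], m["dst"], m["dport"])
            flows[key]["syns"].append(float(m["ts"]))
        elif flags == {"SYN", "ACK"}:
            # server reply: key by the client side so it joins its SYN
            key = (m["dst"], m["dport"], m["src"], m["sport"])
            flows[key]["synack"] = True
    return dict(flows)


def lone_syns(text, window=3.0):
    """Client 4-tuples with one SYN, no SYN/ACK, and a SYN older than
    `window` seconds at capture end: a retransmit was due but never seen."""
    flows = summarise_handshakes(text)
    end = max((t for f in flows.values() for t in f["syns"]), default=0.0)
    return sorted(k for k, f in flows.items()
                  if len(f["syns"]) == 1 and not f["synack"]
                  and end - f["syns"][0] >= window)
```

In the sample, port 45020 retransmits normally, 45021 is answered, 45023 is too recent to judge, and only 45022 is reported as a lone SYN.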

