Snort mailing list archives

Re: Fwd: Snort blocking connection but not logging the drop


From: Cody Brugh <cbrugh () gmail com>
Date: Mon, 12 May 2014 14:53:29 -0400

I just disabled the tcp normalize and cleaned up some pre-processors that
I don't need, however I am still being dropped when trying to connect to
the API with snort ON.  Attached are the stats from a quick run where I
tried to connect 4-5 times.  Let me know if you see something or other
suggestions.

Thanks,
Cody


On Mon, May 12, 2014 at 1:05 PM, Russ Combs (rucombs) <rucombs () cisco com> wrote:


 ------------------------------
*From:* Cody Brugh [cbrugh () gmail com]
*Sent:* Monday, May 12, 2014 12:53 PM

*To:* Russ Combs (rucombs)
*Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net
*Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
logging the drop

  What all is the normalizer used for?  Will turning it off make me
vulnerable?

* The normalizer does various scrubbing and blocking to improve
detection.  You need to assess your security position with or without it.
For details on the normalizer, check here:
http://manual.snort.org/node168.html.

 Just trying to understand what that mechanism does.

 Thanks,
Cody

On May 12, 2014, at 12:02 PM, "Russ Combs (rucombs)" <rucombs () cisco com>
wrote:

  The normalizer is blocking packets:

             tcp::block: 272

You can prevent that by commenting out the normalize_tcp line from your
conf.

You can debug it a little further by enabling all preprocessor rules by
adding / uncommenting them in your conf or by adding this to your conf:

    config autogenerate_preprocessor_decoder_rules

Then you should see why the normalizer is blocking.  When I do that with
the pcap you sent I see a bad TCP reset.

 ------------------------------
*From:* Cody Brugh [cbrugh () gmail com]
*Sent:* Monday, May 12, 2014 11:52 AM
*To:* Russ Combs (rucombs)
*Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net
*Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
logging the drop

  Attached is the shutdown stats.  Let me know what you find/suggest.

Thanks,
Cody


On Mon, May 12, 2014 at 11:41 AM, Russ Combs (rucombs) <rucombs () cisco com> wrote:


 ------------------------------
*From:* Cody Brugh [cbrugh () gmail com]
*Sent:* Monday, May 12, 2014 11:18 AM

*To:* Russ Combs (rucombs)
*Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net
*Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
logging the drop

   How do I gather those stats?  Are you looking for this?
http://manual.snort.org/node20.html

 * Not those.  Do a clean start, run your traffic, and then stop Snort or
give it a usr1 signal and check the output.  Check console or syslog
depending on how you run.

 Thanks,
Cody


On Mon, May 12, 2014 at 11:05 AM, Russ Combs (rucombs) <rucombs () cisco com> wrote:

 What are your shutdown / usr1 stats?  Do they show normalizer blocks?

 ------------------------------
*From:* Cody Brugh [cbrugh () gmail com]
*Sent:* Monday, May 12, 2014 10:29 AM
*To:* Russ Combs (rucombs)
*Cc:* Joel Esler (jesler); snort-devel () lists sourceforge net

*Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
logging the drop

   Can you confirm you received my PCAP file?  I would really like to
get this issue resolved so I can work with their API.

Let me know the status please.


On Fri, May 9, 2014 at 9:02 AM, Cody Brugh <cbrugh () gmail com> wrote:

 Attached is the pcap of the stamps.com packet capture... can someone
check and see what I should do?

 Thanks,
Cody


On Fri, May 9, 2014 at 8:19 AM, Russ Combs (rucombs) <rucombs () cisco com> wrote:


 ------------------------------
*From:* Joel Esler (jesler)
*Sent:* Thursday, May 08, 2014 8:51 PM
*To:* Cody Brugh
*Cc:* snort-devel () lists sourceforge net
*Subject:* Re: [Snort-devel] Fwd: Snort blocking connection but not
logging the drop

  Can you send your configuration file, and a packet capture of the
session?

 * Can you also send your usr1 / shutdown stats?


--
Joel Esler
Sent from my iPhone

On May 8, 2014, at 20:49, "Cody Brugh" <cbrugh () gmail com> wrote:

  Hi,

 Our dev team is trying to work with the stamps.com API; however, our
in-line snort box is blocking the return connection for unknown reasons.
When I turn off snort the connection flows perfectly.  Looking at snorby I
see no event of the connection being dropped.  I've included the command we
are running from an internal server that is behind the snort.  I also
included the tcpdump from this same server for the connection.

wget https://216.52.211.91/label/health.aspx
--2014-05-08 20:37:33--  https://216.52.211.91/label/health.aspx
Connecting to 216.52.211.91:443... connected.


20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq
3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869
ecr 3731400338], length 0
20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq
1, ack 1, win 8208, length 0
20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq
3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val
2824990923 ecr 0], length 0
20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq
361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale
3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack
1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0
20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack
1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139
20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack
140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length
1368
20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack
140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length
1368
20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack
2737, win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0

20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq
4233:4288, ack 140, win 534, length 55

 Any help or suggestions would be great. I would like to disable the
rule that is blocking this connection, but like I said I cannot see which
rule blocked it.

 Thanks.




 _______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!






Attachment: snort_stats.txt
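As an added example (not part of the thread and not Snort's own code), a Python script that does offline two of the checks the thread turns on: it parses the tcpdump lines Cody posted, re-joined one packet per line, and flags RST segments that carry payload, and it pulls non-zero `scope::counter` lines such as `tcp::block: 272` out of a shutdown/USR1 stats dump. The stats excerpt is constructed around the one line Russ quoted, and reading Russ's "bad TCP reset" as the data-bearing RST in the capture is an assumption.

```python
import re

# Constructed sample: the tcpdump lines quoted in the thread, re-joined one packet per line.
CAPTURE = """\
20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq 3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869 ecr 3731400338], length 0
20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq 1, ack 1, win 8208, length 0
20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq 3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2824990923 ecr 0], length 0
20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq 361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale 3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139
20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq 4233:4288, ack 140, win 534, length 55
"""

# Constructed stats excerpt (assumption) built around the one counter line quoted in the thread.
STATS = """\
Normalizer statistics:
             tcp::block: 272
             tcp::trim: 0
"""

PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?)?(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)$")

def parse_tcpdump(text):
    """Turn one-packet-per-line tcpdump output into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["length"] = int(d["length"])
            pkts.append(d)
    return pkts

def find_bad_resets(pkts):
    """(ts, src, dst, reason) for RST segments carrying data; a TCP normalizer strips such data."""
    return [(p["ts"], p["src"], p["dst"], f'RST carries {p["length"]} bytes of data')
            for p in pkts if "R" in p["flags"] and p["length"] > 0]

def normalizer_counters(stats_text):
    """Non-zero 'scope::counter: N' lines from a shutdown/USR1 stats dump, e.g. tcp::block."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(\w+::\w+):\s*(\d+)\s*$", stats_text, re.M)
            if int(m.group(2)) > 0}

if __name__ == "__main__":
    for hit in find_bad_resets(parse_tcpdump(CAPTURE)):
        print(*hit)
    print(normalizer_counters(STATS))
```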
