Snort mailing list archives
Re: Snort unable to drop packets in inline mode
From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 22 Feb 2015 07:25:38 -0700
On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote:
Hi Snort-Experts,

I am running Snort-2.9.7 on Ubuntu 14.04.1 LTS (64-bit). Snort is unable to drop packets, despite a drop alert being generated:

02/21-14:48:11.602240 [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80

The following rule in the snort.rules file is triggered for the above alert log:

drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)
===============================================================================
Action Stats:
     Alerts:            7 (  1.118%)
     Logged:            7 (  1.118%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          231 ( 36.435%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          394 ( 62.145%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Interestingly, Blacklist means getting dropped/blocked/not-allowed-through/whatever you want to call it. Case in point below:

start line:
sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none

[ Number of patterns truncated to 20 bytes: 0 ]
afpacket DAQ configured to inline.
Acquiring network traffic from "eth1:eth2".
Reload thread starting...
Reload thread started, thread 0x7f383d236700 (3419)

        --== Initialization Complete ==--

snort rule:
drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)

wget from remote box:
[07:09:05 $] wget http://192.168.1.73/index.html
--2015-02-22 07:09:44-- http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2015-02-22 07:09:45-- (try: 2) http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2015-02-22 07:09:47-- (try: 3) http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

tshark on ips box:
 31 2015-02-22 07:09:46.143340 192.168.1.2 -> 192.168.1.73 TCP 74 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201101 TSecr=0 WS=128
 32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2 TCP 74 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=54730 TSecr=1201101 WS=16
 33 2015-02-22 07:09:46.144245 192.168.1.2 -> 192.168.1.73 TCP 66 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101 TSecr=54730
 34 2015-02-22 07:09:46.145281 192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
 35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2 TCP 66 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731 TSecr=1201101
 36 2015-02-22 07:09:46.145893 192.168.1.2 -> 192.168.1.73 TCP 54 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
 37 2015-02-22 07:09:49.147339 192.168.1.2 -> 192.168.1.73 TCP 74 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201852 TSecr=0 WS=128
 38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2 TCP 74 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=55481 TSecr=1201852 WS=16
 39 2015-02-22 07:09:49.148246 192.168.1.2 -> 192.168.1.73 TCP 66 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852 TSecr=55481
 40 2015-02-22 07:09:49.149275 192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
 41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2 TCP 66 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482 TSecr=1201852
 42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2 HTTP 557 HTTP/1.1 200 OK (text/html)
 43 2015-02-22 07:09:49.151366 192.168.1.2 -> 192.168.1.73 TCP 54 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
 46 2015-02-22 07:09:53.153356 192.168.1.2 -> 192.168.1.73 TCP 74 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1202853 TSecr=0 WS=128
 47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2 TCP 74 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=56483 TSecr=1202853 WS=16
 48 2015-02-22 07:09:53.154244 192.168.1.2 -> 192.168.1.73 TCP 66 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853 TSecr=56483
 49 2015-02-22 07:09:53.155285 192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
 50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2 TCP 66 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483 TSecr=1202854
 51 2015-02-22 07:09:53.155921 192.168.1.2 -> 192.168.1.73 TCP 54 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0

snort result using console:
02/22-07:09:46.145218 [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219 [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
02/22-07:09:53.155221 [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80

and lastly, snort stats after kill:
===============================================================================
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12   <----------- injected RST I am guessing
===============================================================================
===============================================================================
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)

And there ya go.

James
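A small check, added here and not part of the thread or of Snort itself, that parses the "Verdicts:" block and the console [Drop] alert lines in the format shown above and reports whether the sensor is actually enforcing its drop rules: as James points out, the afpacket inline verdict for a dropped flow is counted under Blacklist, not Block, so a sensor that emits [Drop] alerts with zero Block and zero Blacklist verdicts is alerting only. The sample stats and alert lines are constructed from the thread's own output.

```python
import re

# Constructed sample input: the Verdicts block from the first post and two
# [Drop] alert lines quoted in the thread.
SAMPLE_STATS = """\
Verdicts:
      Allow:          231 ( 36.435%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          394 ( 62.145%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
"""
SAMPLE_ALERTS = """\
02/21-14:48:11.602240 [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80
02/22-07:09:46.145218 [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
"""

# One "<name>: <count>" line per verdict in Snort's Action Stats output.
VERDICT_RE = re.compile(
    r"^\s*(Allow|Block|Replace|Whitelist|Blacklist|Ignore|Retry):\s+(\d+)", re.M)
# Console/fast alert: "<timestamp> [<action>] [**] [gid:sid:rev] <msg> [**] ..."
ALERT_RE = re.compile(r"^\S+ \[(\w+)\] \[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

def parse_verdicts(text):
    """Return {verdict_name: count} from the 'Verdicts:' section."""
    return {name: int(count) for name, count in VERDICT_RE.findall(text)}

def parse_alerts(text):
    """Return (action, sid, msg) for every alert line that matches the format."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(3)), m.group(5)))
    return out

def enforcement_report(stats_text, alert_text):
    """Correlate [Drop] alerts with blocking verdicts (Block + Blacklist)."""
    verdicts = parse_verdicts(stats_text)
    drops = [a for a in parse_alerts(alert_text) if a[0] == "Drop"]
    blocked = verdicts.get("Block", 0) + verdicts.get("Blacklist", 0)
    if not drops:
        status = "idle"            # no drop rule fired; nothing to enforce
    elif blocked > 0:
        status = "blocking"        # drops are being applied on the wire
    else:
        status = "alerting_only"   # drop rules fire but no flow is blocked
    return {"drop_alerts": len(drops), "blocked_verdicts": blocked, "status": status}
```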