Snort mailing list archives

Re: Snort unable to drop packets in inline mode


From: James Lay <jlay () slave-tothe-box net>
Date: Sun, 22 Feb 2015 07:25:38 -0700

On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote:
Hi Snort-Experts,
I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit). Snort is
unable to drop packets, despite a drop alert being generated:
02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80


-> Following rule in snort.rules file is getting triggered for the
above alert log.
drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)

===============================================================================
Action Stats:
     Alerts:            7 (  1.118%)
     Logged:            7 (  1.118%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          231 ( 36.435%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          394 ( 62.145%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
Interestingly, Blacklist means getting
dropped/blocked/not-allowed-through/whatever you want to call it.  Case
in point below:

start line:
sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none

[ Number of patterns truncated to 20 bytes: 0 ]
afpacket DAQ configured to inline.
Acquiring network traffic from "eth1:eth2".
Reload thread starting...
Reload thread started, thread 0x7f383d236700 (3419)

        --== Initialization Complete ==--

snort rule:
drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)

wget from remote box:
[07:09:05 $] wget http://192.168.1.73/index.html
--2015-02-22 07:09:44--  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by
peer) in headers.
Retrying.

--2015-02-22 07:09:45--  (try: 2)  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by
peer) in headers.
Retrying.

--2015-02-22 07:09:47--  (try: 3)  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by
peer) in headers.
Retrying.

tshark on ips box:
 31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP 74
43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201101
TSecr=0 WS=128
 32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP 74
80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1
TSval=54730 TSecr=1201101 WS=16
 33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP 66
43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101 TSecr=54730
 34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73 HTTP 186
GET /index.html HTTP/1.1 
 35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP 66
80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731 TSecr=1201101
 36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP 54
43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
 37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP 74
43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201852
TSecr=0 WS=128
 38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP 74
80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1
TSval=55481 TSecr=1201852 WS=16
 39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP 66
43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852 TSecr=55481
 40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73 HTTP 186
GET /index.html HTTP/1.1 
 41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP 66
80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482 TSecr=1201852
 42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2  HTTP 557
HTTP/1.1 200 OK  (text/html)
 43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP 54
43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
 46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP 74
43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1202853
TSecr=0 WS=128
 47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP 74
80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1
TSval=56483 TSecr=1202853 WS=16
 48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP 66
43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853 TSecr=56483
 49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73 HTTP 186
GET /index.html HTTP/1.1 
 50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP 66
80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483 TSecr=1202854
 51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP 54
43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0

snort result using console:
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80

and lastly, snort stats after kill:
===============================================================================
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12                  <----------- injected RST I am guessing
===============================================================================

===============================================================================
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)

And there ya go.

James
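The check James walks through by hand above (Drop alerts on the console, then Block/Blacklist in the Verdicts table and the Injected counter in the end-of-run summary) can be scripted. The following is an added example, not code from the thread or from the Snort project: it parses Snort 2.9.x's summary blocks and console alert lines and reports whether `drop` is actually being enforced by the DAQ. The sample input is constructed from the numbers in James's reply; the "passive" variant with Blacklist zeroed is a constructed counter-case, and the per-flow reading of the Blacklist verdict is taken from the DAQ verdict definitions (BLOCK = this packet, BLACKLIST = this packet and the rest of its flow), not from anything the thread states.

```python
import re

# Constructed sample: Snort 2.9.x end-of-run summary, values copied from James's run.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12
===============================================================================
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================
"""

# Constructed sample: the three console alerts from the same run, one per line.
SAMPLE_ALERTS = """\
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80
"""

# Constructed counter-case (hypothetical): same alerts, but the DAQ never blocked anything.
PASSIVE_STATS = SAMPLE_STATS.replace("Blacklist:            7", "Blacklist:            0")

COUNTER_RE = re.compile(r"^([A-Za-z/ ]+?):\s+(\d+)")
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?P<action>\w+)\]\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)


def parse_counters(stats_text):
    """Return {section: {counter: int}} from Snort's end-of-run summary."""
    sections, current = {}, None
    for raw in stats_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.endswith(":"):           # "Verdicts:", "Packet I/O Totals:", ...
            current = line[:-1]
            sections[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip()] = int(m.group(2))
    return sections


def parse_alerts(alert_text):
    """Parse '-A console' lines into dicts; lines that do not match are skipped."""
    out = []
    for raw in alert_text.splitlines():
        m = ALERT_RE.match(raw.strip())
        if m:
            out.append(m.groupdict())
    return out


def diagnose(stats_text, alert_text):
    """Compare Drop alerts against the DAQ verdict counters."""
    sections = parse_counters(stats_text)
    verdicts = sections.get("Verdicts", {})
    io = sections.get("Packet I/O Totals", {})
    drops = [a for a in parse_alerts(alert_text) if a["action"] == "Drop"]
    report = {
        "drop_alerts": len(drops),
        "block": verdicts.get("Block", 0),
        "blacklist": verdicts.get("Blacklist", 0),
        "injected": io.get("Injected", 0),
        # "Dropped" under Packet I/O is capture loss, not packets blocked by rules.
        "capture_loss": io.get("Dropped", 0),
        "blocked_flows": sorted({(a["src"], a["dst"]) for a in drops}),
    }
    enforced = report["block"] + report["blacklist"] > 0
    if drops and not enforced:
        report["enforcing"] = False
        report["note"] = ("Drop alerts raised but no Block/Blacklist verdicts: check that "
                          "snort was started with -Q and the banner says the DAQ is inline")
    elif drops:
        report["enforcing"] = True
        report["note"] = ("drops enforced; Blacklist covers the matching packet and the rest "
                          "of its flow, so it can exceed the number of Drop alerts")
    else:
        report["enforcing"] = None
        report["note"] = "no Drop alerts in the input, nothing to check"
    return report


if __name__ == "__main__":
    for label, stats in (("inline run", SAMPLE_STATS), ("passive run", PASSIVE_STATS)):
        print(label, diagnose(stats, SAMPLE_ALERTS))
```

Feed it the console output and the summary Snort prints on exit; a run that shows Drop alerts with Block and Blacklist both at zero is the situation to investigate, while Blacklist greater than zero is the DAQ confirming the drops, which is the whole point of James's reply.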
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
