Snort mailing list archives

Re: Snort unable to drop packets in inline mode


From: Rishabh Shah <rishabh420 () gmail com>
Date: Wed, 25 Feb 2015 09:58:23 +0530

Hi Lewis,

I did a packet capture on both the interfaces, as well as on the Windows
PC (to which the RST was destined), but there was no RST captured
anywhere. Only inline-out.pcap showed a TCP RST.

Thanks,
Rishabh.

On Wed, Feb 25, 2015 at 12:27 AM, Al Lewis (allewi) <allewi () cisco com>
wrote:

If you see the resets being sent in the “inline-out”, most likely they
are being injected onto the wire …



Try running the capture setup to only catch reset packets



Hope this helps.



Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com



From: Rishabh Shah [mailto:rishabh420 () gmail com]
Sent: Tuesday, February 24, 2015 8:57 AM
To: Al Lewis (allewi)
Cc: James Lay; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort unable to drop packets in inline mode



Hi Lewis/James,

I have finally got it working after making some changes in the interface
configuration.

Non-working scenario:

PC(IP-1)----------(IP-2)Ubuntu(Snort)(IP-3)-----------(IP-4)Linux(gw)--------------Internet

In this case, I had assigned IP addresses to both the interfaces of Ubuntu,
such that IP-1 & IP-2 are in the same network. It seems snort didn't make
the bridge correctly.

@Lewis: FYI, --daq dump showed the TCP RST. But when I did a packet
capture, it didn't send it to either of the interfaces, which seemed very
strange to me (a bug?).

Working scenario:

PC(IP-1)----------Ubuntu(Snort)-----------(IP-2)Linux(gw)--------------Internet

I issued: ifconfig eth1 0.0.0.0 and ifconfig eth2 0.0.0.0. Also, I put
Linux gw(IP-2) and PC(IP-1) in the same network.

Thanks for all your time and help!



On Mon, Feb 23, 2015 at 5:46 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

Also.. run snort with the “--daq dump” switch. That should dump a pcap
named “inline-out.pcap” of the traffic that was seen/processed. You can
look at that pcap and see if the traffic is being dropped there or not.



Albert Lewis

QA Software Engineer

SOURCEfire, Inc. now part of Cisco

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com



From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Sunday, February 22, 2015 2:13 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort unable to drop packets in inline mode



Ok....imma top post just because.  Here's what I have on my end that's
working:


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights
reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

config line (pfring lines won't be relevant for you I am guessing):
./configure --enable-non-ether-decoders --enable-sourcefire
--enable-shared-rep --enable-control-socket
--with-libpcap-includes=/opt/pfring/include
--with-libpcap-libraries=/opt/pfring/lib
--with-libpfring-includes=/opt/pfring/include
--with-libpfring-libraries=/opt/pfring/lib --enable-open-appid

I can't imagine that this would make a difference, but per the README in
the daq src:

AFPACKET Module
===============

afpacket functions similar to the pcap DAQ but with better performance:

    ./snort --daq afpacket -i <device>
            [--daq-var buffer_size_mb=<#MB>]
            [--daq-var debug]

If you want to run afpacket in inline mode, you must craft the device
string as
one or more interface pairs, where each member of a pair is separated by a
single colon and each pair is separated by a double colon like this:

I do see in your start that you specify interfaces first, then afpacket
second, so reverse that to:

sudo snort -c /etc/snort/snort.conf -Q --daq afpacket -i eth1:eth0 -k none
-A fast

I would also try --daq-var debug if you still get things allowed after
trying the above.  This test box is Ubuntu 14.04.2 LTS, so we are pretty
much running the same thing.  Lastly, although seeing the wget session
helps, try and get an actual packet capture...it will help.

James

On Sun, 2015-02-22 at 23:02 +0530, Rishabh Shah wrote:

Hi James,

Yes, I do have a capture on my Windows 7 PC which is sitting behind
Snort (Linux).

-> Snort command used:
snort -c /etc/snort/snort.conf -Q -i eth1:eth0 --daq afpacket -k none -A fast

-> Traffic from Windows 7 PC:
%wget cnn.com
--2015-02-22 22:54:36--  http://cnn.com/
Resolving cnn.com (cnn.com)... 157.166.226.26, 157.166.226.25
Connecting to cnn.com (cnn.com)|157.166.226.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.cnn.com/ [following]
--2015-02-22 22:54:37--  http://www.cnn.com/
Resolving www.cnn.com (www.cnn.com)... 103.245.222.185
Connecting to www.cnn.com (www.cnn.com)|103.245.222.185|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://edition.cnn.com/ [following]
--2015-02-22 22:54:38--  http://edition.cnn.com/
Resolving edition.cnn.com (edition.cnn.com)... 103.245.222.185
Reusing existing connection to www.cnn.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 214393 (209K) [text/html]
Saving to: ‘index.html.6’

100%[================================================================================>] 214,393      321KB/s   in 0.7s

2015-02-22 22:54:39 (321 KB/s) - ‘index.html.6’ saved [214393/214393]

Alert on Snort:
02/22-22:54:36.628789  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:54980 -> 103.245.222.185:80







 On Sun, Feb 22, 2015 at 9:29 PM, James Lay <jlay () slave-tothe-box net>
wrote:

 On Sun, 2015-02-22 at 20:47 +0530, Rishabh Shah wrote:

Hi James,


Thanks for looking into this. In your case, the HTTP request is getting
blocked by snort. But the same is not happening in my case. Any other
command output that could help you figure out this issue?

On Sun, Feb 22, 2015 at 7:55 PM, James Lay <jlay () slave-tothe-box net>
wrote:

On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote:

Hi Snort-Experts,


I am running Snort-2.9.7 on Ubuntu 14.04.1 LTS (64-bit). Snort is unable
to drop packets, despite a drop alert being generated:
02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 192.168.10.1:53013 -> 157.166.226.25:80

The following rule in the snort.rules file is being triggered for the above
alert:
drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)





===============================================================================
Action Stats:
     Alerts:            7 (  1.118%)
     Logged:            7 (  1.118%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          231 ( 36.435%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          394 ( 62.145%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)

===============================================================================


Interestingly, Blacklist means getting
dropped/blocked/not-allowed-through/whatever you want to call it.  Case in
point below:

start line:
sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none

[ Number of patterns truncated to 20 bytes: 0 ]
afpacket DAQ configured to inline.
Acquiring network traffic from "eth1:eth2".
Reload thread starting...
Reload thread started, thread 0x7f383d236700 (3419)

        --== Initialization Complete ==--

snort rule:
drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get";
content:"index"; http_uri; sid:1000003; rev:1;)

wget from remote box:
[07:09:05 $] wget http://192.168.1.73/index.html
--2015-02-22 07:09:44--  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by
peer) in headers.
Retrying.

--2015-02-22 07:09:45--  (try: 2)  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by
peer) in headers.
Retrying.

--2015-02-22 07:09:47--  (try: 3)  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by
peer) in headers.
Retrying.

tshark on ips box:
31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP 74 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201101 TSecr=0 WS=128
32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP 74 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=54730 TSecr=1201101 WS=16
33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP 66 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201101 TSecr=54730
34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP 66 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=54731 TSecr=1201101
36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP 54 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP 74 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1201852 TSecr=0 WS=128
38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP 74 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=55481 TSecr=1201852 WS=16
39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP 66 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1201852 TSecr=55481
40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP 66 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=55482 TSecr=1201852
42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2  HTTP 557 HTTP/1.1 200 OK  (text/html)
43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP 54 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP 74 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1202853 TSecr=0 WS=128
47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP 74 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=56483 TSecr=1202853 WS=16
48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP 66 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1202853 TSecr=56483
49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP 66 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 TSval=56483 TSecr=1202854
51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP 54 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0

snort result using console:
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80

and lastly, snort stats after kill:

===============================================================================
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12                  <----------- injected RST I am
guessing

===============================================================================


===============================================================================
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)

And there ya go.

James


------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE

http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!





--
Regards,
Rishabh Shah.






  Rishabh,

How are you confirming that this isn't getting
dropped/blocked/blacklisted?  Do you have a capture, or can you capture on
the IPS to see what the traffic is looking like?

James








 --

 Regards,

 Rishabh Shah.













--

Regards,

Rishabh Shah.




-- 
Regards,
Rishabh Shah.
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
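Two practical questions run through the thread: does the afpacket command line actually put Snort inline (the -Q switch and the ifA:ifB pair syntax quoted from the DAQ README), and how should the exit summary (Blacklist verdicts, the Injected counter) be read against the [Drop] alerts. The script below is an added example, not code from the thread or from the Snort project. It takes the set of inline-capable DAQ modules from the --daq-list output James posted, treats the Injected counter as packets Snort itself put on the wire (James's guess, and an assumption here too), uses a standard BPF filter for the resets-only capture Al Lewis suggested, and runs on constructed sample input modelled on the numbers James posted.

```python
"""Sanity checks for a Snort 2.9 afpacket inline deployment.

Added example, not from the thread or the Snort project: validates the
snort command line, parses the exit summary and fast-alert lines, and
cross-checks the counters against the [Drop] alerts.
"""
import re
import shlex

# DAQ modules that listed the 'inline' capability in the posted --daq-list.
INLINE_DAQS = {"afpacket", "nfq", "ipfw", "dump"}

SECTION_RE = re.compile(r"^\s*([A-Za-z /]+):\s*$")
COUNTER_RE = re.compile(r"^\s*\*?\s*([A-Za-z]+):\s+(\d+)")
ALERT_RE = re.compile(
    r"^\S+\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

# Constructed exit summary, modelled on the numbers posted in the thread.
SAMPLE_SUMMARY = """\
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
   Injected:           12
===============================================================================
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
Limits:
      Match:            0
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
"""

# Constructed -A console output, modelled on the alerts posted in the thread.
SAMPLE_ALERTS = """\
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43815 -> 192.168.1.73:80
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43817 -> 192.168.1.73:80
02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 192.168.1.2:43818 -> 192.168.1.73:80
"""


def _opt_value(argv, flag):
    """Value following an exact option flag, or None if the flag is absent."""
    for i, arg in enumerate(argv[:-1]):
        if arg == flag:
            return argv[i + 1]
    return None


def check_inline_cmdline(cmdline):
    """Return the problems found in a snort command line (empty list == OK)."""
    argv = shlex.split(cmdline)
    problems = []
    if "-Q" not in argv:
        problems.append("missing -Q: drop rules will only alert, not block")
    daq = _opt_value(argv, "--daq")
    if daq is None:
        problems.append("no --daq given")
    elif daq not in INLINE_DAQS:
        problems.append("DAQ %r is not inline-capable" % daq)
    iface = _opt_value(argv, "-i")
    if iface is None:
        problems.append("no -i given")
    elif daq == "afpacket":
        # README rule: pairs joined by '::', each pair written ifA:ifB.
        for pair in iface.split("::"):
            names = pair.split(":")
            if len(names) != 2 or not all(names):
                problems.append("afpacket inline needs ifA:ifB pairs, got %r" % pair)
    return problems


def parse_summary(text):
    """Parse Snort's exit summary into {section: {counter: int}}."""
    stats, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            stats.setdefault(section, {})
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            stats[section][m.group(1)] = int(m.group(2))
    return stats


def parse_alerts(text):
    """Parse -A fast / -A console alert lines into dicts (action may be None)."""
    matches = (ALERT_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def assess(stats, alerts):
    """Cross-check counters against alerts; returns a list of findings."""
    drops = [a for a in alerts if a["action"] == "Drop"]
    verdicts = stats.get("Verdicts", {})
    io = stats.get("Packet I/O Totals", {})
    findings = []
    if drops and verdicts.get("Blacklist", 0) == 0:
        findings.append("%d [Drop] alerts but 0 Blacklist verdicts: "
                        "snort is not enforcing (not inline)" % len(drops))
    if verdicts.get("Blacklist", 0) and io.get("Injected") == 0:
        # Assumption: 'Injected' counts packets Snort itself put on the wire
        # (active-response resets); 0 means matching flows drop silently.
        findings.append("Blacklist verdicts issued but Injected is 0: "
                        "flows are dropped silently, no resets sent")
    return findings


def rst_capture_command(iface):
    """tcpdump invocation that records only TCP resets on one sensor interface."""
    return "tcpdump -ni %s -w rst.pcap 'tcp[tcpflags] & tcp-rst != 0'" % iface


if __name__ == "__main__":
    print(check_inline_cmdline("snort -c snort.conf -Q -i eth1:eth0 --daq afpacket"))
    print(assess(parse_summary(SAMPLE_SUMMARY), parse_alerts(SAMPLE_ALERTS)))
    print(rst_capture_command("eth1"))
```

The counters only show that verdicts were issued. Rishabh's non-working setup had 394 Blacklist verdicts while the wget still completed, so a capture on the far side of the sensor (the tcpdump line above, run on the outbound interface or on the protected host) remains the deciding check.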
