Snort mailing list archives

Re: help - React keyword use to display message on web browser


From: Amul Patel <amulpatel.biz () gmail com>
Date: Thu, 31 Mar 2016 18:41:48 +0530

Hello Team,

Looks like the flow:established; keyword is not triggering the rule.


drop tcp any any <> any any (msg:"Test_snort_react_msg";
flow:from_client,established;content:"GET";nocase; react:msg;sid:2; )

I think if the above rule works fine with the keyword
flow:from_client,established;content:"
then the issue should get resolved.

But snort is not treating the connection as established when the above rule is
written, and the curl command executes successfully without hitting the rule.

# curl google.co.in
<HTML><HEAD><meta http-equiv="content-type"
content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.co.in/";>here</A>.
</BODY></HTML>
#

Looks like the issue is with ";flow:from_client,established". Does anyone know how
snort knows that a connection is established?

Thanks,
Amul Patel



On Thu, Mar 31, 2016 at 3:10 PM, Amul Patel <amulpatel.biz () gmail com> wrote:

Hello Team,

After debugging I see that the if (p->packet_flags &
PKT_STREAM_EST) condition fails when I use NFQ with inline.

I see packet_flags is set to PKT_STREAM_UNEST_UNI in file
Stream6/stream_common.c instead of PKT_STREAM_EST, so the result is that the if
condition fails,
and the if condition if (p->packet_flags & PKT_STREAM_EST) in
detection-plugins/sp_react.c fails.

Why is PKT_STREAM_EST not set when the following rule is used?
drop tcp any any <> any any
(msg:"Test_snort_react_msg";content:"GET";nocase; react:msg;sid:2; )

Why does the following rule not hit when the GET keyword is used along with
flow:from_client,established;?
drop tcp any any <> any any
(msg:"Test_snort_react_msg";flow:from_client,established;content:"GET";nocase;
react:msg;sid:2; )

To test I just commented out the if condition, and I see it is working and sending
the message to the client.
But I still don't see it in the browser (it is received on the machine and can be seen
in wireshark), because in the response the source port is changed from 80 to
1 (tcpmux), hence the browser does not display the message (due to the wrong source port).
This workaround cannot be used.

Default HTML working logs for reference:

# curl google.co.in
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd";>
<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Access Denied</title>
</head>
<body>
<h1>Access Denied</h1>
<p>You are attempting to access a forbidden site.<br />Consult your system
administrator for details.</p>
</body>
</html>
#

Thanks,
Amul Patel

On Tue, Mar 29, 2016 at 6:54 PM, Amul Patel <amulpatel.biz () gmail com>
wrote:

Hi Albert,

Updates on --daq dump usage.

This is working only with the given TEST.pcap file, and I can see
inline-out.pcap, i.e. with the data source from the pcap file.

i.e. command - ./snort -c /etc/snort/TEST.conf --daq-dir=/usr/lib/daq -Q
--daq dump --daq-var load-mode=read-file -r /etc/snort/TEST.pcap -l. -k
none

But if I use --daq dump with NFQ in inline mode with TEST_snort.conf,
then the rule does not hit and I don't see any useful info, not even the wget
communication, in inline-out.pcap.

Please note that TEST.conf is the updated one, i.e. TEST_snort.conf, which I
modified accordingly.

The below command takes its input data source from NFQ and dumps inline-out.pcap.
The problem with this config is that communication is blocked in snort and
packets do not flow through snort.

I guess the mentioned command is correct to dump inline-out.pcap with the NFQ
data source in inline mode:

./snort -c /etc/snort/TEST.conf --daq-dir=/usr/lib/daq -Q --daq dump  -k
none

Thanks,
Amul Patel



On Tue, Mar 29, 2016 at 5:50 PM, Amul Patel <amulpatel.biz () gmail com>
wrote:

Hi Albert,

Attached is the TEST_snort.conf which I modified from the one you shared. I
have updated the conf for NFQ & other output plugins.
Since I am using a linux machine, I changed the policy to linux.

preprocessor stream5_tcp: \
    policy linux, \

Snort is dumping tcpdump logs to following location as configured in
conf file.
output log_tcpdump: /amul/snort_tcp_dump.pcap

rule :

alert tcp any any -> any any (msg:"Test_snort_react_msg";react:msg;sid:100000002; )

The following rule does not hit when I make an http request using wget.
alert tcp any any -> any any
(msg:"Test_snort_react_msg";flow:to_client,established;react:msg;sid:100000002; )


There are other rules in the conf file which are commented out for test purposes.

The following command is used to run snort:

/usr/bin/snort   -Q -k none -dev -c /etc/snort/TEST.conf

To test, I am downloading a test file with the wget command so that the snort rule
should be hit, and the rule is working as it is blocking the download.
If we change the rule then it also sends a tcp reset instead of connection
refused.

 amul# wget -O /dev/null http://cachefly.cachefly.net/1mb.test
Connecting to cachefly.cachefly.net (205.234.175.175:80)
wget: can't connect to remote host (205.234.175.175): Connection refused
amul#

alert.csv logs:
03/29-17:32:13.477947,1,100000002,0,"Test_snort_react_msg",TCP,10.10.10.131,55888,205.234.175.175,80,,,,******S*,0x2602A84B,0x0,,0x7210,64,0,62121,60,61440,,,,

snort_tcp_dump.pcap.1459253369 is the tcpdump created by snort (only the SYN
packet can be seen).

I am attaching another snippet, GetPacketNotSent.jpg, which is captured for
another react rule, and I see that the rule works fine as it blocks the wget, but
I don't see the HTTP GET frame (blocked by snort) in the tcpdump, which should be
there after the tcp connection, and it seems because of this the react response is
not working.
Rule used:
drop tcp any any -> any any
(msg:"Test_snort_react_msg";content:"GET";nocase;react: msg;sid:1; )

Hope this information will be useful to you.

Thanks,
Amul Patel
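An added example, not part of this thread: a small Python parser for the alert.csv line quoted above, with the default alert_csv field order assumed, that decodes Snort's 12UAPRSF flag string to show which handshake packet an alert fired on (here a bare SYN, which a flow:established rule can never match).

```python
import csv
import io

# Field order of Snort 2.x "output alert_csv" with the default field list
# (assumed here; if you named fields in your own output line, edit this).
CSV_FIELDS = [
    "timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
    "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
    "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
    "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq",
]

# Snort prints TCP flags as 8 characters in the order 12UAPRSF,
# with '*' standing for a clear bit.
FLAG_NAMES = ["RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]

# The alert.csv line from the thread, rejoined onto one line.
SAMPLE = ('03/29-17:32:13.477947,1,100000002,0,"Test_snort_react_msg",TCP,'
          '10.10.10.131,55888,205.234.175.175,80,,,,******S*,0x2602A84B,0x0,'
          ',0x7210,64,0,62121,60,61440,,,,\n')


def parse_alert_csv(text):
    """Parse alert_csv output into one dict per alert, keyed by CSV_FIELDS."""
    return [dict(zip(CSV_FIELDS, row))
            for row in csv.reader(io.StringIO(text)) if row]


def decode_tcpflags(flagstr):
    """Return the set of TCP flags that are set in a Snort 12UAPRSF string."""
    return {name for name, ch in zip(FLAG_NAMES, flagstr) if ch != "*"}


def handshake_stage(flags):
    """Say where in the TCP handshake a packet with these flags sits."""
    if flags == {"SYN"}:
        return "SYN"           # no session yet: flow:established cannot match
    if flags == {"SYN", "ACK"}:
        return "SYN/ACK"       # still inside the handshake
    if "ACK" in flags and "RST" not in flags:
        return "established"   # data or bare ACK after the handshake
    return "other"


def diagnose(text):
    """For each alert, report sid, endpoints and the handshake stage it hit."""
    out = []
    for a in parse_alert_csv(text):
        conn = a["src"] + ":" + a["srcport"] + "->" + a["dst"] + ":" + a["dstport"]
        out.append((a["sig_id"], conn, handshake_stage(decode_tcpflags(a["tcpflags"]))))
    return out


if __name__ == "__main__":
    for sid, conn, stage in diagnose(SAMPLE):
        print("sid %s %s fired on %s packet" % (sid, conn, stage))
```

Seeing only "SYN" for every hit is the quick check that stream5 never tracked the connection to the established state on the NFQ path.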

On Tue, Mar 29, 2016 at 4:02 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

If you are getting the page in the inline.out when using --daq dump and
not on your network, there may be something wrong with your
setup/configuration.



You may want to focus on getting an alert first if your rule doesn’t
work. Output to the console first then try writing to the logs, then to csv
etc..



If you can, please provide a sample pcap/conf that doesn’t work.



Thanks.



Albert Lewis

QA Software Engineer

SOURCE*fire*, Inc. now part of *Cisco*

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com



*From:* Amul Patel [mailto:amulpatel.biz () gmail com]
*Sent:* Tuesday, March 29, 2016 2:33 AM

*To:* Al Lewis (allewi)
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] help - React keyword use to display
message on web browser



Hi Albert,



I tried with inline mode but did not get success, and I never see the react
response in tcpdump.



I even used the given TEST.conf and updated it with my single rule.



If you have a setup, then can you please check once in inline mode and
block any content in a rule as I did in the given rule.

In this case do you get the react response?



Rule for reference: drop tcp any any -> any any (msg: "GET Packet
is not allowed";content:"GET";nocase;sid:1;react:msg;)



If I use the flow keyword with established as below, then the rule does not
hit at all.

I have configured csv output to check whether the rule hits or not, where I can see
the logs.



alert tcp any any -> any any
(msg:"PATEL";flow:to_server,established;content:"GET";nocase;react:msg;sid:1; )



It seems the rule needs to be changed, as the GET packet does not appear in the tcp
dump if we block GET content.



Thanks,

Amul Patel







On Mon, Mar 28, 2016 at 5:59 PM, Amul Patel <amulpatel.biz () gmail com>
wrote:

Thanks a lot Albert for providing samples to help me understand.



I used the given files & executed them on my system, and I can see the HTML
response in inline-out.pcap successfully.



Now I am trying to debug with my conf file with NFQ. I will keep you updated
on the same.



PS :



I was using the correct rule, but by mistake I pasted the rule which has a
comma. Thanks for informing.



I am using only the following correct rule.

drop tcp any any -> any any (msg: "GET Packet is not
allowed";content:"GET";nocase;classtype:inappropriate-content;sid:9787879;
*react:msg*)



On Mon, Mar 28, 2016 at 4:20 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

Sure.



Inline-out.pcap is attached as well as the example I used to get the
page to generate.



I ran it with:



./bin/snort -c etc/TEST.conf -Q --daq dump --daq-var
load-mode=read-file -r etc/TEST.pcap -l. -k none -q





Try this and see if you can get the page to generate.





Albert Lewis




*From:* Amul Patel [mailto:amulpatel.biz () gmail com]
*Sent:* Monday, March 28, 2016 3:32 AM
*To:* Al Lewis (allewi)
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] help - React keyword use to display
message on web browser



Thanks Albert, quick update:



I am using NFQ as the data packet source & already checked with a parallel tcpdump
command on the given interface and generated a .pcap file.



I opened the pcap in the wireshark tool but I did not see any packet related
to the message in the pcap file.

It seems snort is not sending the message.



Do you have any sample pcap file which shows the message being sent by
snort, for reference?



Thanks,

Amul Patel







On Fri, Mar 25, 2016 at 6:04 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

Hello,



Try running snort with “--daq dump --daq-var load-mode=read-file -Q” so
it will dump a file “inline-out.pcap”.



You can check that file to see if the page is being sent. That should
tell you if there is something wrong with the config or network related.







Albert Lewis




*From:* Amul Patel [mailto:amulpatel.biz () gmail com]
*Sent:* Friday, March 25, 2016 5:59 AM
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] help - React keyword use to display message
on web browser



Hello Team,



I need help with the use of the react keyword to display a message (default or user
defined) in the web browser.



I am using snort version 2.9.8.0 on a linux machine.



I have enabled the required configure options as
mentioned below:



./configure  --enable-active-response --enable-react --enable-flexresp3
\



I am executing snort in inline mode -



/usr/bin/snort -Q -k  none  -v -dev -c /etc/snort/snort.conf



Following is the rule I am using:



drop tcp any any -> any any (msg: "GET Packet is not
allowed";content:"GET";nocase;classtype:inappropriate-content;sid:9787879;react,msg)



It is blocking & logging the message in the csv log file, but does not send
the default message or the rule message to the browser.

Just a "connection reset" message is displayed in the web browser.



I even tried a lot of different options with different rules: changed the sid,
no msg keyword with react, snort in tap mode etc., but no option
works.



I checked the react.c file where the default HTTP & HTML page is declared, and
tried to understand the code as well to see if there is any bug there.



Can anyone help me out to display the message in the web browser?

Is any firewall rule also needed, or any other setting apart from
snort?





Thanks in advance,

Regards,

Amul Patel





--






* Thanks & Regards, Amul Patel 07875648886*




