Snort mailing list archives

Re: snort black list issue


From: anton van der leun <anton () vanderleun com>
Date: Tue, 2 Aug 2016 19:48:21 +0200

Hello Hui,

Oh, that makes sense (DAQ BLACKLIST verdict), because that is what is happening according to the traces I have made:

Capture filter is: host == 5.157.87.137

I did some pings and some telnet to port 80 of that IP address.

I tried it several times, but what I saw was almost identical:

ICMPs are always blocked.

The first TCP SYN packet is always blocked.

EXAMPLE:

ICMP (never any answer):

No.     Time                       Source                Destination           Protocol Length Info
      1 2016-08-02 19:14:16.289571 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=1/256, ttl=64
      2 2016-08-02 19:14:17.288478 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=2/512, ttl=64
      3 2016-08-02 19:14:18.288477 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=3/768, ttl=64
      4 2016-08-02 19:14:19.288394 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=4/1024, ttl=64
      5 2016-08-02 19:14:20.288370 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=5/1280, ttl=64
      6 2016-08-02 19:14:21.288272 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=6/1536, ttl=64
      7 2016-08-02 19:14:22.288284 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=7/1792, ttl=64
      8 2016-08-02 19:14:23.288294 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=8/2048, ttl=64
      9 2016-08-02 19:14:24.288117 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=9/2304, ttl=64
     10 2016-08-02 19:14:25.288145 192.168.63.1          5.157.87.137          ICMP     98     Echo (ping) request  id=0x766c, seq=10/2560, ttl=64

 
TCP to port 80:
     11 2016-08-02 19:14:29.707089 192.168.63.1          5.157.87.137          TCP      74     50492 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2012244970 TSecr=0 WS=64
     12 2016-08-02 19:14:30.703724 192.168.63.1          5.157.87.137          TCP      74     50492 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2012245220 TSecr=0 WS=64
     13 2016-08-02 19:14:30.722023 5.157.87.137          192.168.63.1          TCP      76     http > 50492 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=2262270742 TSecr=2012245220 WS=128
     14 2016-08-02 19:14:30.722288 192.168.63.1          5.157.87.137          TCP      66     50492 > http [ACK] Seq=1 Ack=1 Win=14656 Len=0 TSval=2012245224 TSecr=2262270742
     15 2016-08-02 19:14:38.678712 192.168.63.1          5.157.87.137          TCP      66     50492 > http [FIN, ACK] Seq=1 Ack=1 Win=14656 Len=0 TSval=2012247213 TSecr=2262270742
     16 2016-08-02 19:14:38.698178 5.157.87.137          192.168.63.1          TCP      68     http > 50492 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=2262272736 TSecr=2012247213
     17 2016-08-02 19:14:38.698180 192.168.63.1          5.157.87.137          TCP      66     50492 > http [ACK] Seq=2 Ack=2 Win=14656 Len=0 TSval=2012247218 TSecr=2262272736

But your statement:

If DAQ does not support BLACKLIST verdict, it should drop the first packet. After that, packets in that session will be blocked by snort session preprocessor, not reputation.

Why is the session preprocessor not blocking? (Should it look at the normalized output and take a decision on this, or should it also look in the blacklist?)

I will dig into this to see if I can explain / solve this issue.

Many thanks again.
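
As an added example (not from anyone in this thread), a small script that reads a capture summary in the column layout shown above and classifies, per blacklisted address, whether enforcement looks session-wide (no probe ever answered, which is what a DAQ BLACKLIST verdict should produce) or first-packet-only (the pattern in the trace: first SYN unanswered, retransmitted SYN completed the handshake). The sample trace and the address 5.157.87.137 are taken from the message; the functions parse_trace and audit_blacklist and the enforcement labels are my own construction.

```python
import re
from collections import defaultdict
# Constructed packet summary in the tshark-style columns of the trace in the message
# above (No., time, src, dst, proto, length, info); 5.157.87.137 is the blacklisted IP.
TRACE = """\
1 19:14:16.289571 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=1/256, ttl=64
2 19:14:17.288478 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=2/512, ttl=64
11 19:14:29.707089 192.168.63.1 5.157.87.137 TCP 74 50492 > http [SYN] Seq=0 Win=14600 Len=0
12 19:14:30.703724 192.168.63.1 5.157.87.137 TCP 74 50492 > http [SYN] Seq=0 Win=14600 Len=0
13 19:14:30.722023 5.157.87.137 192.168.63.1 TCP 76 http > 50492 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
14 19:14:30.722288 192.168.63.1 5.157.87.137 TCP 66 50492 > http [ACK] Seq=1 Ack=1 Win=14656 Len=0
"""
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
TCP_RE = re.compile(r"^(\S+) > (\S+) \[([^\]]+)\]")

def parse_trace(text):
    """Yield (src, dst, proto, info) per packet line; the column header does not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(3), m.group(4), m.group(5), m.group(7)

def audit_blacklist(text, blacklisted):
    """Per blacklisted IP: 'session' if no probe was answered, 'first-packet' if only a
    retransmitted SYN got a SYN/ACK (the pattern above), 'none' if the first SYN was."""
    stats = defaultdict(lambda: {"icmp_req": 0, "icmp_reply": 0, "syn": 0, "synack": False})
    for src, dst, proto, info in parse_trace(text):
        peer = dst if dst in blacklisted else src if src in blacklisted else None
        if peer is None:
            continue
        s = stats[peer]
        if proto == "ICMP":
            if dst == peer and "request" in info:
                s["icmp_req"] += 1
            elif src == peer and "reply" in info:
                s["icmp_reply"] += 1
        elif proto == "TCP" and (m := TCP_RE.match(info)):
            flags = {f.strip() for f in m.group(3).split(",")}
            if dst == peer and flags == {"SYN"}:
                s["syn"] += 1  # unanswered SYNs accumulate here as retransmissions
            elif src == peer and flags == {"SYN", "ACK"}:
                s["synack"] = True  # the blacklisted host completed a handshake
    for s in stats.values():
        if not s["synack"] and s["icmp_reply"] == 0:
            s["enforcement"] = "session"
        elif s["syn"] > 1:
            s["enforcement"] = "first-packet"
        else:
            s["enforcement"] = "none"
    return dict(stats)
```

Running audit_blacklist(TRACE, {"5.157.87.137"}) on the sample yields "first-packet", matching the observation that only the retransmitted SYN got through; a capture from a DAQ that honours BLACKLIST should come back as "session".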





-----Original message-----
From: Hui cao <huica () cisco com>
Sent: Tuesday 2 August 2016 18:24
To: anton van der leun <anton () vanderleun com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () lists sourceforge net
Cc: Alexander van der Leun <alex () triple-t-services nl>
Subject: Re: AW: [Snort-users] snort black list issue

 
 Reputation preprocessor is called after session preprocessor. You can capture traffic for that session and look at what happened with that session. There is lots of other traffic.
 
 If the DAQ you use supports the BLACKLIST verdict, DAQ will block the whole session, so Snort will not receive those packets.
 If DAQ does not support the BLACKLIST verdict, it should drop the first packet. After that, packets in that session will be blocked by the Snort session preprocessor, not reputation.
 
 Best,
 Hui.
 
 
On 08/02/2016 11:26 AM, anton van der leun wrote:

Hi Hui,

Some more testing:
 
 Aug  2 17:33:04 snort73 snort[2834]: ===============================================================================
 Aug  2 17:33:04 snort73 snort[2834]: Reputation Preprocessor Statistics
 Aug  2 17:33:04 snort73 snort[2834]: Total Memory Allocated: 2257540
 Aug  2 17:33:04 snort73 snort[2834]: Number of packets blacklisted: 9
 Aug  2 17:33:04 snort73 snort[2834]: Number of packets whitelisted: 7698
 Aug  2 17:33:04 snort73 snort[2834]: =========================================================================
 
 telnet <ip blacklisted> 80  (succeeds)
 
 Aug  2 17:33:51 snort73 snort[2834]: ===============================================================================
 Aug  2 17:33:51 snort73 snort[2834]: Reputation Preprocessor Statistics
 Aug  2 17:33:51 snort73 snort[2834]: Total Memory Allocated: 2257540
 Aug  2 17:33:51 snort73 snort[2834]: Number of packets blacklisted: 10
 Aug  2 17:33:51 snort73 snort[2834]: Number of packets whitelisted: 7926
 Aug  2 17:33:51 snort73 snort[2834]: ===============================================================================
 
 With browser to same IP address  (succeeds)
 
 Aug  2 17:35:22 snort73 snort[2834]: ===============================================================================
 Aug  2 17:35:22 snort73 snort[2834]: Reputation Preprocessor Statistics
 Aug  2 17:35:22 snort73 snort[2834]: Total Memory Allocated: 2257540
 Aug  2 17:35:22 snort73 snort[2834]: Number of packets blacklisted: 22
 Aug  2 17:35:22 snort73 snort[2834]: Number of packets whitelisted: 8217
 Aug  2 17:35:22 snort73 snort[2834]: ===============================================================================
 
 So apparently there are some packets dropped, but not all...
 I can remember that when I was investigating this issue last weekend I saw a lot of retransmits.
 I will make a Wireshark trace via a monitor port to see what is going on here and will report the outcome to you later.
 
 In my opinion, I believed that the reputation preprocessor looks first at every packet and, if it is on the blacklist, it will be dropped without any further processing, but I think I am wrong on this?
 
 Thanks again,
 Anton
 
 -----Original message-----
 From: Hui cao <huica () cisco com>
 Sent: Tuesday 2 August 2016 16:42
 To: anton van der leun <anton () vanderleun com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () lists sourceforge net
 Cc: Alexander van der Leun <alex () triple-t-services nl>
 Subject: Re: AW: [Snort-users] snort black list issue
 
Hi Anton,

 You have packets that are whitelisted. Have you checked that neither IP is in the whitelist?
 
 Do you have this defined in your rule?
 
 drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )
 
 Best,
 Hui.
 
On 08/02/2016 10:21 AM, anton van der leun wrote:
 
 Reputation Preprocessor Statistics
 Total Memory Allocated: 2257540
 Number of packets blacklisted: 12
 Number of packets whitelisted: 333 
 
 
 