Snort mailing list archives
Re: snort black list issue
From: anton van der leun <anton () vanderleun com>
Date: Tue, 2 Aug 2016 19:48:21 +0200
Hello Hui,

Oh, that makes sense (DAQ BLACKLIST verdict), because that is what is happening according to the traces I have made. Capture filter is: host == 5.157.87.137. I did some pings and some telnet to port 80 of that IP address. I tried it several times, but what I saw was almost identical: ICMPs are always blocked, and the first TCP SYN packet is always blocked.

EXAMPLE:

ICMP (always no answer):

No. Time Source Destination Protocol Length Info
1 2016-08-02 19:14:16.289571 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=1/256, ttl=64
2 2016-08-02 19:14:17.288478 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=2/512, ttl=64
3 2016-08-02 19:14:18.288477 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=3/768, ttl=64
4 2016-08-02 19:14:19.288394 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=4/1024, ttl=64
5 2016-08-02 19:14:20.288370 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=5/1280, ttl=64
6 2016-08-02 19:14:21.288272 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=6/1536, ttl=64
7 2016-08-02 19:14:22.288284 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=7/1792, ttl=64
8 2016-08-02 19:14:23.288294 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=8/2048, ttl=64
9 2016-08-02 19:14:24.288117 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=9/2304, ttl=64
10 2016-08-02 19:14:25.288145 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=10/2560, ttl=64

TCP to port 80:

11 2016-08-02 19:14:29.707089 192.168.63.1 5.157.87.137 TCP 74 50492 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2012244970 TSecr=0 WS=64
12 2016-08-02 19:14:30.703724 192.168.63.1 5.157.87.137 TCP 74 50492 > http [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2012245220 TSecr=0 WS=64
13 2016-08-02 19:14:30.722023 5.157.87.137 192.168.63.1 TCP 76 http > 50492 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=2262270742 TSecr=2012245220 WS=128
14 2016-08-02 19:14:30.722288 192.168.63.1 5.157.87.137 TCP 66 50492 > http [ACK] Seq=1 Ack=1 Win=14656 Len=0 TSval=2012245224 TSecr=2262270742
15 2016-08-02 19:14:38.678712 192.168.63.1 5.157.87.137 TCP 66 50492 > http [FIN, ACK] Seq=1 Ack=1 Win=14656 Len=0 TSval=2012247213 TSecr=2262270742
16 2016-08-02 19:14:38.698178 5.157.87.137 192.168.63.1 TCP 68 http > 50492 [FIN, ACK] Seq=1 Ack=2 Win=29056 Len=0 TSval=2262272736 TSecr=2012247213
17 2016-08-02 19:14:38.698180 192.168.63.1 5.157.87.137 TCP 66 50492 > http [ACK] Seq=2 Ack=2 Win=14656 Len=0 TSval=2012247218 TSecr=2262272736

But your statement: "If DAQ does not support BLACKLIST verdict, it should drop the first packet. After that, packets in that session will be blocked by snort session preprocessor, not reputation."

Why is the session preprocessor not blocking? (Should it look at the normalized output and take a decision on this, or should it also look in the blacklist?) I will dig into this to see if I can explain / solve this issue.

Many thanks again.

-----Original message-----
From: Hui cao <huica () cisco com>
Sent: Tuesday 2 August 2016 18:24
To: anton van der leun <anton () vanderleun com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () lists sourceforge net
Cc: Alexander van der Leun <alex () triple-t-services nl>
Subject: Re: AW: [Snort-users] snort black list issue

Reputation preprocessor is called after session preprocessor. You can capture traffic for that session and look at what happened with that session. There is lots of other traffic.

If the DAQ you used supports BLACKLIST verdict, DAQ will block the whole session, so snort will not receive those packets. If DAQ does not support BLACKLIST verdict, it should drop the first packet. After that, packets in that session will be blocked by snort session preprocessor, not reputation.

Best,
Hui.

On 08/02/2016 11:26 AM, anton van der leun wrote:

Hi Hui,

Some more testing:

Aug 2 17:33:04 snort73 snort[2834]: ===============================================================================
Aug 2 17:33:04 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug 2 17:33:04 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug 2 17:33:04 snort73 snort[2834]: Number of packets blacklisted: 9
Aug 2 17:33:04 snort73 snort[2834]: Number of packets whitelisted: 7698
Aug 2 17:33:04 snort73 snort[2834]: ===============================================================================

telnet <ip blacklisted> 80 (succeeds)

Aug 2 17:33:51 snort73 snort[2834]: ===============================================================================
Aug 2 17:33:51 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug 2 17:33:51 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug 2 17:33:51 snort73 snort[2834]: Number of packets blacklisted: 10
Aug 2 17:33:51 snort73 snort[2834]: Number of packets whitelisted: 7926
Aug 2 17:33:51 snort73 snort[2834]: ===============================================================================

with browser to same IP address (succeeds)

Aug 2 17:35:22 snort73 snort[2834]: ===============================================================================
Aug 2 17:35:22 snort73 snort[2834]: Reputation Preprocessor Statistics
Aug 2 17:35:22 snort73 snort[2834]: Total Memory Allocated: 2257540
Aug 2 17:35:22 snort73 snort[2834]: Number of packets blacklisted: 22
Aug 2 17:35:22 snort73 snort[2834]: Number of packets whitelisted: 8217
Aug 2 17:35:22 snort73 snort[2834]: ===============================================================================

So apparently there are some packets dropped, but not all... I can remember that when I was investigating this issue last weekend I saw a lot of retransmits. I will make a Wireshark trace via a monitor port to see what is going on here and will report the outcome to you later.

In my opinion I believed that the reputation preprocessor looks first at every packet and, if it is on the blacklist, it will be dropped without any further processing, but I think I am wrong on this?

Thanks again,
anton

-----Original message-----
From: Hui cao <huica () cisco com>
Sent: Tuesday 2 August 2016 16:42
To: anton van der leun <anton () vanderleun com>; Anton van der Leun <anton () triple-t-services nl>; snort-users () lists sourceforge net
Cc: Alexander van der Leun <alex () triple-t-services nl>
Subject: Re: AW: [Snort-users] snort black list issue

Hi Anton,

You have packets that are whitelisted. Have you checked that either IP is not in whitelist? Do you have this defined in your rule?

drop ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; )

Best,
Hui.

On 08/02/2016 10:21 AM, anton van der leun wrote:

Reputation Preprocessor Statistics
Total Memory Allocated: 2257540
Number of packets blacklisted: 12
Number of packets whitelisted: 333
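The pattern in the trace above (pings never answered, first SYN never answered, the retransmitted SYN completing the handshake) is the signature of a sensor that drops individual packets but does not block the session. The script below is an added example, not code from this thread or from Snort: it parses a Wireshark text export in the same column layout (No. Time Source Destination Protocol Length Info) and reports, for one blacklisted host, whether it was fully blocked, leaked on the SYN retransmit, or not blocked at all. The sample traces are constructed (the first mirrors the shape of the posted one), the service-name table is an assumption, and a "retransmit" is inferred simply from a second pure SYN on the same 4-tuple.

```python
"""Added example (not from the thread or from Snort): classify how an inline
sensor treats traffic to a blacklisted host, from a Wireshark text export in
the column layout: No. Time Source Destination Protocol Length Info."""
import re

# Service names Wireshark substitutes for well-known ports (assumed list).
PORT_NAMES = {"http": 80, "https": 443, "telnet": 23, "ssh": 22}

LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
TCP_RE = re.compile(r"^(\S+)\s+>\s+(\S+)\s+\[([^\]]*)\]")


def _port(tok):
    """Numeric port, or the number for a known service name, else the raw name."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok, tok)


def parse_trace(text):
    """Return (src, dst, proto, info) per packet line; header/blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _num, _ts, src, dst, proto, _len, info = m.groups()
            pkts.append((src, dst, proto, info))
    return pkts


def classify(pkts, blacklisted):
    """Count probes and answers involving `blacklisted` and derive a verdict."""
    s = {"icmp_requests": 0, "icmp_replies": 0,
         "syn_first": 0, "syn_retransmit": 0, "syn_ack": 0}
    seen = {}   # (client, sport, dport) -> True if its latest SYN was a retransmit
    first_answered = retrans_answered = False
    for src, dst, proto, info in pkts:
        to_bl, from_bl = dst == blacklisted, src == blacklisted
        if not (to_bl or from_bl):
            continue
        if proto == "ICMP":
            if to_bl and "request" in info:
                s["icmp_requests"] += 1
            elif from_bl and "reply" in info:
                s["icmp_replies"] += 1
        elif proto == "TCP":
            m = TCP_RE.match(info)
            if not m:
                continue
            sport, dport = _port(m.group(1)), _port(m.group(2))
            flags = {f.strip() for f in m.group(3).split(",")}
            if to_bl and flags == {"SYN"}:
                key = (src, sport, dport)
                if key in seen:            # same 4-tuple, SYN again: a retransmit
                    s["syn_retransmit"] += 1
                    seen[key] = True
                else:
                    s["syn_first"] += 1
                    seen[key] = False
            elif from_bl and flags == {"SYN", "ACK"}:
                s["syn_ack"] += 1
                if seen.get((dst, dport, sport)):   # flip back to the client's view
                    retrans_answered = True
                else:
                    first_answered = True
    if first_answered or s["icmp_replies"]:
        s["verdict"] = "not blocked"
    elif retrans_answered:
        s["verdict"] = ("first packet dropped, retransmitted SYN answered: "
                        "per-packet drop, session not blocked")
    elif s["icmp_requests"] or s["syn_first"]:
        s["verdict"] = "blocked: no reply to any probe"
    else:
        s["verdict"] = "no traffic involving host"
    return s


# Constructed samples. TRACE_LEAK mirrors the shape of the posted trace.
TRACE_LEAK = """\
No. Time Source Destination Protocol Length Info
1 2016-08-02 19:14:16.289571 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=1/256, ttl=64
2 2016-08-02 19:14:17.288478 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x766c, seq=2/512, ttl=64
3 2016-08-02 19:14:29.707089 192.168.63.1 5.157.87.137 TCP 74 50492 > http [SYN] Seq=0 Win=14600 Len=0
4 2016-08-02 19:14:30.703724 192.168.63.1 5.157.87.137 TCP 74 50492 > http [SYN] Seq=0 Win=14600 Len=0
5 2016-08-02 19:14:30.722023 5.157.87.137 192.168.63.1 TCP 76 http > 50492 [SYN, ACK] Seq=0 Ack=1 Win=28960
6 2016-08-02 19:14:30.722288 192.168.63.1 5.157.87.137 TCP 66 50492 > http [ACK] Seq=1 Ack=1 Win=14656
"""
TRACE_BLOCK = """\
1 2016-08-02 20:00:00.000000 192.168.63.1 5.157.87.137 ICMP 98 Echo (ping) request id=0x1111, seq=1/256, ttl=64
2 2016-08-02 20:00:01.000000 192.168.63.1 5.157.87.137 TCP 74 50600 > http [SYN] Seq=0 Win=14600 Len=0
3 2016-08-02 20:00:02.000000 192.168.63.1 5.157.87.137 TCP 74 50600 > http [SYN] Seq=0 Win=14600 Len=0
"""
TRACE_OPEN = """\
1 2016-08-02 20:10:00.000000 192.168.63.1 5.157.87.137 TCP 74 50700 > http [SYN] Seq=0 Win=14600 Len=0
2 2016-08-02 20:10:00.020000 5.157.87.137 192.168.63.1 TCP 76 http > 50700 [SYN, ACK] Seq=0 Ack=1 Win=28960
"""

if __name__ == "__main__":
    for name, trace in (("leak", TRACE_LEAK), ("block", TRACE_BLOCK), ("open", TRACE_OPEN)):
        print(name, classify(parse_trace(trace), "5.157.87.137"))
```

Run it against a real export (tshark or Wireshark "Export Packet Dissections > As Plain Text") captured on a monitor port. A "per-packet drop" verdict means the sensor dropped the first SYN but the retransmit got through, which is the situation discussed in this thread; in that case compare the `syn_retransmit` count with how much "Number of packets blacklisted" grew in the reputation statistics, since a blacklisted counter that rises by one per connection attempt while the connection still succeeds points at the same thing.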
Current thread:
- snort black list issue anton van der leun (Aug 01)
- Re: snort black list issue Hui Cao (huica) (Aug 01)
- Message not available
- Re: snort black list issue Hui cao (Aug 02)
- <Possible follow-ups>
- Re: snort black list issue anton van der leun (Aug 01)
- Re: snort black list issue anton van der leun (Aug 02)
- Re: snort black list issue Hui cao (Aug 02)
- Re: snort black list issue anton van der leun (Aug 02)
- Re: snort black list issue anton van der leun (Aug 03)
- FW: snort black list issue anton van der leun (Aug 04)
- Re: snort black list issue anton van der leun (Aug 08)
- Re: snort black list issue Hui cao (Aug 02)
- Re: snort black list issue anton van der leun (Aug 02)
- Re: snort black list issue anton van der leun (Aug 02)
- Re: snort black list issue Hui cao (Aug 02)