Snort mailing list archives

Alerts in alert_fast arrive out-of-order?


From: Marcin Dulak <marcin.dulak () gmail com>
Date: Fri, 20 Jan 2017 02:11:50 +0100

My setup:

$ rpm -q snort
snort-2.9.9.0-1.x86_64
$ rpm -q daq-modules  # comes from EPEL
daq-modules-2.0.6-1.el7.x86_64

run with nfq on the destination host running a load balancer on ports
BBB.BBB.BBB.BBB:80/443:

snort -d -Q -l /var/log/snort -c /etc/snort/snort.conf --pid-path /var/log/snort --no-interface-pidfile -y -N

This is a test machine with almost no traffic.
In /var/log/snort/alert.fast, I see my test rule (similar to
http://ossectools.blogspot.dk/2011/04/network-intrusion-detection-systems.html)

alert tcp any any -> any 80 (msg:"3456789"; content:"/3456789"; http_uri; classtype:not-suspicious; sid:3456789;)

arriving usually at the expected intervals of 10 seconds, but other rules
get logged sometimes with a large delay (though most often 3 minutes), causing
the timestamps of alerts in alert_fast to become out-of-order, for example:

01/19/17-16:34:32.826474  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} AAA.AAA.AAA.AAA:41720 -> BBB.BBB.BBB.BBB:80
01/19/17-15:34:24.499626  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} AAA.AAA.AAA.AAA:53494 -> BBB.BBB.BBB.BBB:443
01/19/17-15:35:04.454336  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} AAA.AAA.AAA.AAA:53496 -> BBB.BBB.BBB.BBB:443
01/19/17-16:34:42.891249  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} AAA.AAA.AAA.AAA:41758 -> BBB.BBB.BBB.BBB:80

Snort reports all received packets were analyzed:

Packet I/O Totals:
   Received:        90404
   Analyzed:        90404 (100.000%)

I see a similar loss of ordering when logging in unified2, and suspect my
configuration is incorrect, snort.conf attached.

Some questions:

1. I run snort on the destination host and direct the traffic received on
BBB.BBB.BBB.BBB:80/443 (only these ports) to NFQUEUE using netfilter with
connection tracking:
http://serverfault.com/questions/533704/why-is-iptables-rejecting-the-second-and-subsequent-fragments-of-an-allowed-pack
Does the usual disabling of NIC offloading capabilities
https://www.snort.org/documents/possible-packet-loss-during-reassembly-for-snort-ids-ips-sensors
apply to this case?

2. Does the number of ports listed in HTTP_PORTS and the preprocessors
stream5_global, http_inspect_server, ssl have any influence on the
performance?

3. There can be both http/https services behind the load balancer ports (on
subsequent network subinterfaces of the interface used for NFQUEUE). Is using
both 80/443 ports in both preprocessor http_inspect_server and ssl correct?

Best regards,

Marcin

Attachment: snort.conf
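Added example (editor's code, not part of Marcin's post or of Snort): a small checker that parses alert_fast lines and reports every alert whose timestamp is earlier than the latest one already written, both across the whole file and separately per signature id. The second view answers the question the post raises, namely whether a rule's own alerts are reordered or only the interleaving between rules is late. The sample input is the four alert lines from the post, re-joined onto single lines; the regex assumes the standard alert_fast layout shown there (timestamp, [gid:sid:rev], message, optional classification, priority, protocol, endpoints).

```python
import re
from collections import defaultdict
from datetime import datetime

# One alert_fast line: timestamp, ids, message, optional classification,
# priority, protocol and the src -> dst endpoints.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: the four lines quoted in the post, unwrapped.
SAMPLE_LINES = [
    "01/19/17-16:34:32.826474  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} AAA.AAA.AAA.AAA:41720 -> BBB.BBB.BBB.BBB:80",
    "01/19/17-15:34:24.499626  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} AAA.AAA.AAA.AAA:53494 -> BBB.BBB.BBB.BBB:443",
    "01/19/17-15:35:04.454336  [**] [1:20528:12] SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} AAA.AAA.AAA.AAA:53496 -> BBB.BBB.BBB.BBB:443",
    "01/19/17-16:34:42.891249  [**] [1:3456789:0] 3456789 [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} AAA.AAA.AAA.AAA:41758 -> BBB.BBB.BBB.BBB:80",
]


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    return rec


def find_out_of_order(lines):
    """Flag every alert whose timestamp is older than the newest timestamp
    seen earlier in file order. Returns (line_index, sid, seconds_behind)."""
    flagged = []
    newest = None
    for idx, line in enumerate(lines):
        rec = parse_alert(line)
        if rec is None:
            continue  # skip non-alert lines (blank, wrapped, foreign format)
        if newest is not None and rec["ts"] < newest:
            behind = (newest - rec["ts"]).total_seconds()
            flagged.append((idx, rec["sid"], behind))
        else:
            newest = rec["ts"]
    return flagged


def per_rule_violations(lines):
    """Same check, but tracked independently for each signature id, so one
    can tell whether a rule's own alerts are reordered or only interleaved
    late relative to other rules. Returns {sid: count_of_backward_steps}."""
    counts = defaultdict(int)
    newest_by_sid = {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        sid = rec["sid"]
        counts.setdefault(sid, 0)
        prev = newest_by_sid.get(sid)
        if prev is not None and rec["ts"] < prev:
            counts[sid] += 1
        else:
            newest_by_sid[sid] = rec["ts"]
    return dict(counts)


if __name__ == "__main__":
    for idx, sid, behind in find_out_of_order(SAMPLE_LINES):
        print(f"line {idx}: sid {sid} is {behind:.3f}s behind the newest alert")
    print("per-rule backward steps:", per_rule_violations(SAMPLE_LINES))
```

Run it against a real file with `find_out_of_order(open("/var/log/snort/alert.fast").read().splitlines())`. On the quoted sample the whole-file check flags the two sid 20528 alerts as roughly an hour behind, while the per-rule view shows zero backward steps for either rule, i.e. each rule's alerts are in order and only the time at which they reach the log differs.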
