Snort mailing list archives

Re: Fwd: Snort blocking connection but not logging the drop


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Tue, 13 May 2014 18:18:35 +0000


________________________________
From: Cody Brugh [cbrugh () gmail com]
Sent: Tuesday, May 13, 2014 2:17 PM
To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

Russ - do you need anything else to keep this case going forward?  I assume you are opening a bug report or something 
similar?

* Don't need anything just yet.  If I need additional data or a bug is opened, I will let you know.

Thanks!


On Tue, May 13, 2014 at 10:36 AM, Cody Brugh <cbrugh () gmail com<mailto:cbrugh () gmail com>> wrote:
Attached is the info you requested.... I included tcpdump from a server successfully connecting to the API with snort 
OFF.

Also attached is the PCAP for when snort is ON and the packet being dropped.

Let me know the next steps.



On Tue, May 13, 2014 at 10:19 AM, Cody Brugh <cbrugh () gmail com<mailto:cbrugh () gmail com>> wrote:
Quick question on the "passive mode"... we use a bypass switch that checks snort heartbeat... if I set snort to passive 
mode the bypass switch doesn't flow traffic through the snort box at all.  This means the packet captures for the 
passive mode will need to be run from a server itself, is that fine?



On Tue, May 13, 2014 at 9:51 AM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 6:30 PM

To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

Ok, I disabled everything (rules, normalizations, pre-processors, dynamic rules) and still not able to connect with 
snort in-line.

Attached is my snort.conf to make sure I got everything... At this point do you believe this is a bug?  Would the alpha 
snort version maybe work?

* Not clear what is going on, but with everything disabled, changing versions shouldn't make a difference.

Please send:

-- Snort configure line (./configure ... )
-- Snort command line
-- Snort conf
-- pcap with one successful connection while running Snort in passive mode
-- pcap with one unsuccessful connection while running Snort in inline mode
-- snort-passive.log and snort-inline.log

Based on the earlier emails, the commands to generate the logs are these:

    snort -A cmg --daq afpacket -i eth2:eth3 --daq-var buffer_size_mb=2048MB \
         -c /etc/snort/snort.conf &> snort-passive.log

    snort -A cmg --daq afpacket -i eth2:eth3 -Q --daq-var buffer_size_mb=2048MB \
        -c /etc/snort/snort.conf &> snort-inline.log

The pcaps should be captured for each of the above runs.

You can send directly to me if anything is sensitive.

Thanks
Russ

On Mon, May 12, 2014 at 6:19 PM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]

Sent: Monday, May 12, 2014 6:11 PM
To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

Would a pre-processor engine be blocking but not logging?  When you say disable things are you talking about removing 
pre-processing engines or other?

* There are two ways packets get blocked: rules and normalization.  If those aren't indicated, it could be a bug or it 
could be something else entirely, like your Snort environment.  To isolate, first disable all your rules.  Then disable 
all normalizations.  Then start disabling preprocessors.
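The three isolation steps above (rules, then normalizations, then preprocessors one at a time) can be scripted instead of hand-edited so each stage is reproducible. The following Python is added here as an example; it is not code from the thread or from Snort. It takes a snort.conf, comments out the directives for a given stage, and makes sure `config autogenerate_preprocessor_decoder_rules` is present exactly once so that whatever still blocks reports why. The directive patterns follow the stock snort.conf layout (`include $RULE_PATH/...`, `preprocessor normalize_tcp: ...`, `preprocessor stream5_*`); the sample conf is constructed, not the one Cody attached, and the stage names are this example's own.

```python
import re
from typing import Dict, Iterable, List

# Directive patterns follow the stock snort.conf layout
# ("include $RULE_PATH/...", "preprocessor normalize_tcp: ...").
# The leading anchor means already-commented lines never match.
RULE_INCLUDE: re.Pattern = re.compile(r"^\s*include\s+\$(?:RULE_PATH|SO_RULE_PATH)/")
NORMALIZER: re.Pattern = re.compile(r"^\s*preprocessor\s+normalize_")

# Isolation order from the thread: rules, then normalizations, then
# preprocessors (named one at a time). Stage names are this example's own.
STAGES: Dict[str, List[re.Pattern]] = {
    "no-rules": [RULE_INCLUDE],
    "no-normalize": [RULE_INCLUDE, NORMALIZER],
    "no-preproc": [RULE_INCLUDE, NORMALIZER],
}

# Makes preprocessor/decoder events (normalizer blocks included) show up as alerts.
AUTOGEN = "config autogenerate_preprocessor_decoder_rules"


def preproc_pattern(name: str) -> re.Pattern:
    """Match the 'preprocessor <name>' directive, e.g. http_inspect."""
    return re.compile(rf"^\s*preprocessor\s+{re.escape(name)}\b")


def stage_config(conf: str, stage: str, preprocessors: Iterable[str] = ()) -> str:
    """Return snort.conf with the stage's directives commented out and AUTOGEN
    present exactly once. Disable preprocessors incrementally: removing stream5
    changes TCP reassembly itself, not just detection."""
    patterns = list(STAGES[stage])
    if stage == "no-preproc":
        patterns += [preproc_pattern(n) for n in preprocessors]
    out: List[str] = []
    have_autogen = False
    for line in conf.splitlines():
        if line.strip() == AUTOGEN:
            have_autogen = True
        if any(p.match(line) for p in patterns):
            out.append(f"# {line.strip()}  # disabled for isolation stage {stage}")
        else:
            out.append(line)
    if not have_autogen:
        out.append(AUTOGEN)
    return "\n".join(out) + "\n"


def active_directives(conf: str, prefix: str) -> List[str]:
    """Uncommented lines beginning with prefix, for before/after comparison."""
    return [ln.strip() for ln in conf.splitlines() if ln.strip().startswith(prefix)]


# Constructed fragment in the shape of the default snort.conf; it is not the
# conf Cody attached to the thread.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, ports both all
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
# preprocessor sfportscan: proto { all }
include $RULE_PATH/local.rules
include $RULE_PATH/web-attacks.rules
"""

if __name__ == "__main__":
    for name in STAGES:
        print(f"### {name}")
        print(stage_config(SAMPLE_CONF, name, preprocessors=["http_inspect"]))
```

Run each stage's output as `-c` for one inline test (the `snort -A cmg ... -Q` command line from the thread) and stop when the connection goes through; the last directive you removed is the one blocking. Because preprocessor rules are auto-generated from the first stage on, a normalizer block should already show up as an alert in the `-A cmg` output before you reach the later stages.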


On Mon, May 12, 2014 at 6:06 PM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 4:32 PM

To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

Running in passive mode I see no alerts/blocks for this specific API command... Also note that the API command is 
running without a problem now that snort is in passive mode.

Something inside of snort is catching it but I cannot figure out what... would this be like a preprocessor or dynamic 
rules or something?

* If there is something in Snort blocking your session, then the output should indicate that.  At this point I would 
try disabling things systematically to isolate it.


On Mon, May 12, 2014 at 4:18 PM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 4:11 PM

To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

I now see my other alerts/drops coming in on the console, however when I run the API command I get nothing from a 
alert/drop status...  What else could be blocking it?

* The log you sent shows no blocks, so either it isn't configured the same or it isn't getting the same traffic as 
before.  Or maybe you have more than one Snort running?  In any case, the output you sent indicates Snort is not the 
problem.

What happens if you run in passive mode by just removing the -Q?  Do you get alerts?  Blocks?


On Mon, May 12, 2014 at 4:09 PM, Cody Brugh <cbrugh () gmail com<mailto:cbrugh () gmail com>> wrote:
Attached.


On Mon, May 12, 2014 at 4:05 PM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 3:59 PM

To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

Alright, I did that and ran my command but see nothing... looking at the console and /var/log/messages...

/usr/local/bin/snort -M -A console -q --daq afpacket -i eth2:eth3 -Q --daq-var buffer_size_mb=2048MB -c /etc/snort/snort.conf

* Ok, do this and send the whole output file (snort.log) after stopping with ctl-c:

/usr/local/bin/snort -A cmg --daq afpacket -i eth2:eth3 -Q --daq-var buffer_size_mb=2048MB -c /etc/snort/snort.conf &> snort.log

This is very odd


On Mon, May 12, 2014 at 3:24 PM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 3:01 PM

To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

That's the thing, I don't know what rule is being hit as it doesn't show in Snorby. Is there a way to show the rule 
that was triggered?  Maybe that is done with the perf monitoring stuff?

* I can't help you with Snorby.  Since this is easy for you to reproduce, I suggest running Snort from the command line 
directly, no scripts, and no -M option.  Add -A cmg -q to your command line.  You will see the alert.



On May 12, 2014, at 2:59 PM, "Russ Combs (rucombs)" <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:


________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 2:53 PM
To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

I just disabled the tcp normalize and cleaned up some pre-processors that I don't need, however I am still being 
dropped when trying to connect to the API with snort ON.  Attached are the stats from a quick run where I tried to 
connect 4-5 times.  Let me know if you see something or other suggestions.

* You have 1 alert, 2 blocks, 1 blacklisted, and 2 injects.  I would start by changing the rule that is firing from 
drop to alert.

Thanks,
Cody


On Mon, May 12, 2014 at 1:05 PM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 12:53 PM

To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

What all is the normalizer used for?  Will turning it off make me vulnerable?

* The normalizer does various scrubbing and blocking to improve detection.  You need to assess your security position 
with or without it.  For details on the normalizer, check here:  http://manual.snort.org/node168.html.

Just trying to understand what that mechanism does.

Thanks,
Cody

On May 12, 2014, at 12:02 PM, "Russ Combs (rucombs)" <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

The normalizer is blocking packets:

             tcp::block: 272

You can prevent that by commenting out the normalize_tcp line from your conf.

You can debug it a little further by enabling all preprocessor rules by adding / uncommenting them in your conf or by 
adding this to your conf:

    config autogenerate_preprocessor_decoder_rules

Then you should see why the normalizer is blocking.  When I do that with the pcap you sent I see a bad TCP reset.

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 11:52 AM
To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

Attached is the shutdown stats.  Let me know what you find/suggest.

Thanks,
Cody


On Mon, May 12, 2014 at 11:41 AM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 11:18 AM

To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

How do I gather those stats?  Are you looking for this?  http://manual.snort.org/node20.html

* Not those.  Do a clean start, run your traffic, and then stop Snort or give it a usr1 signal and check the output.  
Check console or syslog depending on how you run.

Thanks,
Cody


On Mon, May 12, 2014 at 11:05 AM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:
What are your shutdown / usr1 stats?  Do they show normalizer blocks?

________________________________
From: Cody Brugh [cbrugh () gmail com<mailto:cbrugh () gmail com>]
Sent: Monday, May 12, 2014 10:29 AM
To: Russ Combs (rucombs)
Cc: Joel Esler (jesler); snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>

Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

Can you confirm you received my PCAP file?  I would really like to get this issue resolved so I can work with their API.

Let me know the status please.


On Fri, May 9, 2014 at 9:02 AM, Cody Brugh <cbrugh () gmail com<mailto:cbrugh () gmail com>> wrote:
Attached is the pcap of the stamps.com<http://stamps.com> packet capture... can someone check and see what I should do?

Thanks,
Cody


On Fri, May 9, 2014 at 8:19 AM, Russ Combs (rucombs) <rucombs () cisco com<mailto:rucombs () cisco com>> wrote:

________________________________
From: Joel Esler (jesler)
Sent: Thursday, May 08, 2014 8:51 PM
To: Cody Brugh
Cc: snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Fwd: Snort blocking connection but not logging the drop

Can you send your configuration file, and a packet capture of the session?

* Can you also send your usr1 / shutdown stats?


--
Joel Esler
Sent from my iPhone

On May 8, 2014, at 20:49, "Cody Brugh" <cbrugh () gmail com<mailto:cbrugh () gmail com>> wrote:

Hi,

Our dev team is trying to work with stamps.com<http://stamps.com> API however our in-line snort box is blocking the 
return connection for unknown reasons.  When I turn off snort the connection flows perfectly.  Looking at snorby I see 
no event of the connection being dropped.  I've included the command we are running from an internal server that is 
behind the snort.  I also included the tcpdump from this same server for the connection.

wget https://216.52.211.91/label/health.aspx
--2014-05-08 20:37:33--  https://216.52.211.91/label/health.aspx
Connecting to 216.52.211.91:443... connected.


20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq 3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869 ecr 3731400338], length 0
20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq 1, ack 1, win 8208, length 0
20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq 3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2824990923 ecr 0], length 0
20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq 361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale 3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0
20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0
20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139
20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368
20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 2737, win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0

20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq 4233:4288, ack 140, win 534, length 55

any help or suggestions would be great, I would like to disable the rule that is blocking this connection but like I 
said I cannot see which rule blocked it.

Thanks.
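Russ's diagnosis higher up in the thread was a bad TCP reset, and the trace Cody posted ends with a reset worth looking at: the server's RST arrives with seq 4233:4288 and 55 bytes of payload after the client had acknowledged 2737. The following script is added here as an example; it is not code from the thread, from Snort's normalizer, or from stamps.com. It replays a tcpdump text trace and applies a simplified version of the reset check an inline stream engine performs: a reset must carry no data and must start at the sequence number the peer last acknowledged (RFC 5961 section 3.2 requires an exact match before a reset is accepted). It assumes tcpdump's default relative sequence numbering after the handshake, so flows whose three-way handshake was not captured are reported as unverifiable rather than judged, which is the same limit a stream engine picking up a session mid-flow has. The sample trace is constructed from the lines quoted above, one record per string.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# tcpdump's default TCP summary line (relative seq/ack once the handshake has
# been seen). seq and ack are optional: pure ACKs print no seq, and the data
# segments in the trace above print only a length.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)$"
)

Endpoint = Tuple[str, int]

@dataclass
class Segment:
    ts: str
    src: Endpoint
    dst: Endpoint
    flags: str
    seq: Optional[int]
    ack: Optional[int]
    length: int

@dataclass
class FlowState:
    handshake_seen: bool = False
    next_seq: Dict[Endpoint, int] = field(default_factory=dict)  # next byte each side sends
    last_ack: Dict[Endpoint, int] = field(default_factory=dict)  # last ack each side sent

def parse_line(line: str) -> Optional[Segment]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Segment(m["ts"], (m["src"], int(m["sport"])), (m["dst"], int(m["dport"])),
                   m["flags"], int(m["seq"]) if m["seq"] else None,
                   int(m["ack"]) if m["ack"] else None, int(m["length"]))

def judge_reset(seg: Segment, st: FlowState) -> List[str]:
    """A clean RST carries no data and starts exactly where the peer expects the
    sender's next byte, i.e. at the peer's last ack. Anything else is reported."""
    who = f"{seg.ts} RST {seg.src[0]}:{seg.src[1]} -> {seg.dst[0]}:{seg.dst[1]}"
    if not st.handshake_seen:
        return [f"{who}: handshake not seen, cannot validate"]
    findings = []
    if seg.length > 0:
        findings.append(f"{who}: carries {seg.length} bytes of payload")
    expected = st.last_ack.get(seg.dst)
    if expected is not None and seg.seq is not None and seg.seq != expected:
        findings.append(f"{who}: seq {seg.seq} but peer expects {expected}")
    return findings

def check_resets(lines: List[str]) -> List[str]:
    """Replay a tcpdump text trace; return one finding per suspicious RST."""
    flows: Dict[Tuple[Endpoint, ...], FlowState] = {}
    findings: List[str] = []
    for line in lines:
        seg = parse_line(line)
        if seg is None:
            continue
        st = flows.setdefault(tuple(sorted((seg.src, seg.dst))), FlowState())
        if "S" in seg.flags:
            if seg.ack is not None:  # SYN-ACK: tcpdump is relative from here, ISN+1 == 1
                st.handshake_seen = True
                st.next_seq[seg.src] = st.next_seq[seg.dst] = 1
                st.last_ack[seg.src] = 1
            continue
        if seg.ack is not None:
            st.last_ack[seg.src] = seg.ack
        if "R" in seg.flags:
            findings.extend(judge_reset(seg, st))
            continue
        # Advance the sender's sequence space, using the tracked value when
        # tcpdump printed no seq; a FIN consumes one sequence number.
        seq = seg.seq if seg.seq is not None else st.next_seq.get(seg.src)
        if seq is not None:
            st.next_seq[seg.src] = seq + seg.length + (1 if "F" in seg.flags else 0)
    return findings

# Constructed from the trace quoted above, one tcpdump record per string.
SAMPLE_TRACE = [
    "20:37:33.443962 IP 10.2.2.1.52661 > 216.52.211.91.443: Flags [F.], seq 3298140140, ack 2463587275, win 8208, options [nop,nop,TS val 2824990869 ecr 3731400338], length 0",
    "20:37:33.444478 IP 216.52.211.91.443 > 10.2.2.1.52661: Flags [R.], seq 1, ack 1, win 8208, length 0",
    "20:37:33.989510 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [S], seq 3306929108, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 2824990923 ecr 0], length 0",
    "20:37:34.071548 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [S.], seq 361712399, ack 3306929109, win 4140, options [mss 1380,nop,wscale 3,nop,nop,TS val 3731482846 ecr 2824990923,sackOK,eol], length 0",
    "20:37:34.071610 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 0",
    "20:37:34.071750 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [P.], ack 1, win 8208, options [nop,nop,TS val 2824990932 ecr 3731482846], length 139",
    "20:37:34.154367 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368",
    "20:37:34.154462 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [.], ack 140, win 517, options [nop,nop,TS val 3731482928 ecr 2824990932], length 1368",
    "20:37:34.154490 IP 10.2.2.1.59800 > 216.52.211.91.443: Flags [.], ack 2737, win 7877, options [nop,nop,TS val 2824990940 ecr 3731482928], length 0",
    "20:37:44.153373 IP 216.52.211.91.443 > 10.2.2.1.59800: Flags [R.], seq 4233:4288, ack 140, win 534, length 55",
]

if __name__ == "__main__":
    for finding in check_resets(SAMPLE_TRACE):
        print(finding)
```

On this trace the script reports the port 52661 reset as unverifiable (its handshake is not in the capture) and flags the port 59800 reset twice: for carrying 55 bytes of payload, and for sequence 4233 when the client's last ack said it expected 2737. Whether an inline engine should drop such a reset is a policy decision; the point of the check is that a reset like this is exactly what a "bad TCP reset" event looks like, and with preprocessor rules enabled it should be visible as an alert rather than a silent drop. Real captures should be taken with `tcpdump -S` to get absolute numbers if you need to compare both directions across reconnects.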


------------------------------------------------------------------------------
Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
&#149; 3 signs your SCM is hindering your productivity
&#149; Requirements for releasing software faster
&#149; Expert tips and advice for migrating your SCM now
http://p.sf.net/sfu/perforce
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net<mailto:Snort-devel () lists sourceforge net>
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!