Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort unable to drop packets in inline mode

From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 23 Feb 2015 12:16:21 +0000
Also.. run snort with the “--daq dump” switch. That should dump a pcap named “inline-out.pcap” of the traffic that was 
seen/processed. You can look at that pcap and see if the traffic is being dropped there or not.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Sunday, February 22, 2015 2:13 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort unable to drop packets in inline mode

Ok....imma top post just because.  Here's what I have on my end that's working:


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.8

snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

config line (pfring lines won't be relevant for you I am guessing):
./configure --enable-non-ether-decoders --enable-sourcefire --enable-shared-rep --enable-control-socket 
--with-libpcap-includes=/opt/pfring/include --with-libpcap-libraries=/opt/pfring/lib 
--with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib --enable-open-appid

I can't imagine that this would make a difference, but per the README in the daq src:

AFPACKET Module
===============

afpacket functions similar to the pcap DAQ but with better performance:

    ./snort --daq afpacket -i <device>
            [--daq-var buffer_size_mb=<#MB>]
            [--daq-var debug]

If you want to run afpacket in inline mode, you must craft the device string as
one or more interface pairs, where each member of a pair is separated by a
single colon and each pair is separated by a double colon like this:

I do see in your start that you specify interfaces first, then afpacket second, so reverse that to:

sudo snort -c /etc/snort/snort.conf -Q --daq afpacket -i eth1:eth0 -k none -A fast

I would also try --daq-var debug if you still get things allowed after trying the above.  This test box is Ubuntu 
14.04.2 LTS, so we are pretty much running the same thing.  Lastly, although seeing the wget session helps, try and get 
an actual packet capture...it will help.

James

On Sun, 2015-02-22 at 23:02 +0530, Rishabh Shah wrote:
Hi James,

Yes, I do have a capture on my Windows 7 PC which is sitting behind Snort(linux).

-> Snort command used:
snort -c /etc/snort/snort.conf -Q -i eth1:eth0 --daq afpacket -k none -A fast


-> Traffic from Windows 7 pc:

%wget cnn.com<http://cnn.com>
--2015-02-22 22:54:36--  http://cnn.com/
Resolving cnn.com<http://cnn.com> (cnn.com<http://cnn.com>)... 157.166.226.26, 157.166.226.25
Connecting to cnn.com<http://cnn.com> (cnn.com<http://cnn.com>)|157.166.226.26|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.cnn.com/ [following]
--2015-02-22 22:54:37--  http://www.cnn.com/
Resolving www.cnn.com<http://www.cnn.com> (www.cnn.com<http://www.cnn.com>)... 103.245.222.185
Connecting to www.cnn.com<http://www.cnn.com> (www.cnn.com<http://www.cnn.com>)|103.245.222.185|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://edition.cnn.com/ [following]
--2015-02-22 22:54:38--  http://edition.cnn.com/
Resolving edition.cnn.com<http://edition.cnn.com> (edition.cnn.com<http://edition.cnn.com>)... 103.245.222.185
Reusing existing connection to www.cnn.com:80<http://www.cnn.com:80>.
HTTP request sent, awaiting response... 200 OK
Length: 214393 (209K) [text/html]
Saving to: ‘index.html.6’

100%[================================================================================>] 214,393      321KB/s   in 0.7s

2015-02-22 22:54:39 (321 KB/s) - ‘index.html.6’ saved [214393/214393]


Alert on Snort:
02/22-22:54:36.628789  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 
192.168.10.1:54980<http://192.168.10.1:54980> -> 103.245.222.185:80<http://103.245.222.185:80>



On Sun, Feb 22, 2015 at 9:29 PM, James Lay <jlay () slave-tothe-box net<mailto:jlay () slave-tothe-box net>> wrote:
On Sun, 2015-02-22 at 20:47 +0530, Rishabh Shah wrote:

Hi James,


Thanks for looking in to this. In your case, the HTTP request is getting blocked by snort. But the same is not 
happening in my case. Any other command output that could help you figure out this issue?

On Sun, Feb 22, 2015 at 7:55 PM, James Lay <jlay () slave-tothe-box net<mailto:jlay () slave-tothe-box net>> wrote:
On Sat, 2015-02-21 at 20:04 +0530, Rishabh Shah wrote:

Hi Snort-Experts,


I am running Snort-2.9.7 in Ubuntu 14.04.1 LTS (64-bit). Snort is unable to drop packets, despite a drop alert being 
generated:
02/21-14:48:11.602240  [Drop] [**] [1:1112111:1] you are blocked [**] [Priority: 0] {TCP} 
192.168.10.1:53013<http://192.168.10.1:53013/> -> 157.166.226.25:80<http://157.166.226.25/>


-> Following rule in snort.rules file is getting triggered for the above alert log.
drop tcp any any -> any 80 (msg: "you are blocked"; sid: 1112111; rev: 1;)




===============================================================================
Action Stats:
     Alerts:            7 (  1.118%)
     Logged:            7 (  1.118%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:          231 ( 36.435%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:          394 ( 62.145%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)
===============================================================================

Interestingly, Blacklist means getting dropped/blocked/not-allowed-through/whatever you want to call it.  Case in point 
below:

start line:
sudo snort -c snort.conf -Q --daq afpacket -i eth1:eth2 -A console -k none

[ Number of patterns truncated to 20 bytes: 0 ]
afpacket DAQ configured to inline.
Acquiring network traffic from "eth1:eth2".
Reload thread starting...
Reload thread started, thread 0x7f383d236700 (3419)

        --== Initialization Complete ==--

snort rule:
drop tcp any any -> any $HTTP_PORTS (msg:"HTTP Traffic Index Get"; content:"index"; http_uri; sid:1000003; rev:1;)

wget from remote box:
[07:09:05 $] wget http://192.168.1.73/index.html
--2015-02-22 07:09:44--  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2015-02-22 07:09:45--  (try: 2)  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2015-02-22 07:09:47--  (try: 3)  http://192.168.1.73/index.html
Connecting to 192.168.1.73:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

tshark on ips box:
31 2015-02-22 07:09:46.143340  192.168.1.2 -> 192.168.1.73 TCP 74 43815→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 
SACK_PERM=1 TSval=1201101 TSecr=0 WS=128
32 2015-02-22 07:09:46.143469 192.168.1.73 -> 192.168.1.2  TCP 74 80→43815 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 
MSS=1460 SACK_PERM=1 TSval=54730 TSecr=1201101 WS=16
33 2015-02-22 07:09:46.144245  192.168.1.2 -> 192.168.1.73 TCP 66 43815→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 
TSval=1201101 TSecr=54730
34 2015-02-22 07:09:46.145281  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
35 2015-02-22 07:09:46.145388 192.168.1.73 -> 192.168.1.2  TCP 66 80→43815 [ACK] Seq=1 Ack=121 Win=14480 Len=0 
TSval=54731 TSecr=1201101
36 2015-02-22 07:09:46.145893  192.168.1.2 -> 192.168.1.73 TCP 54 43815→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
37 2015-02-22 07:09:49.147339  192.168.1.2 -> 192.168.1.73 TCP 74 43817→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 
SACK_PERM=1 TSval=1201852 TSecr=0 WS=128
38 2015-02-22 07:09:49.147486 192.168.1.73 -> 192.168.1.2  TCP 74 80→43817 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 
MSS=1460 SACK_PERM=1 TSval=55481 TSecr=1201852 WS=16
39 2015-02-22 07:09:49.148246  192.168.1.2 -> 192.168.1.73 TCP 66 43817→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 
TSval=1201852 TSecr=55481
40 2015-02-22 07:09:49.149275  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
41 2015-02-22 07:09:49.149381 192.168.1.73 -> 192.168.1.2  TCP 66 80→43817 [ACK] Seq=1 Ack=121 Win=14480 Len=0 
TSval=55482 TSecr=1201852
42 2015-02-22 07:09:49.150088 192.168.1.73 -> 192.168.1.2  HTTP 557 HTTP/1.1 200 OK  (text/html)
43 2015-02-22 07:09:49.151366  192.168.1.2 -> 192.168.1.73 TCP 54 43817→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0
46 2015-02-22 07:09:53.153356  192.168.1.2 -> 192.168.1.73 TCP 74 43818→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 
SACK_PERM=1 TSval=1202853 TSecr=0 WS=128
47 2015-02-22 07:09:53.153489 192.168.1.73 -> 192.168.1.2  TCP 74 80→43818 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 
MSS=1460 SACK_PERM=1 TSval=56483 TSecr=1202853 WS=16
48 2015-02-22 07:09:53.154244  192.168.1.2 -> 192.168.1.73 TCP 66 43818→80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 
TSval=1202853 TSecr=56483
49 2015-02-22 07:09:53.155285  192.168.1.2 -> 192.168.1.73 HTTP 186 GET /index.html HTTP/1.1
50 2015-02-22 07:09:53.155395 192.168.1.73 -> 192.168.1.2  TCP 66 80→43818 [ACK] Seq=1 Ack=121 Win=14480 Len=0 
TSval=56483 TSecr=1202854
51 2015-02-22 07:09:53.155921  192.168.1.2 -> 192.168.1.73 TCP 54 43818→80 [RST, ACK] Seq=121 Ack=1 Win=0 Len=0

snort result using console:
02/22-07:09:46.145218  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 
192.168.1.2:43815<http://192.168.1.2:43815> -> 192.168.1.73:80<http://192.168.1.73:80>
02/22-07:09:49.149219  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 
192.168.1.2:43817<http://192.168.1.2:43817> -> 192.168.1.73:80<http://192.168.1.73:80>
02/22-07:09:53.155221  [Drop] [**] [1:1000003:1] HTTP Traffic Index Get [**] [Priority: 0] {TCP} 
192.168.1.2:43818<http://192.168.1.2:43818> -> 192.168.1.73:80<http://192.168.1.73:80>

and lastly, snort stats after kill:
===============================================================================
Packet I/O Totals:
   Received:           57
   Analyzed:           57 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:           12                  <----------- injected RST I am guessing
===============================================================================

===============================================================================
Action Stats:
     Alerts:            6 ( 10.526%)
     Logged:            6 ( 10.526%)
     Passed:            0 (  0.000%)
Limits:
      Match:            0
      Queue:            0
        Log:            0
      Event:            0
      Alert:            0
Verdicts:
      Allow:           50 ( 87.719%)
      Block:            0 (  0.000%)
    Replace:            0 (  0.000%)
  Whitelist:            0 (  0.000%)
  Blacklist:            7 ( 12.281%)
     Ignore:            0 (  0.000%)
      Retry:            0 (  0.000%)

And there ya go.

James

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




--
Regards,
Rishabh Shah.



------------------------------------------------------------------------------

Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server

from Actuate! Instantly Supercharge Your Business Reports and Dashboards

with Interactivity, Sharing, Native Excel Exports, App Integration & more

Get technology previously reserved for billion-dollar corporations, FREE

http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!

Rishabh,

How are you confirming that this isn't getting dropped/blocked/blacklisted?  Do you have a capture, or can you capture 
on the IPS to see what the traffic is looking like?

James

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


--
Regards,
Rishabh Shah.



------------------------------------------------------------------------------

Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server

from Actuate! Instantly Supercharge Your Business Reports and Dashboards

with Interactivity, Sharing, Native Excel Exports, App Integration & more

Get technology previously reserved for billion-dollar corporations, FREE

http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk

_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: