Menu
▾
▴
Re: [Snort-inline-users] msn messenger problem
|
From: Victor J. <vi...@nk...> - 2004-07-06 16:41:51
|
On Tuesday 06 July 2004 18:16, William Metcalf wrote: > Increasing the time-out should be fine, gaim must implement it's MSN > function differently than the windows messenger client. If no data is > received for x seconds in a TCP conversation the session is pruned in > stream4, this is the same way that a stateful firewall works. If data is > received out-of session it is dropped, unless it is trying to initialize a > new session i.e. a packet with the SYN flag set. Okay, so the only drawback is that stream4 will take some more memory because of this? Is this the same type of timeout that iptables uses in the state table? Iptables uses timeouts of days, not seconds if i recall correctly. Final question: why doesn't snort log the packets that are out of session? Or: how can i make snort log them? Thanks for your help! Regards, Victor > > Regards, > > Will > > > > Victor Julien > <vi...@nk...> > To > 07/06/2004 10:55 sno...@li...urceforg > AM e.net > cc > William Metcalf > <Wil...@kc...> > Subject > Re: [Snort-inline-users] msn > messenger problem > > On Tuesday 06 July 2004 15:34, William Metcalf wrote: > > That's odd, try disabling the flow preproc as it is not yet supported in > > snort_inline. I don't have any problem with msn and the stream4 preproc. > > The flow preprocessor was not the problem. I disabled it, but the > connection > was still lost after some time. > > Increasing the timeout for the stream4 prepoc from the default 30 sec to 60 > > sec seems to be the solution. > > Can you explain to me what this does? Can it be a security risk? DoS? > > Regards, > Victor > > > Regards, > > > > Will > > > > > > > > Victor Julien > > <vi...@nk...> > > Sent by: > > To > > > snort-inline-user William Metcalf > > s-...@li...u <Wil...@kc...> > > rceforge.net > > cc > > sno...@li...urceforg > > > e.net > > 07/06/2004 06:39 > > Subject > > > AM Re: [Snort-inline-users] msn > > messenger problem > > > > > > > > > > > > > > > > > > > > > > Hi William, > > > > Thanx for your reply. > > > > On Tuesday 06 July 2004 06:32, you wrote: > > > Look through your logs, there are certian rules that detect > > msn-messenger > > > > logon attemtps, if you have converted all rules to drop messenger would > > > stop working. > > > > My logs don't show anything about msn messenger. So if snort_inline is > > blocking msn in some way, it does so without telling me. I also tried > > aMsn > > > and Gaim and the same thing happens. > > > > I got this when running Gaim in debug mode: > > > > <snipped entire login procedure> > > msn: C: PNG > > msn: S: QNG 41 > > msn: C: PNG > > msn: S: QNG 46 > > msn: C: PNG > > msn: S: QNG 44 > > msn: C: PNG > > msn: S: QNG 40 > > msn: C: PNG > > msn: S: QNG 40 > > msn: C: PNG > > msn: S: QNG 43 > > msn: C: PNG > > msn: S: QNG 42 > > msn: C: PNG > > msn: S: QNG 47 > > > > I think 'C' is the client. It does some kind of keep-a-live i think. > > After > > > a > > 'PNG' (ping?) the server responds everytime. Then without notice or > > message, > > the server stops responding, and finally disconnects. > > > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > msn: C: PNG > > account: Disconnecting account 0x8198ae0 > > connection: Disconnecting connection 0x82ba848 > > server: removing NOP > > > > I get no message what-so-ever in any log (snort, iptables, syslog). > > > > Could this have something to do with: > > 1. preprocessor flow > > 2. preprocessor stream4 > > 3. preprocessor stream4_reassemble > > > > Maybe some internal time-out in snort_inline? > > > > Note that i don't have this problem when only iptables handles msn (with > > -j > > > ACCEPT). > > > > Regards, > > Victor > > > > > Regards, > > > > > > Will > > > > > > packescrubber:/etc/snort# grep MSN * > > > chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN > > > message"; flow:established; content:"MSG "; depth:4; > > > content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; > > > classtype:policy-violation; sid:540; rev:11;) > > > chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN > > > > file > > > > > transfer request"; flow:established; content:"MSG "; depth:4; > > > content:"Content-Type|3A|"; distance:0; nocase; > > > content:"text/x-msmsgsinvite"; distance:0; nocase; > > > content:"Application-Name|3A|"; content:"File Transfer"; distance:0; > > > nocase; classtype:policy-violation; sid:1986; rev:4;) > > > chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN > > > > file > > > > > transfer accept"; flow:established; content:"MSG "; depth:4; > > > content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; > > > distance:0; content:"Invitation-Command|3A|"; content:"ACCEPT"; > > > > distance:1; > > > > > classtype:policy-violation; sid:1988; rev:3;) > > > chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN > > > > file > > > > > transfer reject"; flow:established; content:"MSG "; depth:4; > > > content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; > > > distance:0; content:"Invitation-Command|3A|"; content:"CANCEL"; > > > > distance:0; > > > > > content:"Cancel-Code|3A|"; nocase; content:"REJECT"; distance:0; > > nocase; > > > > classtype:policy-violation; sid:1989; rev:4;) > > > chat.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN > > > > user > > > > > search"; flow:to_server,established; content:"CAL "; depth:4; nocase; > > > classtype:policy-violation; sid:1990; rev:1;) > > > chat.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN > > > login attempt"; flow:to_server,established; content:"USR "; depth:4; > > > nocase; content:" TWN "; distance:1; nocase; > > classtype:policy-violation; > > > > sid:1991; rev:1;) > > > sid-msg.map:540 || CHAT MSN message > > > sid-msg.map:1986 || CHAT MSN file transfer request > > > sid-msg.map:1988 || CHAT MSN file transfer accept > > > sid-msg.map:1989 || CHAT MSN file transfer reject > > > sid-msg.map:1990 || CHAT MSN user search > > > sid-msg.map:1991 || CHAT MSN login attempt > > > > > > > > > > > > Victor Julien > > > <vi...@nk...> > > > Sent by: > > > > To > > > > > snort-inline-user > > > > sno...@li...urceforg > > > > > s-...@li...u e.net > > > rceforge.net > > > > cc > > > > > > Subject > > > > > 07/01/2004 02:00 [Snort-inline-users] msn > > messenger > > > > PM problem > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Hi, > > > > > > I 'm testing snort_inline to filter my outgoing traffic. Http, ftp, > > pop3 > > > > work > > > fine so far, however msn-messenger does not. I'm using Kopete (kde > > 3.2.2, > > > > debian-testing) with msn-plugin. The plugin just dies after some 5 > > > > minutes > > > > > or > > > so. This does not happen when msn works just with iptables. Is there > > any > > > > known problem with msn and snort_inline? > > > > > > Regards, > > > Victor > > > > > > > > > ------------------------------------------------------- > > > This SF.Net email sponsored by Black Hat Briefings & Training. > > > Attend Black Hat Briefings & Training, Las Vegas July 24-29 - > > > digital self defense, top technical experts, no vendor pitches, > > > unmatched networking opportunities. Visit www.blackhat.com > > > _______________________________________________ > > > Snort-inline-users mailing list > > > Sno...@li... > > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users > > > > ------------------------------------------------------- > > This SF.Net email sponsored by Black Hat Briefings & Training. > > Attend Black Hat Briefings & Training, Las Vegas July 24-29 - > > digital self defense, top technical experts, no vendor pitches, > > unmatched networking opportunities. Visit www.blackhat.com > > _______________________________________________ > > Snort-inline-users mailing list > > Sno...@li... > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users |
