Re: [Snort-inline-users] msn messenger problem

[Victor J. <vi...@nk...>]

On Tuesday 06 July 2004 19:51, William Metcalf wrote:
> The default time out for a session is 120 seconds for iptables.  If you set
> this in stream4 I would up the amount of memory you allocate for it.  As
> far as logging out-of-session packets, there isn't a mechanism in snort or
> snort_inline to do this, if you are troubleshooting, you can enable the
> stream4 debug.  This can be accomplished compiling with --enable-debug and
> then export SNORT_DEBUG=8192 prior to starting snort_inline.

Hmm, i thought the default tcp session timeout in iptables was something like 
5 days...

from my /proc/net/ip_conntrack:

tcp      6 431942 ESTABLISHED src=192.168.0.167 dst=207.46.107.7 sport=35693 
dport=1863 src=207.46.107.7 dst=192.168.0.167 sport=1863 dport=35693 
[ASSURED] use=1

The counter of 431942 is the session timeout right?

Okay, i set the timeout to 120 seconds now, so now i have increase the memcap? 
Can you give a rule of thumb for how high it should be... (for x number of 
connections, you need a memcap of y bytes)

Wouldn't it be an interesting feature to be able to log those packets for 
snort_inline (guess not for snort), because if snort_inline makes dissions as 
a firewall, thus dropping packets, i want to know why...

If you run a firewall and connections are dropped (thus the users are 
complaining to you), but you don't know why i think it's an administrators 
nightmare...

Would that difficult to implement, i'm a moderate c-programmer, so i could 
give it a shot...

(would you (or anyone else) even be interested in such a feature?)

Regards,
Victor

>
> Regards,
>
> Will
>
>
>
>              Victor Julien
>              <vi...@nk...>
>                                                                         To
>              07/06/2004 11:41          sno...@li...urceforg
>              AM                        e.net
>                                                                         cc
>                                        William Metcalf
>                                        <Wil...@kc...>
>                                                                    Subject
>                                        Re: [Snort-inline-users] msn
>                                        messenger problem
>
> On Tuesday 06 July 2004 18:16, William Metcalf wrote:
> > Increasing the time-out should be fine,  gaim must implement it's MSN
> > function differently than the windows messenger client.  If no data is
> > received for x seconds in  a TCP conversation the session is pruned in
> > stream4, this is the same way that a stateful firewall works.  If data is
> > received out-of session it is dropped, unless it is trying to initialize
>
> a
>
> > new session i.e. a packet with the SYN flag set.
>
> Okay, so the only drawback is that stream4 will take some more memory
> because
> of this?
>
> Is this the same type of timeout that iptables uses in the state table?
> Iptables uses timeouts of days, not seconds if i recall correctly.
>
> Final question: why doesn't snort log the packets that are out of session?
> Or:
> how can i make snort log them?
>
> Thanks for your help!
>
> Regards,
> Victor
>
> > Regards,
> >
> > Will
> >
> >
> >
> >              Victor Julien
> >              <vi...@nk...>
>
> To
>
> >              07/06/2004 10:55
>
> sno...@li...urceforg
>
> >              AM                        e.net
>
> cc
>
> >                                        William Metcalf
> >                                        <Wil...@kc...>
>
> Subject
>
> >                                        Re: [Snort-inline-users] msn
> >                                        messenger problem
> >
> > On Tuesday 06 July 2004 15:34, William Metcalf wrote:
> > > That's odd, try disabling the flow preproc as it is not yet supported
>
> in
>
> > > snort_inline.  I don't have any problem with msn and the stream4
>
> preproc.
>
> > The flow preprocessor was not the problem. I disabled it, but the
> > connection
> > was still lost after some time.
> >
> > Increasing the timeout for the stream4 prepoc from the default 30 sec to
>
> 60
>
> > sec seems to be the solution.
> >
> > Can you explain to me what this does? Can it be a security risk? DoS?
> >
> > Regards,
> > Victor
> >
> > > Regards,
> > >
> > > Will
> > >
> > >
> > >
> > >              Victor Julien
> > >              <vi...@nk...>
> > >              Sent by:
> >
> > To
> >
> > >              snort-inline-user         William Metcalf
> > >              s-...@li...u         <Wil...@kc...>
> > >              rceforge.net
> >
> > cc
> >
> > sno...@li...urceforg
> >
> > >                                        e.net
> > >              07/06/2004 06:39
> >
> > Subject
> >
> > >              AM                        Re: [Snort-inline-users] msn
> > >                                        messenger problem
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Hi William,
> > >
> > > Thanx for your reply.
> > >
> > > On Tuesday 06 July 2004 06:32, you wrote:
> > > > Look through your logs, there are certian rules that detect
> >
> > msn-messenger
> >
> > > > logon attemtps, if you have converted all rules to drop messenger
>
> would
>
> > > > stop working.
> > >
> > > My logs don't show anything about msn messenger. So if snort_inline is
> > > blocking msn in some way, it does so without telling me. I also tried
> >
> > aMsn
> >
> > > and Gaim and the same thing happens.
> > >
> > > I got this when running Gaim in debug mode:
> > >
> > > <snipped entire login procedure>
> > > msn: C: PNG
> > > msn: S: QNG 41
> > > msn: C: PNG
> > > msn: S: QNG 46
> > > msn: C: PNG
> > > msn: S: QNG 44
> > > msn: C: PNG
> > > msn: S: QNG 40
> > > msn: C: PNG
> > > msn: S: QNG 40
> > > msn: C: PNG
> > > msn: S: QNG 43
> > > msn: C: PNG
> > > msn: S: QNG 42
> > > msn: C: PNG
> > > msn: S: QNG 47
> > >
> > > I think 'C' is the client. It does some kind of keep-a-live i think.
> >
> > After
> >
> > > a
> > > 'PNG' (ping?) the server responds everytime. Then without notice or
> > > message,
> > > the server stops responding, and finally disconnects.
> > >
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > msn: C: PNG
> > > account: Disconnecting account 0x8198ae0
> > > connection: Disconnecting connection 0x82ba848
> > > server: removing NOP
> > >
> > > I get no message what-so-ever in any log (snort, iptables, syslog).
> > >
> > > Could this have something to do with:
> > > 1. preprocessor flow
> > > 2. preprocessor stream4
> > > 3. preprocessor stream4_reassemble
> > >
> > > Maybe some internal time-out in snort_inline?
> > >
> > > Note that i don't have this problem when only iptables handles msn
>
> (with
>
> > -j
> >
> > > ACCEPT).
> > >
> > > Regards,
> > > Victor
> > >
> > > > Regards,
> > > >
> > > > Will
> > > >
> > > > packescrubber:/etc/snort# grep MSN *
> > > > chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT
>
> MSN
>
> > > > message"; flow:established; content:"MSG "; depth:4;
> > > > content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1;
> > > > classtype:policy-violation; sid:540; rev:11;)
> > > > chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT
>
> MSN
>
> > > file
> > >
> > > > transfer request"; flow:established; content:"MSG "; depth:4;
> > > > content:"Content-Type|3A|"; distance:0; nocase;
> > > > content:"text/x-msmsgsinvite"; distance:0; nocase;
> > > > content:"Application-Name|3A|"; content:"File Transfer"; distance:0;
> > > > nocase; classtype:policy-violation; sid:1986; rev:4;)
> > > > chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT
>
> MSN
>
> > > file
> > >
> > > > transfer accept"; flow:established; content:"MSG "; depth:4;
> > > > content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite";
> > > > distance:0; content:"Invitation-Command|3A|"; content:"ACCEPT";
> > >
> > > distance:1;
> > >
> > > > classtype:policy-violation; sid:1988; rev:3;)
> > > > chat.rules:drop tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT
>
> MSN
>
> > > file
> > >
> > > > transfer reject"; flow:established; content:"MSG "; depth:4;
> > > > content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite";
> > > > distance:0; content:"Invitation-Command|3A|"; content:"CANCEL";
> > >
> > > distance:0;
> > >
> > > > content:"Cancel-Code|3A|"; nocase; content:"REJECT"; distance:0;
> >
> > nocase;
> >
> > > > classtype:policy-violation; sid:1989; rev:4;)
> > > > chat.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT
>
> MSN
>
> > > user
> > >
> > > > search"; flow:to_server,established; content:"CAL "; depth:4; nocase;
> > > > classtype:policy-violation; sid:1990; rev:1;)
> > > > chat.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT
>
> MSN
>
> > > > login attempt"; flow:to_server,established; content:"USR "; depth:4;
> > > > nocase; content:" TWN "; distance:1; nocase;
> >
> > classtype:policy-violation;
> >
> > > > sid:1991; rev:1;)
> > > > sid-msg.map:540 || CHAT MSN message
> > > > sid-msg.map:1986 || CHAT MSN file transfer request
> > > > sid-msg.map:1988 || CHAT MSN file transfer accept
> > > > sid-msg.map:1989 || CHAT MSN file transfer reject
> > > > sid-msg.map:1990 || CHAT MSN user search
> > > > sid-msg.map:1991 || CHAT MSN login attempt
> > > >
> > > >
> > > >
> > > >              Victor Julien
> > > >              <vi...@nk...>
> > > >              Sent by:
> > >
> > > To
> > >
> > > >              snort-inline-user
> > >
> > > sno...@li...urceforg
> > >
> > > >              s-...@li...u         e.net
> > > >              rceforge.net
> > >
> > > cc
> > >
> > >
> > > Subject
> > >
> > > >              07/01/2004 02:00          [Snort-inline-users] msn
> >
> > messenger
> >
> > > >              PM                        problem
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Hi,
> > > >
> > > > I 'm testing snort_inline  to filter my outgoing traffic. Http, ftp,
> >
> > pop3
> >
> > > > work
> > > > fine so far, however msn-messenger does not. I'm using Kopete (kde
> >
> > 3.2.2,
> >
> > > > debian-testing) with msn-plugin. The plugin just dies after some 5
> > >
> > > minutes
> > >
> > > > or
> > > > so. This does not happen when msn works just with iptables. Is there
> >
> > any
> >
> > > > known problem with msn and snort_inline?
> > > >
> > > > Regards,
> > > > Victor
> > > >
> > > >
> > > > -------------------------------------------------------
> > > > This SF.Net email sponsored by Black Hat Briefings & Training.
> > > > Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> > > > digital self defense, top technical experts, no vendor pitches,
> > > > unmatched networking opportunities. Visit www.blackhat.com
> > > > _______________________________________________
> > > > Snort-inline-users mailing list
> > > > Sno...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > >
> > > -------------------------------------------------------
> > > This SF.Net email sponsored by Black Hat Briefings & Training.
> > > Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
> > > digital self defense, top technical experts, no vendor pitches,
> > > unmatched networking opportunities. Visit www.blackhat.com
> > > _______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users