From: Markus K. <mko...@gm...> - 2004-08-08 08:15:48
hi snorters,

i can reproduce this bug, so i think it should be mentioned.

setup is debian unstable, 2.4.20-gentoo-r5, iptables v1.2.11, snort_inline 2.13b. snort is compiled from src and uses mysql as db backend.

i removed all other rulesets from snort_inline.conf and the only one running in local.rules is

    alert tcp $HOME_NET any -> $EXTERNAL_NET any \
    (\
    msg: "irc tagged session ";\
    content: "NICK"; \
    nocase;\
    pcre:"/^NICK\.*/i";\
    classtype: bad-unknown ;\
    # resp:rst_snd;\
    sid:1000011;\
    tag: session, 12, seconds;\
    rev:4;\
    )

the database plugin has wrong information about tagged packets, but that's not the real problem here. as one can imagine reading the rule, it is meant to tag irc traffic.

    iptables -A OUTPUT -p tcp --dport 6667 -j QUEUE
    iptables -A INPUT -p tcp --sport 6667 -j QUEUE

these rules do the work. now we go to some ircnet and wait. we use the box running snort_inline to connect using irssi or some other chat client. we can spend some time checking if tagging the first 12 seconds worked, and it worked; as mentioned before the database plugin does not set the right SID and msg, but it logs the packet.

after ~20 min irssi is unable to send to the irc server, and the irc server is unable to send to me. irssi's lagmeter powers up and after 300 seconds it will reconnect because it guesses the server has a ping timeout. snort_inline's console shows that the ircnet sent us that we had the ping timeout. if irssi's lagmeter is around 200 seconds, we can try an iptables -F to flush the QUEUE and we won't get disconnected. please try this on your own box, it works with me here.

i went to some large channel in quakenet to get a constant (spam) msg stream. i started ethereal on some other box in my hubbed network and waited for my ping timeout.

-> marks stuff the snort_inline host sends
<- marks stuff the snort_inline host receives

    -> PING online1.no.quakenet.org
    <- :online1.no.quakenet.org PONG online1.no.quakenet.org :online1.no.quakenet.org
    -> PING :online1.no.quakenet.org
    ...
    ...
    -> ERROR :Closing Link: privmsg by online1.no.quakenet.org (Ping timeout)

as one can see he _got_ the packet but snort_inline lost it somewhere.

now i will try this:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any \
    (\
    msg: "irc tagged session ";\
    content: "NICK"; \
    nocase;\
    pcre:"/^NICK\.*/i";\
    classtype: bad-unknown ;\
    # resp:rst_snd;\
    sid:1000011;\
    tag: session, 12, seconds;\
    rev:4;\
    )

    alert tcp $HOME_NET any -> $EXTERNAL_NET any \
    (\
    msg: "irc PING";\
    content: "PING"; \
    nocase;\
    classtype: bad-unknown ;\
    # resp:rst_snd;\
    sid:1000012;\
    tag: session, 12, seconds;\
    rev:1;\
    )

    alert tcp $HOME_NET any -> $EXTERNAL_NET any \
    (\
    msg: "irc PONG";\
    content: "PONG"; \
    nocase;\
    classtype: bad-unknown ;\
    sid:1000013;\
    rev:1;\
    )

    iptables -A OUTPUT -p tcp --dport 6667 -j QUEUE
    iptables -A INPUT -p tcp --sport 6667 -j QUEUE

i know the 2 new rules are not that exact, but it will fit here. i go to #musik in quakenet and #findscrim in gamesurge. #musik is quite idle this time, #findscrim is some shiny color spam, i never understood what this channel is used for, but it works for this case, it has instant traffic.

quakenet #musik performs this way. this is what ethereal gets (the gline is a shiny mark i guess):

    ....
    -> PING port80c.se.quakenet.org
    <- :port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org
    <- :Carny_Mailbox!~geh...@pD... JOIN :#musik
    <- :[Che]!~Ch...@DM... JOIN :#musik
    <- :freddy`!fr...@su... QUIT :G-lined
    <- :RM`Aussie!Au...@Ma... PRIVMSG #musik :.ACTION is back after 1d10h54m: auto-away after 120m idle.
    -> PING port80c.se.quakenet.org
    <- :port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org
    <- :NDA|aKi`off!tropi@212.12.122.11 NICK :NDA|aKi
    <- PING :port80c.se.quakenet.org
    <- :NoFVHar!~xpapr@81.215.5.120 JOIN :#musik
    <- :NoFVHar!~xpapr@81.215.5.120 QUIT :Signed off
    <- ERROR :Closing Link: privmsg by port80c.se.quakenet.org (Ping timeout)

the irssi client on the snort_inline box gets this:

    ....
    09:34 -!- freddy` [fr...@su...] has quit [G-lined]
    09:35 * RM`Aussie is back after 1d10h54m: auto-away after 120m idle
    *** reconnect due to 300 sec server timeout

as one can see the irssi client lacks the JOIN and QUIT, so the irssi app never got these lines, even though ethereal showed us they were on the line. gamesurge with #findscrim as spam channel did not suffer any disconnect, don't ask me why. and try iptables -F if your irssi lagmeter is growing: irssi will get the "missing lines" and the lag will go away.

the new PING PONG rules show that snort_inline got the PINGs we sent and the PINGs the server sent, but it does not show up any PONG before we get disconnected ...

Nathaniel Haggard wrote "drop rules", he described the same problem i guess. there are 2 possibilities:
- ip_queue bug
- snort_inline bug

the funny thing is if i flush the iptables, the application gets the data, so this seems a snort_inline problem.

Markus
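The comparison Markus does by hand above (what ethereal saw on the wire versus what irssi actually received, plus whether server PINGs were ever answered), as an added Python example that is not from the mail or from snort_inline. It assumes a sniffer log in the mail's "->"/"<-" style and a list of the raw IRC lines the client received; all sample lines are constructed.

```python
# Added example: compare what a sniffer saw on the wire with what the IRC
# client actually received, to spot lines lost between the QUEUE and the app.
# All sample lines are constructed; hostnames and nicks are placeholders.

# Wire view, ethereal style: "->" sent by the snort_inline host, "<-" received.
WIRE = """\
-> PING irc.example.net
<- :irc.example.net PONG irc.example.net :irc.example.net
<- :bob!~b@host.example JOIN :#chan
<- :carol!~c@host.example QUIT :G-lined
<- :dave!~d@host.example PRIVMSG #chan :still here
<- PING :irc.example.net
<- ERROR :Closing Link: host.example (Ping timeout)
""".splitlines()

# Raw lines the client on the snort_inline box actually received (constructed).
CLIENT_SEEN = [
    ":irc.example.net PONG irc.example.net :irc.example.net",
    ":dave!~d@host.example PRIVMSG #chan :still here",
]

def parse(line):
    """Split an ethereal-style line into (direction, raw IRC message)."""
    direction, _, msg = line.partition(" ")
    return direction, msg.strip()

def undelivered(wire, client_seen):
    """Inbound wire lines the client never received (lost in the queue)."""
    seen = set(client_seen)
    return [m for d, m in map(parse, wire) if d == "<-" and m not in seen]

def unanswered_server_pings(wire):
    """Server PINGs whose token was never answered by an outbound PONG."""
    pending = {}
    for d, m in map(parse, wire):
        token = m.split(" ", 1)[1].lstrip(":") if " " in m else ""
        if d == "<-" and m.startswith("PING "):
            pending[token] = m
        elif d == "->" and m.startswith("PONG "):
            pending.pop(token, None)
    return list(pending.values())

def report(wire=WIRE, client_seen=CLIENT_SEEN):
    """Empty lists mean everything on the wire reached the client."""
    return {"undelivered": undelivered(wire, client_seen),
            "unanswered_pings": unanswered_server_pings(wire)}

if __name__ == "__main__":
    for name, lines in report().items():
        print(name, *lines, sep="\n  ")
```

Run it against the two logs from a real session: the "undelivered" list is what the queue ate, and a non-empty "unanswered_pings" list matches the missing PONGs the PING/PONG rules showed.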