From: Victor J. <vi...@nk...> - 2004-08-08 09:05:14

On Sunday 08 August 2004 10:15, Markus Koetter wrote:
> hi snorters
>
> i can reproduce this bug, so i think it should be mentioned
> setup is
>
> debian unstable,
> 2.4.20-gentoo-r5
> iptables v1.2.11
> snort_inline 2.13b
>
> snort is compiled from src and uses mysql as db backend
>
> i removed all other rulesets from snort_inline.conf and the only one
> running in local.rules is
>
>   alert tcp $HOME_NET any -> $EXTERNAL_NET any \
>   (\
>       msg: "irc tagged session ";\
>       content: "NICK"; \
>       nocase;\
>       pcre:"/^NICK\.*/i";\
>       classtype: bad-unknown ;\
>       # resp:rst_snd;\
>       sid:1000011;\
>       tag: session, 12, seconds;\
>       rev:4;\
>   )
>
> the database plugin has wrong information about tagged packets, but
> that's not the real problem here
>
> as one can imagine reading the rule, it is meant to tag irc traffic
>
>   iptables -A OUTPUT -p tcp --dport 6667 -j QUEUE
>   iptables -A INPUT -p tcp --sport 6667 -j QUEUE
>
> these rules do the work
>
> now we go to some ircnet and wait
> we use the box running snort_inline to connect using irssi or some
> other chat client
>
> we can spend some time checking if tagging the first 12 seconds
> worked, and it worked; as mentioned before the database plugin does
> not set the right SID and msg, but it logs the packet
>
> after ~20 min irssi is unable to send to the irc server, and the irc
> server is unable to send to me
> irssi's lagmeter powers up and after 300 seconds it will reconnect
> because it guesses the server has a pingtimeout
> snort_inline's console shows that the ircnet sent us that we had the
> pingtimeout
>
> if irssi's lagmeter is around 200 seconds, we can try a
>   iptables -F
> to flush the QUEUE
> and we won't get disconnected
>
> please try this on your own box, it works with me
>
> here i went to some large channel in quakenet to get a constant (spam)
> msg stream
> i started ethereal on some other box in my hubbed network and waited
> for my pingtimeout
>
> -> marks stuff the snort_inline host sends
> <- marks stuff the snort_inline host receives
>
>   -> PING online1.no.quakenet.org
>   <- :online1.no.quakenet.org PONG online1.no.quakenet.org :online1.no.quakenet.org
>   -> PING :online1.no.quakenet.org
>   ...
>   ...
>   -> ERROR :Closing Link: privmsg by online1.no.quakenet.org (Ping timeout)
>
> as one can see he _got_ the packet
> but snort_inline lost it somewhere
>
> now i will try this
>
>   alert tcp $HOME_NET any -> $EXTERNAL_NET any \
>   (\
>       msg: "irc tagged session ";\
>       content: "NICK"; \
>       nocase;\
>       pcre:"/^NICK\.*/i";\
>       classtype: bad-unknown ;\
>       # resp:rst_snd;\
>       sid:1000011;\
>       tag: session, 12, seconds;\
>       rev:4;\
>   )
>
>   alert tcp $HOME_NET any -> $EXTERNAL_NET any \
>   (\
>       msg: "irc PING";\
>       content: "PING"; \
>       nocase;\
>       classtype: bad-unknown ;\
>       # resp:rst_snd;\
>       sid:1000012;\
>       tag: session, 12, seconds;\
>       rev:1;\
>   )
>
>   alert tcp $HOME_NET any -> $EXTERNAL_NET any \
>   (\
>       msg: "irc PONG";\
>       content: "PONG"; \
>       nocase;\
>       classtype: bad-unknown ;\
>       sid:1000013;\
>       rev:1;\
>   )
>
>   iptables -A OUTPUT -p tcp --dport 6667 -j QUEUE
>   iptables -A INPUT -p tcp --sport 6667 -j QUEUE
>
> i know the 2 new rules are not that exact, but it will fit here
>
> i go to #musik in quakenet and
> #findscrim in gamesurge
>
> #musik is quite idle this time,
> #findscrim is some shiny color spam, i never understood what this
> channel is used for, but it works for this case, it has instant
> traffic
>
> quakenet #musik performs this way
>
> this is what ethereal gets
> the gline is a shiny mark i guess
> ....
>
>   -> PING port80c.se.quakenet.org
>   <- :port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org
>   <- :Carny_Mailbox!~geh...@pD... JOIN :#musik
>   <- :[Che]!~Ch...@DM... JOIN :#musik
>   <- :freddy`!fr...@su... QUIT :G-lined
>   <- :RM`Aussie!Au...@Ma... PRIVMSG #musik :.ACTION is back after 1d10h54m: auto-away after 120m idle.
>
>   -> PING port80c.se.quakenet.org
>   <- :port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org
>   <- :NDA|aKi`off!tropi@212.12.122.11 NICK :NDA|aKi
>   <- PING :port80c.se.quakenet.org
>   <- :NoFVHar!~xpapr@81.215.5.120 JOIN :#musik
>   <- :NoFVHar!~xpapr@81.215.5.120 QUIT :Signed off
>   <- ERROR :Closing Link: privmsg by port80c.se.quakenet.org (Ping timeout)
>
> the irssi client on the snort_inline box gets this
> ....
>
>   09:34 -!- freddy` [fr...@su...] has quit [G-lined]
>   09:35 * RM`Aussie is back after 1d10h54m: auto-away after 120m idle
>   *** reconnect due to 300 sec server timeout
>
> as one can see the irssi client lacks the JOIN and QUIT,
> so the irssi app never got these lines, even though ethereal showed us
> they were on the line
>
> gamesurge with #findscrim as spamchannel did not suffer any
> disconnect, don't ask me why
>
> and try
>   iptables -F
> if your irssi lagmeter is growing
> irssi will get the "missing lines" and lag will go away
>
> the new PING PONG rules show that snort_inline got the PINGs we sent
> and the PINGs the server sent, but it does not show any PONG
> before we get disconnected ...
>
>
> Nathaniel Haggard wrote "drop rules"
> he described the same problem
>
>
>
> i guess there are 2 possibilities,
> - ip_queue bug
> - snort_inline bug

I'm not sure this is the problem, but try to increase the stream4 timeout
in snort_inline.conf. It defaults to 30 seconds, which caused my
msn-connections to fail. This is a known problem in snort_inline and we
(William Metcalf and myself) are preparing a patch to fix this...

In the meantime try to set the timeout for Stream4 to a few minutes...

Hope this helps,

Regards,
Victor

> the funny thing is if i flush the iptables, the application gets the data
> so this seems a snort_inline problem
>
> Markus
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
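Added example, not code from the thread, from Markus, or from snort_inline itself: a toy Python model of the
inactivity-timeout behaviour Victor suspects. It replays a constructed IRC timeline (timestamps invented,
hostnames borrowed from the quoted capture) through a session tracker that forwards a packet only while its
connection's idle timer has not expired, and compares the 30-second default Victor quotes with the "few
minutes" he suggests. The drop-on-expiry behaviour is the model's assumption about what an inline sensor
does with a packet that belongs to no tracked session, not a verified description of stream4; TCP
retransmissions are also ignored. The practical check it gives you is the last function: the stream timeout
must exceed the longest quiet interval the protocol legitimately produces, which for IRC is the ping interval.

```python
"""Toy inline session tracker with an idle timeout, replayed over a
constructed IRC session.  Illustration only; not snort_inline code."""
import re
from dataclasses import dataclass

# Model assumption (not checked against the snort_inline source): a session
# is opened by the SYN, every packet refreshes its idle timer, and a packet
# arriving after the timer expired belongs to no tracked session and is
# dropped instead of being forwarded to the application.
DEFAULT_TIMEOUT = 30      # stream4 default quoted in the thread, in seconds
SUGGESTED_TIMEOUT = 300   # "a few minutes", as suggested in the reply

# IRC line: optional ":prefix " then a command word or a three-digit numeric.
IRC_CMD = re.compile(r"^(?::\S+ )?([A-Za-z]+|\d{3})")


def irc_command(payload):
    """Return the IRC command of a line (e.g. 'PING', 'PONG', '001')."""
    m = IRC_CMD.match(payload)
    return m.group(1).upper() if m else None


@dataclass
class Packet:
    t: float          # seconds since connection start (constructed)
    direction: str    # "->" host sends, "<-" host receives (thread notation)
    payload: str      # "" marks the bare SYN


# Constructed timeline loosely modelled on the quoted capture; the ~80 s
# quiet spell between the JOIN echo and the next PING is the point of it.
TIMELINE = [
    Packet(0.0, "->", ""),                                    # SYN
    Packet(0.2, "->", "NICK privmsg"),
    Packet(0.4, "->", "USER privmsg 0 * :privmsg"),
    Packet(0.9, "<-", ":online1.no.quakenet.org 001 privmsg :Welcome"),
    Packet(1.0, "->", "JOIN #musik"),
    Packet(1.3, "<-", ":privmsg!~u@host JOIN :#musik"),
    Packet(81.0, "->", "PING online1.no.quakenet.org"),
    Packet(81.2, "<-", ":online1.no.quakenet.org PONG online1.no.quakenet.org "
                       ":online1.no.quakenet.org"),
    Packet(130.0, "<-", ":freddy`!fr@su QUIT :G-lined"),
    Packet(200.0, "<-", "PING :online1.no.quakenet.org"),
    Packet(200.1, "->", "PONG :online1.no.quakenet.org"),
]


def replay(timeline, timeout):
    """Run the timeline through the tracker; return (forwarded, dropped)."""
    forwarded, dropped = [], []
    last_seen = None                     # None: no session tracked
    for pkt in timeline:
        if pkt.payload == "":            # SYN opens (or reopens) the session
            last_seen = pkt.t
            forwarded.append(pkt)
        elif last_seen is not None and pkt.t - last_seen <= timeout:
            last_seen = pkt.t            # in-session packet refreshes timer
            forwarded.append(pkt)
        else:
            dropped.append(pkt)          # session expired: nothing to match
    return forwarded, dropped


def dropped_commands(timeline, timeout):
    """IRC commands the application would never see under this timeout."""
    return [irc_command(p.payload) for p in replay(timeline, timeout)[1]]


def largest_gap(timeline):
    """Longest quiet interval in the timeline, in seconds."""
    ts = [p.t for p in timeline]
    return max(b - a for a, b in zip(ts, ts[1:]))


def timeout_is_safe(timeline, timeout):
    """The check to apply: idle timeout must exceed the protocol's quiet spells."""
    return largest_gap(timeline) < timeout


if __name__ == "__main__":
    for timeout in (DEFAULT_TIMEOUT, SUGGESTED_TIMEOUT):
        fwd, drp = replay(TIMELINE, timeout)
        print(f"timeout={timeout:3d}s forwarded={len(fwd):2d} dropped={len(drp):2d}"
              f" lost={dropped_commands(TIMELINE, timeout)}")
    print(f"largest quiet interval: {largest_gap(TIMELINE):.1f}s")
```

With the 30-second setting the first PING after the quiet spell already falls outside any tracked session,
and because nothing after that can re-open the session, every later line, including both PONGs, is lost;
that matches the symptom of irssi's lag meter climbing until its own 300-second reconnect. With the timeout
raised above the longest idle interval the whole session is forwarded.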