From: Stefan S. <Ste...@fe...> - 2005-03-04 11:33:30
Hello list,

I use the latest version of the Astaro Firewall. It integrates snort_inline version 2.1.1 (Build 24). There are three NICs: internal, external and DMZ. In addition there are 15 virtual NICs on the external NIC.

My problem is not trivial. Look here. At present the current Astaro_IDS version has problems really dropping packets, or rule violations are not recognized. Look here: the following are two examples from yesterday.

First example: Although the rule "WEB-IIS ISAPI .ida attempt" is active (drop) and was dropped according to the log file, an additional Snort sensor in the DMZ sees the same rule violation.

Second example: Although the "WEB-IIS cmd.exe access" rule is active (drop), this rule violation was not recognized by the IDS; however, the Snort sensor in the DMZ saw this rule violation. I have observed this several times already.

In addition, the ASL IDS log file:

2005:03:03-00:14:55 (none) snort[15134]: [1:485:0] A ICMP Destination Unreachable Communication Administratively Prohibited [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO001} 213.200.76.38 -> 217.6.34.2
2005:03:03-07:48:42 (none) snort[15134]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER <(null)> {PROTO006} 192.168.100.18:45248 -> 207.188.24.150:80
2005:03:03-07:48:43 (none) snort[15134]: [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) <(null)> {PROTO006} 192.168.100.18:45248 -> 207.188.24.150:80
2005:03:03-07:50:31 (none) snort[15134]: [1:2925:0] A INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO006} 212.172.60.154:80 -> 192.168.100.18:45276
2005:03:03-07:50:42 (none) snort[15134]: [1:2925:0] A INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO006} 193.45.14.169:80 -> 192.168.100.18:45253
2005:03:03-07:55:59 (none) snort[15134]: [1:1243:0] D WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]: <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:55:59 (none) snort[15134]: [119:3:1] (http_inspect) U ENCODING <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:55:59 (none) snort[15134]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:56:02 (none) snort[15134]: [119:3:1] (http_inspect) U ENCODING <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:56:02 (none) snort[15134]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:56:03 (none) snort[15134]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:56:03 (none) snort[15134]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-08:02:58 (none) snort[15134]: [1:2925:0] A INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO006} 217.110.202.150:80 -> 192.168.100.18:45919
2005:03:03-08:03:09 (none) snort[15134]: [1:2925:0] A INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO006} 217.110.202.134:80 -> 192.168.100.18:46021
2005:03:03-08:04:30 (none) snort[15134]: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING <(null)> {PROTO006} 192.168.100.18:46124 -> 63.240.28.62:80
2005:03:03-08:05:42 (none) snort[15134]: [119:3:1] (http_inspect) U ENCODING <(null)> {PROTO006} 192.168.100.18:46168 -> 63.240.28.58:80

This is what the Snort sensor in the DMZ sees:

#112-(4-71453)[snort] (http_inspect) NON-RFC DEFINED CHAR 2005-03-03 07:55:39 221.7.71.222:3119 192.168.100.25:80 TCP
#113-(4-71452)[snort] WEB-IIS cmd.exe access 2005-03-03 07:55:39 221.7.71.222:3119 192.168.100.25:80 TCP
#114-(4-71451)[snort] (http_inspect) NON-RFC HTTP DELIMITER 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP
#115-(4-71450)[cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida access 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP
#116-(4-71449)[cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida attempt 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP

Does someone have an idea? More information in the thread at Astaro.org:
http://www.astaro.org/showflat.php?Cat=&Number=56112&page=0&view=collapsed&sb=5&o=&fpart=1#56112

Thanks for any assistance,
Stefan
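The post's two symptoms, an alert the inline sensor logged as dropped (D) that the DMZ sensor nevertheless saw, and an alert the DMZ sensor saw that the inline sensor never logged, can be checked mechanically by correlating the two logs. The following is an added example, not code from the post or from Astaro/snort_inline; it assumes the two log layouts exactly as quoted above (ASL syslog lines and the ACID-style DMZ export), and the function names are the example's own. The sample lines are constructed from the shapes in the post; note the two hosts' clocks differ by about 20 seconds in the quoted logs, which is why a skew tolerance is needed.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines that follow the shape of the two logs quoted in the post.
ASL_LOG = """\
2005:03:03-07:55:59 (none) snort[15134]: [1:1243:0] D WEB-IIS ISAPI .ida attempt [Classification: Web Application Attack] [Priority: 1]: <(null)> {PROTO006} 221.7.71.222:3119 -> 192.168.100.25:80
2005:03:03-07:50:31 (none) snort[15134]: [1:2925:0] A INFO web bug 0x0 gif attempt [Classification: Misc activity] [Priority: 3]: <(null)> {PROTO006} 212.172.60.154:80 -> 192.168.100.18:45276
"""
DMZ_LOG = """\
#116-(4-71449)[cve][icat][bugtraq][arachNIDS][snort] WEB-IIS ISAPI .ida attempt 2005-03-03 07:55:38 221.7.71.222:3119 192.168.100.25:80 TCP
#113-(4-71452)[snort] WEB-IIS cmd.exe access 2005-03-03 07:55:39 221.7.71.222:3119 192.168.100.25:80 TCP
"""
# ASL line: timestamp ... [gid:sid:rev] <A|D> <msg> [Classification: ...] ... {PROTOnnn} src -> dst
# Preprocessor alerts ([119:x:y] http_inspect) carry no A/D letter and are deliberately skipped.
ASL_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) .*?\[\d+:\d+:\d+\] (?P<action>[AD]) "
    r"(?P<msg>.+?) \[Classification:.*?\{PROTO\d+\} (?P<src>\S+) -> (?P<dst>\S+)$")
# DMZ sensor line (ACID-style export): #id-(sensor-cid)[refs...] <msg> <date> <time> src dst proto
DMZ_RE = re.compile(
    r"^#\d+-\(\d+-\d+\)(?:\[[^\]]*\])+ (?P<msg>.+?) "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<dst>\S+) \w+$")

def parse_asl(text):
    """Yield (timestamp, action, msg, src, dst) for every rule alert in the ASL log."""
    for m in filter(None, map(ASL_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y:%m:%d-%H:%M:%S")
        yield ts, m["action"], m["msg"], m["src"], m["dst"]

def parse_dmz(text):
    """Yield (timestamp, msg, src, dst) for every alert in the DMZ sensor export."""
    for m in filter(None, map(DMZ_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["msg"], m["src"], m["dst"]

def _near(a, b, skew):
    # Same signature, same flow, timestamps within the allowed clock skew.
    return a[1:] == b[1:] and abs(a[0] - b[0]) <= skew

def leaked_drops(asl_text, dmz_text, skew_seconds=60):
    """Inline 'D' alerts whose flow the DMZ sensor still saw: the drop did not take effect."""
    skew = timedelta(seconds=skew_seconds)
    dmz = list(parse_dmz(dmz_text))
    return [(msg, src, dst) for ts, act, msg, src, dst in parse_asl(asl_text)
            if act == "D" and any(_near((ts, msg, src, dst), d, skew) for d in dmz)]

def missed_by_inline(asl_text, dmz_text, skew_seconds=60):
    """DMZ alerts with no matching inline alert at all: the inline IDS never recognised them."""
    skew = timedelta(seconds=skew_seconds)
    asl = [(ts, msg, src, dst) for ts, _, msg, src, dst in parse_asl(asl_text)]
    return [(msg, src, dst) for ts, msg, src, dst in parse_dmz(dmz_text)
            if not any(_near((ts, msg, src, dst), a, skew) for a in asl)]
```

Run against the full logs, the first list reproduces the post's first example and the second list its cmd.exe example; any hit in the first list means a drop verdict that packets survived, which is the condition to investigate on the inline sensor.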