From: Markus K. <mko...@gm...> - 2004-08-08 08:15:48
hi snorters

i can reproduce this bug, so i think it should be mentioned
setup is

debian unstable,
2.4.20-gentoo-r5
iptables v1.2.11
snort_inline 2.13b

snort is compiled from src and uses mysql as db backend

i removed all other rulesets from snort_inline.conf and the only one
running in local.rules is

alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(\
msg: "irc tagged session ";\
content: "NICK"; \
nocase;\
pcre:"/^NICK\.*/i";\
classtype: bad-unknown ;\
# resp:rst_snd;\
sid:1000011;\
tag: session, 12, seconds;\
rev:4;\
)

the database plugin has wrong information about tagged packets, but
that's not the real problem here

as one can imagine reading the rule, it is meant to tag irc traffic

iptables -A OUTPUT -p tcp --dport 6667 -j QUEUE
iptables -A INPUT -p tcp --sport 6667 -j QUEUE

these rules do the work

now we go to some ircnet and wait
we use the box running snort_inline to connect using irssi or some
other chat client

we can spend some time checking if tagging the first 12 seconds
worked, and it worked; as mentioned before the database plugin does
not set the right SID and msg, but it logs the packet

after ~20 min irssi is unable to send to the irc server, and the irc
server is unable to send to me
irssi's lagmeter powers up and after 300 seconds it will reconnect
because it guesses the server has a ping timeout
snort_inline's console shows that the ircnet sent us that we had the
ping timeout

if irssi's lagmeter is around 200 seconds, we can try a
iptables -F
to flush the QUEUE
and we won't get disconnected

please try this on your own box, it works for me

here i went to some large channel in quakenet to get a constant (spam)
msg stream
i started ethereal on some other box in my hubbed network and waited
for my ping timeout

-> marks stuff the snort_inline host sends
<- marks stuff the snort_inline host receives

-> PING online1.no.quakenet.org
<- :online1.no.quakenet.org PONG online1.no.quakenet.org :online1.no.quakenet.org
-> PING :online1.no.quakenet.org
...
...
-> ERROR :Closing Link: privmsg by online1.no.quakenet.org (Ping timeout)

as one can see he _got_ the packet
but snort_inline lost it somewhere

now i will try this

alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(\
msg: "irc tagged session ";\
content: "NICK"; \
nocase;\
pcre:"/^NICK\.*/i";\
classtype: bad-unknown ;\
# resp:rst_snd;\
sid:1000011;\
tag: session, 12, seconds;\
rev:4;\
)

alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(\
msg: "irc PING";\
content: "PING"; \
nocase;\
classtype: bad-unknown ;\
# resp:rst_snd;\
sid:1000012;\
tag: session, 12, seconds;\
rev:1;\
)

alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(\
msg: "irc PONG";\
content: "PONG"; \
nocase;\
classtype: bad-unknown ;\
sid:1000013;\
rev:1;\
)

iptables -A OUTPUT -p tcp --dport 6667 -j QUEUE
iptables -A INPUT -p tcp --sport 6667 -j QUEUE

i know the 2 new rules are not that exact, but it will fit here

i go to #musik in quakenet and
#findscrim in gamesurge

#musik is quite idle this time,
#findscrim is some shiny color spam, i never understood what this
channel is used for, but it works for this case, he has instant
traffic

quakenet #musik performs this way

this is what ethereal gets
the gline is a shiny mark i guess
....

-> PING port80c.se.quakenet.org
<- :port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org
<- :Carny_Mailbox!~geh...@pD... JOIN :#musik
<- :[Che]!~Ch...@DM... JOIN :#musik
<- :freddy`!fr...@su... QUIT :G-lined
<- :RM`Aussie!Au...@Ma... PRIVMSG #musik :.ACTION is back after 1d10h54m: auto-away after 120m idle.
-> PING port80c.se.quakenet.org
<- :port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org
<- :NDA|aKi`off!tropi@212.12.122.11 NICK :NDA|aKi
<- PING :port80c.se.quakenet.org
<- :NoFVHar!~xpapr@81.215.5.120 JOIN :#musik
<- :NoFVHar!~xpapr@81.215.5.120 QUIT :Signed off
<- ERROR :Closing Link: privmsg by port80c.se.quakenet.org (Ping timeout)

the irssi client on the snort_inline box gets this
....

09:34 -!- freddy` [fr...@su...] has quit [G-lined]
09:35 * RM`Aussie is back after 1d10h54m: auto-away after 120m idle
*** reconnect due to 300 sec server timeout

as one can see the irssi client lacks the JOIN and QUIT,
so the irssi app never got these lines, even though ethereal showed us they were
on the line

gamesurge with #findscrim as spamchannel did not suffer any
disconnect, don't ask me why

and try
iptables -F
if your irssi lagmeter is growing up
irssi will get the "missing lines" and lag will go away

the new PING PONG rules show that snort_inline got the PINGs we sent
and the PINGs the server sent, but it does not show up any PONG
before we get disconnected ...

Nathaniel Haggard wrote "drop rules"
he described the same problem

i guess there are 2 possibilities,
- ip_queue bug
- snort_inline bug

the funny thing is if i flush the iptables, the application gets the data
so this seems a snort_inline problem

Markus
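The comparison Markus does by hand above (ethereal on the hub versus what irssi actually received, plus which PINGs ever got a PONG) as a small script. This is an added example, not code from the thread; the capture lines are constructed to mirror the thread's second capture, and the hostmask and host names in them are placeholders.

```python
# Added example (not from the thread): compare what a sniffer on the hub saw
# on the wire with what the IRC client behind snort_inline received, and flag
# PINGs that never got a PONG. Data is constructed to mirror the thread's
# capture; "->" = snort_inline host sends, "<-" = snort_inline host receives.

# Constructed wire capture from ethereal on a separate box outside snort_inline.
WIRE = [
    "-> PING port80c.se.quakenet.org",
    "<- :port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org",
    "<- :freddy`!fr@host.example QUIT :G-lined",
    "<- :Carny!~geh@host.example JOIN :#musik",
    "<- PING :port80c.se.quakenet.org",
    "<- :NoFVHar!~x@host.example JOIN :#musik",
    "<- ERROR :Closing Link: privmsg by port80c.se.quakenet.org (Ping timeout)",
]
# Constructed: raw server lines the irssi client on the snort_inline box got.
CLIENT_RECEIVED = [
    ":port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org",
    ":freddy`!fr@host.example QUIT :G-lined",
]

def parse(line):
    """Split an IRC line into (prefix, COMMAND, params); prefix '' if absent."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    cmd, _, params = line.partition(" ")
    return prefix, cmd.upper(), params

def dropped_inbound(wire, received):
    """Server lines on the wire the application never saw: anything listed
    here was lost between the hub and the client, i.e. inside the inline box."""
    seen = set(received)
    return [ln[3:] for ln in wire if ln.startswith("<- ") and ln[3:] not in seen]

def unanswered_pings(wire, ping_dir):
    """PINGs sent in ping_dir ('->' or '<-') with no PONG in the other direction.
    An unanswered server PING ('<-') is what produces the server's ping timeout."""
    pong_dir = "<-" if ping_dir == "->" else "->"
    pending = []
    for ln in wire:
        direction, payload = ln[:2], ln[3:]
        _, cmd, params = parse(payload)
        if direction == ping_dir and cmd == "PING":
            pending.append(params.lstrip(":"))
        elif direction == pong_dir and cmd == "PONG":
            token = params.split(":")[-1].strip()
            if token in pending:
                pending.remove(token)
    return pending
```

Running `dropped_inbound(WIRE, CLIENT_RECEIVED)` on the constructed data lists the two JOINs, the server PING and the ERROR as lost inside the inline box, and `unanswered_pings(WIRE, "<-")` shows the server PING that never got a PONG.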
From: Victor J. <vi...@nk...> - 2004-08-08 09:05:14
On Sunday 08 August 2004 10:15, Markus Koetter wrote:
> hi snorters
>
> i can reproduce this bug, so i think it should be mentioned
> setup is
>
> debian unstable,
> 2.4.20-gentoo-r5
> iptables v1.2.11
> snort_inline 2.13b
>
> snort is compiled from src and uses mysql as db backend
>
> i removed all other rulesets from snort_inline.conf and the only one
> running in local.rules is
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any \
> (\
> msg: "irc tagged session ";\
> content: "NICK"; \
> nocase;\
> pcre:"/^NICK\.*/i";\
> classtype: bad-unknown ;\
> # resp:rst_snd;\
> sid:1000011;\
> tag: session, 12, seconds;\
> rev:4;\
> )
>
> the database plugin has wrong information about tagged packets, but
> that's not the real problem here
>
> as one can imagine reading the rule, it is meant to tag irc traffic
>
> iptables -A OUTPUT -p tcp --dport 6667 -j QUEUE
> iptables -A INPUT -p tcp --sport 6667 -j QUEUE
>
> these rules do the work
>
> now we go to some ircnet and wait
> we use the box running snort_inline to connect using irssi or some
> other chat client
>
> we can spend some time checking if tagging the first 12 seconds
> worked, and it worked; as mentioned before the database plugin does
> not set the right SID and msg, but it logs the packet
>
> after ~20 min irssi is unable to send to the irc server, and the irc
> server is unable to send to me
> irssi's lagmeter powers up and after 300 seconds it will reconnect
> because it guesses the server has a ping timeout
> snort_inline's console shows that the ircnet sent us that we had the
> ping timeout
>
> if irssi's lagmeter is around 200 seconds, we can try a
> iptables -F
> to flush the QUEUE
> and we won't get disconnected
>
> please try this on your own box, it works for me
>
> here i went to some large channel in quakenet to get a constant (spam)
> msg stream
> i started ethereal on some other box in my hubbed network and waited
> for my ping timeout
>
> -> marks stuff the snort_inline host sends
> <- marks stuff the snort_inline host receives
>
> -> PING online1.no.quakenet.org
> <- :online1.no.quakenet.org PONG online1.no.quakenet.org :online1.no.quakenet.org
> -> PING :online1.no.quakenet.org
> ...
> ...
> -> ERROR :Closing Link: privmsg by online1.no.quakenet.org (Ping timeout)
>
> as one can see he _got_ the packet
> but snort_inline lost it somewhere
>
> now i will try this
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any \
> (\
> msg: "irc tagged session ";\
> content: "NICK"; \
> nocase;\
> pcre:"/^NICK\.*/i";\
> classtype: bad-unknown ;\
> # resp:rst_snd;\
> sid:1000011;\
> tag: session, 12, seconds;\
> rev:4;\
> )
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any \
> (\
> msg: "irc PING";\
> content: "PING"; \
> nocase;\
> classtype: bad-unknown ;\
> # resp:rst_snd;\
> sid:1000012;\
> tag: session, 12, seconds;\
> rev:1;\
> )
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any \
> (\
> msg: "irc PONG";\
> content: "PONG"; \
> nocase;\
> classtype: bad-unknown ;\
> sid:1000013;\
> rev:1;\
> )
>
> iptables -A OUTPUT -p tcp --dport 6667 -j QUEUE
> iptables -A INPUT -p tcp --sport 6667 -j QUEUE
>
> i know the 2 new rules are not that exact, but it will fit here
>
> i go to #musik in quakenet and
> #findscrim in gamesurge
>
> #musik is quite idle this time,
> #findscrim is some shiny color spam, i never understood what this
> channel is used for, but it works for this case, he has instant
> traffic
>
> quakenet #musik performs this way
>
> this is what ethereal gets
> the gline is a shiny mark i guess
> ....
>
> -> PING port80c.se.quakenet.org
> <- :port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org
> <- :Carny_Mailbox!~geh...@pD... JOIN :#musik
> <- :[Che]!~Ch...@DM... JOIN :#musik
> <- :freddy`!fr...@su... QUIT :G-lined
> <- :RM`Aussie!Au...@Ma... PRIVMSG #musik :.ACTION is back after 1d10h54m: auto-away after 120m idle.
> -> PING port80c.se.quakenet.org
> <- :port80c.se.quakenet.org PONG port80c.se.quakenet.org :port80c.se.quakenet.org
> <- :NDA|aKi`off!tropi@212.12.122.11 NICK :NDA|aKi
> <- PING :port80c.se.quakenet.org
> <- :NoFVHar!~xpapr@81.215.5.120 JOIN :#musik
> <- :NoFVHar!~xpapr@81.215.5.120 QUIT :Signed off
> <- ERROR :Closing Link: privmsg by port80c.se.quakenet.org (Ping timeout)
>
> the irssi client on the snort_inline box gets this
> ....
>
> 09:34 -!- freddy` [fr...@su...] has quit [G-lined]
> 09:35 * RM`Aussie is back after 1d10h54m: auto-away after 120m idle
> *** reconnect due to 300 sec server timeout
>
> as one can see the irssi client lacks the JOIN and QUIT,
> so the irssi app never got these lines, even though ethereal showed us they were
> on the line
>
> gamesurge with #findscrim as spamchannel did not suffer any
> disconnect, don't ask me why
>
> and try
> iptables -F
> if your irssi lagmeter is growing up
> irssi will get the "missing lines" and lag will go away
>
> the new PING PONG rules show that snort_inline got the PINGs we sent
> and the PINGs the server sent, but it does not show up any PONG
> before we get disconnected ...
>
> Nathaniel Haggard wrote "drop rules"
> he described the same problem
>
> i guess there are 2 possibilities,
> - ip_queue bug
> - snort_inline bug

I'm not sure this is the problem, but try to increase the stream4 timeout
in snort_inline.conf. It defaults to 30 seconds, which caused my
msn-connections to fail. This is a known problem in snort_inline and we
(William Metcalf and myself) are preparing a patch to fix this...
In the meantime try to set the timeout for Stream4 to a few minutes...

Hope this helps,

Regards,
Victor

> the funny thing is if i flush the iptables, the application gets the data
> so this seems a snort_inline problem
>
> Markus
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
From: Victor J. <vi...@nk...> - 2004-08-09 14:21:37
On Monday 09 August 2004 16:12, you wrote:
> increasing the timeout "fixed" it

Good! I will ask William when we will release the patch!

Regards,
Victor

> i will try the patch this evening when it's not that warm in my room
>
> thx
> Markus