List: snort-users
Subject: Re: [Snort-users] {Disarmed} Blocking HTTP traffic
From: Yehor Velykozhon via Snort-users <snort-users () lists ! snort ! org>
Date: 2021-07-30 14:19:12
Message-ID: A9C0BAD3-D885-4300-8B09-A6C4902C0452 () softserveinc ! com
Hello, Alessandro Pisani!
Looks like you have a similar problem; try to check it:
https://github.com/snort3/snort3/issues/193
Thanks, Yehor
From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Alessandro Pisani via Snort-users <snort-users@lists.snort.org>
Reply to: Alessandro Pisani <alessandropisani19@gmail.com>
Date: Thursday, 29 July 2021 at 23:53
To: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: {Disarmed} [Snort-users] Blocking HTTP traffic
Hi everybody,
I hope this email finds you well.
I am experimenting with Snort++ and I have trouble using the React mode with the AFPACKET DAQ module. I have been able to reject TCP traffic using the reject action, but I am not able to block HTTP traffic in any way, neither with reject nor by displaying an HTML page with react.
Attached you can find my configuration file. The command I run from command line is:
snort -c snort.lua -i eth0:lo -Q -A "alert_fast" --daq afpacket -k none -s 65535
I am running snort using the Dockerfile for Snort3_extra and I am root. What happens is that when I try to do, for example:
curl http://www.example.com
I would expect Snort3 to display my block.html page as a result, but I receive the HTTP response instead. The rules are loaded correctly and the traffic is alerted correctly:
--------------------------------------------------
rule counts
total rules loaded: 1
text rules: 1
option chains: 1
chain headers: 1
--------------------------------------------------
ips policies rule stats
id loaded shared enabled file
0 1 0 1 snort.lua
--------------------------------------------------
service rule counts to-srv to-cli
http: 1 1
http2: 1 1
total: 2 2
--------------------------------------------------
afpacket DAQ configured to inline.
Commencing packet processing
++ [0] eth0:lo
07/28-09:57:42.639994 [drop] [**] [1:2:0] "hostile connection" [**] [Priority: 0] {TCP} 172.17.0.3:52772 -> 93.184.216.34:80
Thank you for any help you can provide me!
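As an added illustration (not the snort.lua attached to the post above): a minimal Snort 3 configuration for the inline afpacket setup described, with each rule scoped to the client's request via flow:to_server so that reject or react acts on the request packet rather than after the server's reply is already on the wire. The module names and the reject/react option names are assumptions taken from the Snort 3 manual, the rule text is constructed here, and block.html is assumed to sit next to the config.

```lua
-- Added example, not the poster's attached snort.lua.
-- Assumed: Snort 3 module names as documented in the Snort 3 manual,
-- and a block.html file next to this configuration.

-- TCP reassembly and HTTP inspection, so the "http" service rule counts
-- shown in the startup output above apply to this traffic.
stream = { }
stream_tcp = { }
http_inspect = { }

-- reject: reset the TCP session towards both endpoints when a reject rule fires.
-- (option name 'reset' is an assumption from the manual)
reject = { reset = 'both' }

-- react: page sent to the client in place of the server's response.
-- (option name 'page' is an assumption from the manual)
react = { page = 'block.html' }

ips =
{
    -- -Q on the command line also selects inline; setting it here is explicit.
    mode = 'inline',

    rules = [[
        # Constructed rule: match the client's request, not the server's reply.
        # With flow:to_server the action is taken on the request, before the
        # real HTTP response has been returned, which is what react needs to
        # substitute block.html for that response.
        react http any any -> any any (
            msg:"react www.example.com";
            flow:to_server,established;
            http_header: field host; content:"www.example.com";
            sid:1000001; rev:1;
        )

        # Same request-side scoping for a plain TCP reset.
        reject tcp any any -> any 80 (
            msg:"hostile connection";
            flow:to_server,established;
            sid:2; rev:1;
        )
    ]]
}
```

Run it with the command line from the post; if the alert_fast line still shows the rule matching but the curl output is the origin server's page, the check worth making next is whether the rule fired on the to-srv or the to-cli side of the flow.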