Metaflows cutting certain traffic

Jaime Nebrera

Feb 13, 2012, 6:32:28 AM
to meta...@googlegroups.com
  Hi all,

  We have noticed a weird behaviour when we use metaflows.

  When using metaflows as an IPS and enabling the SSL or SSH preprocessor, the system cuts all encrypted traffic instead of letting it go through after a certain amount of traffic.

  Actually, the problem is more or less like this (verified with the SSH & SSL preprocessors):

  * The problem appears and is confirmed with the SSH and SSL preprocessors. After further analysis, I believe it could also happen with other preprocessors that establish that a flow doesn't need further analysis (but not an accept nor a drop)

  * Either way, in both cases we have disabled all rules, including preprocessor rules, to discard "noise" from other stuff.

  * With the SSH preprocessor, we are allowed to establish how many bytes are to be analyzed before forgetting about the flow. In our testing, the bigger we make this buffer, the longer it allows you to work with ssh, but after that limit is reached, the session is cut without further notice

  * The same happens with the SSL preprocessor. As you know, this preprocessor verifies that the initial certificate negotiation is valid, but after that it just forgets about it, as snort is unable to decipher the traffic. Well, if we try to connect to any SSL-enabled site such as gmail, the session never goes through

  * In both cases, if we disable the preprocessors the traffic goes on

  * I believe the problem would arise too with other preprocessors such as HTTP, when you for example establish a limit of 300Kb in any direction. I guess long download sessions will be cut instead of "forgotten" (we have not tested this and are unable to do it right now)

  Further information:

Linux 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux (CentOS 6.2 64 bits)
snort-2.9.2.1
daq-0.5    (metaflow)
pfring       (metaflow)

  The command we use to start snort:

snort --pid-path /var/run --create-pidfile -i eth2:eth3 -c /opt/rb/etc/snort/snort.conf -l /var/log/snort/bpbr0/instance-1 --daq-dir /opt/rb/lib/daq/ --daq pfring --daq-mode inline -Q --daq-var clusterid=10

  Any idea?

  Kind regards
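For readers who want to see which configuration knobs the post is talking about: in Snort 2.9.x the SSH preprocessor's "bytes to analyze before forgetting the flow" corresponds to the max_client_bytes and max_encrypted_packets options, and the SSL preprocessor's "forget about it after the handshake" behaviour is the noinspect_encrypted option. The fragment below is an added snort.conf example, not the poster's configuration and not the metaflows or Snort project's shipped file; the port list is abbreviated and the numeric values are the stock 2.9.x defaults as remembered here, so treat them as assumptions rather than what the poster ran.

```conf
# Added example snort.conf fragment (assumed values, not the poster's config).

# SSH preprocessor. max_encrypted_packets is the number of encrypted packets
# Snort inspects before it stops tracking the session; max_client_bytes is the
# unanswered-client-bytes threshold used by the overflow checks. The post reports
# that the larger these are, the longer an ssh session stays up before it is cut.
preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 100 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch

# SSL preprocessor. noinspect_encrypted tells Snort to stop inspecting a flow
# once the handshake has completed and application data is encrypted; this is
# the point at which the post says the session stops getting through.
# (Port list shortened; the default file lists many more.)
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, \
                  trustservers, noinspect_encrypted
```

A quick way to tie the cut to the point where the preprocessor stops inspecting, rather than to something else in the inline path, is to lower max_encrypted_packets to a small value and confirm the ssh session drops correspondingly earlier, then comment out both preprocessor lines as the control the post already ran. If the cut tracks the limit, the suspect is how the DAQ handles the verdict Snort returns once it has decided a flow needs no further inspection, which is the situation the post describes.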