[Oisf-users] Suricata + ipfw + unwanted block

Victor Julien lists at inliniac.net
Mon Oct 7 09:22:15 UTC 2013


On 10/07/2013 10:46 AM, Theron ZORBAS wrote:
> Hello,
> 
> I'm using Suricata version 1.4.6 RELEASE under OpenBSD 5.4 amd64 via ipfw.
> I've diverted outgoing web requests on my external interface:
> pass out log quick on vlan100 proto tcp from (vlan100) to any port = 80
> flags S/SA scrub (reassemble tcp) divert-packet port 701
> pass out log quick on vlan100 proto tcp from (vlan100) to any port = 443
> flags S/SA scrub (reassemble tcp) divert-packet port 701
> 
> I can successfully see the traffic and can block with testing rules.
> But I've realized that Suricata is blocking some extra requests. Because
> of this blocking there are performance losses:
> You have to know that Suricata is blocking even when it has no rules.
> Here is a sample from drop.log (but there is no log in fast.log for these
> blocks) (if a rule matched it logs to fast.log, but these unwanted
> blocks are only written to drop.log)
>  
> O=TCP SPT=443 DPT=58619 SEQ=2804935695 ACK=2371747804 WINDOW=296 ACK PSH
> FIN RES=0x00 URGP=0
> 10/07/2013-11:39:01.632786: IN= OUT= SRC=192.168.100.100
> DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=17666 PROTO=TCP SPT=35725
> DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:01.727115: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34
> LEN=40 TOS=0x00 TTL=47 ID=27173 PROTO=TCP SPT=443 DPT=58835
> SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:01.767528: IN= OUT= SRC=192.168.100.100
> DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=8219 PROTO=TCP SPT=33639
> DPT=80 SEQ=1839439439 ACK=3038632221 WINDOW=0 ACK RST RES=0x00 URGP=0
> 10/07/2013-11:39:02.781027: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34
> LEN=40 TOS=0x00 TTL=47 ID=27175 PROTO=TCP SPT=443 DPT=58835
> SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:03.127516: IN= OUT= SRC=192.168.100.100
> DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=61475 PROTO=TCP SPT=35725
> DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:06.127572: IN= OUT= SRC=192.168.100.100
> DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=12954 PROTO=TCP SPT=35725
> DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:07.638406: IN= OUT= SRC=31.13.81.1 DST=10.10.10.34
> LEN=162 TOS=0x00 TTL=84 ID=13321 PROTO=TCP SPT=443 DPT=58690
> SEQ=4254779218 ACK=3242616673 WINDOW=137 ACK PSH FIN RES=0x00 URGP=0
> 10/07/2013-11:39:08.399823: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34
> LEN=108 TOS=0x00 TTL=47 ID=30737 PROTO=TCP SPT=443 DPT=58706
> SEQ=494824062 ACK=1570154700 WINDOW=115 ACK PSH FIN RES=0x00 URGP=0
> 10/07/2013-11:39:08.736707: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34
> LEN=40 TOS=0x00 TTL=57 ID=44554 PROTO=TCP SPT=443 DPT=58833
> SEQ=3355923965 ACK=3163237138 WINDOW=262 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:08.745750: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34
> LEN=40 TOS=0x00 TTL=47 ID=58908 PROTO=TCP SPT=443 DPT=58824
> SEQ=186188950 ACK=3184862903 WINDOW=62 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:09.207038: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34
> LEN=67 TOS=0x00 TTL=57 ID=44555 PROTO=TCP SPT=443 DPT=58833
> SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
> 10/07/2013-11:39:10.167096: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34
> LEN=67 TOS=0x00 TTL=57 ID=44556 PROTO=TCP SPT=443 DPT=58833
> SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
> 10/07/2013-11:39:10.280290: IN= OUT= SRC=173.194.113.65 DST=10.10.10.34
> LEN=40 TOS=0x00 TTL=55 ID=14985 PROTO=TCP SPT=443 DPT=58684
> SEQ=489181165 ACK=814232276 WINDOW=661 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:10.555450: IN= OUT= SRC=199.16.156.230 DST=10.10.10.34
> LEN=108 TOS=0x00 TTL=47 ID=64942 PROTO=TCP SPT=443 DPT=58823
> SEQ=2184787872 ACK=2439587835 WINDOW=136 ACK PSH FIN RES=0x00 URGP=0
> 10/07/2013-11:39:10.857528: IN= OUT= SRC=192.168.100.100
> DST=85.111.27.166 LEN=40 TOS=0x00 TTL=64 ID=25578 PROTO=TCP SPT=16044
> DPT=80 SEQ=4286671192 ACK=2754483115 WINDOW=0 ACK RST RES=0x00 URGP=0
> 10/07/2013-11:39:11.005811: IN= OUT= SRC=173.194.112.193 DST=10.10.10.34
> LEN=40 TOS=0x00 TTL=55 ID=59883 PROTO=TCP SPT=443 DPT=58685
> SEQ=2604475573 ACK=1338761892 WINDOW=661 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:12.087140: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34
> LEN=67 TOS=0x00 TTL=57 ID=44557 PROTO=TCP SPT=443 DPT=58833
> SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
> 10/07/2013-11:39:12.127531: IN= OUT= SRC=192.168.100.100
> DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=8958 PROTO=TCP SPT=35725
> DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0
> 10/07/2013-11:39:15.937229: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34
> LEN=67 TOS=0x00 TTL=57 ID=44558 PROTO=TCP SPT=443 DPT=58833
> SEQ=3355923938 ACK=3163237138 WINDOW=262 ACK PSH FIN RES=0x00 URGP=0
> 10/07/2013-11:39:16.369792: IN= OUT= SRC=68.232.35.139 DST=10.10.10.34
> LEN=67 TOS=0x00 TTL=57 ID=59813 PROTO=TCP SPT=443 DPT=58620
> SEQ=4064550715 ACK=3904868233 WINDOW=296 ACK PSH FIN RES=0x00 URGP=0
> 10/07/2013-11:39:17.927544: IN= OUT= SRC=192.168.100.100
> DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=27887 PROTO=TCP SPT=2623
> DPT=80 SEQ=2600092122 ACK=318670551 WINDOW=0 ACK RST RES=0x00 URGP=0
> 
> 
> Thanks for your help.
> --
> Theron ZORBAS
> 
> Note: 
> stream:
> checksum-validation: no
> inline: yes

The above is a result of the "inline: yes" option. In this case the
stream engine triggers drops on some packets, mostly retransmissions
with different data. You could try enabling the stream event rules to
see what these say about it.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
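The triage Victor suggests starts with telling the two kinds of drops apart: a drop that a signature explains shows up in fast.log as well as drop.log, while an inline stream-engine drop appears only in drop.log. The script below is an added example, not code from the thread or from the Suricata project. It parses the drop.log format shown above, matches each dropped packet's 5-tuple against fast.log drop entries, and then summarises the unexplained drops by TCP flag combination and flags any that are retransmissions (same flow, same SEQ/ACK seen more than once), which is the pattern Victor describes. The sample drop.log lines are taken from the post; the last drop line, the fast.log line, the rule sid 9000001 and the address 203.0.113.10 are constructed, and the fast.log layout with a "[Drop]" prefix is assumed from Suricata 1.x inline mode.

```python
"""Separate signature drops from inline stream-engine drops in Suricata 1.x logs.

Added example, not Suricata code.  Assumes the drop.log layout quoted in the
thread and a fast.log line of the form
  "<ts>  [Drop] [**] [gid:sid:rev] msg [**] ... {PROTO} src:spt -> dst:dpt"
"""
import re
from collections import Counter

# drop.log: "<ts>: IN= OUT= SRC=.. DST=.. LEN=.. ... PROTO=TCP SPT=.. DPT=..
#            SEQ=.. ACK=.. WINDOW=.. <flags> RES=0x00 URGP=0"
DROP_RE = re.compile(
    r"^(?P<ts>\S+): IN=\S* OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r"SEQ=(?P<seq>\d+) ACK=(?P<ack>\d+) WINDOW=\d+ (?P<flags>.*?) RES="
)

# fast.log entry for a packet dropped by a signature (assumed "[Drop]" prefix).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[Drop\] .*\{(?P<proto>\w+)\} "
    r"(?P<src>[^:]+):(?P<spt>\d+) -> (?P<dst>[^:]+):(?P<dpt>\d+)"
)

# Sample input: first five lines are from the post, the sixth is constructed.
SAMPLE_DROP_LOG = [
    "10/07/2013-11:39:01.632786: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=17666 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0",
    "10/07/2013-11:39:01.727115: IN= OUT= SRC=199.16.156.102 DST=10.10.10.34 LEN=40 TOS=0x00 TTL=47 ID=27173 PROTO=TCP SPT=443 DPT=58835 SEQ=2348162281 ACK=3955361904 WINDOW=58 ACK FIN RES=0x00 URGP=0",
    "10/07/2013-11:39:01.767528: IN= OUT= SRC=192.168.100.100 DST=85.111.27.167 LEN=40 TOS=0x00 TTL=64 ID=8219 PROTO=TCP SPT=33639 DPT=80 SEQ=1839439439 ACK=3038632221 WINDOW=0 ACK RST RES=0x00 URGP=0",
    "10/07/2013-11:39:03.127516: IN= OUT= SRC=192.168.100.100 DST=66.196.66.213 LEN=52 TOS=0x00 TTL=64 ID=61475 PROTO=TCP SPT=35725 DPT=80 SEQ=3540599647 ACK=17933725 WINDOW=2048 ACK FIN RES=0x00 URGP=0",
    "10/07/2013-11:39:07.638406: IN= OUT= SRC=31.13.81.1 DST=10.10.10.34 LEN=162 TOS=0x00 TTL=84 ID=13321 PROTO=TCP SPT=443 DPT=58690 SEQ=4254779218 ACK=3242616673 WINDOW=137 ACK PSH FIN RES=0x00 URGP=0",
    # constructed: a drop that a test signature explains
    "10/07/2013-11:40:00.000000: IN= OUT= SRC=192.168.100.100 DST=203.0.113.10 LEN=60 TOS=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=80 SEQ=1 ACK=1 WINDOW=2048 ACK PSH RES=0x00 URGP=0",
]
# Constructed fast.log line for the hypothetical test rule sid 9000001.
SAMPLE_FAST_LOG = [
    "10/07/2013-11:40:00.000000  [Drop] [**] [1:9000001:1] TEST drop rule [**] "
    "[Classification: (null)] [Priority: 3] {TCP} 192.168.100.100:40000 -> 203.0.113.10:80",
]


def parse_drop_line(line):
    """Return a dict for one drop.log line, or None if it does not parse."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["tuple"] = (rec["proto"], rec["src"], rec["spt"], rec["dst"], rec["dpt"])
    return rec


def parse_fast_drop(line):
    """Return the 5-tuple of a fast.log [Drop] entry, or None."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return (d["proto"], d["src"], d["spt"], d["dst"], d["dpt"])


def triage(drop_lines, fast_lines):
    """Split drops into signature-explained and unexplained, summarise the latter."""
    explained_tuples = {t for t in map(parse_fast_drop, fast_lines) if t}
    explained, unexplained = [], []
    for rec in filter(None, map(parse_drop_line, drop_lines)):
        (explained if rec["tuple"] in explained_tuples else unexplained).append(rec)
    # Flag mix of the unexplained drops: mostly FIN/RST here, i.e. teardown packets.
    by_flags = Counter(r["flags"] for r in unexplained)
    # Same flow + same SEQ/ACK more than once: a retransmission the stream engine dropped.
    seen = Counter((r["tuple"], r["seq"], r["ack"]) for r in unexplained)
    retransmitted = sorted(k for k, n in seen.items() if n > 1)
    return {"explained": explained, "unexplained": unexplained,
            "by_flags": by_flags, "retransmitted": retransmitted}


if __name__ == "__main__":
    result = triage(SAMPLE_DROP_LOG, SAMPLE_FAST_LOG)
    print("explained by a signature:", len(result["explained"]))
    print("unexplained (stream engine):", len(result["unexplained"]))
    for flags, n in result["by_flags"].most_common():
        print(f"  {flags:<12} {n}")
    for (tup, seq, ack) in result["retransmitted"]:
        print("  retransmitted:", tup, "SEQ", seq, "ACK", ack)
```

Run it against the real drop.log and fast.log with `triage(open(...), open(...))`; a large "unexplained" count dominated by FIN, RST and repeated SEQ/ACK pairs points at the inline stream engine rather than a signature, and the next step is enabling the stream-events rules so those drops get a name in fast.log.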
