[Oisf-users] Packet not dropped?

James Moe jimoe@sohnen-moe.com
Mon Nov 12 00:07:18 UTC 2018


suricata v4.1.0
linux 4.12.14-lp150.12.16-default x86_64

  It is not clear that packets are actually being dropped.
  We use ASSP (Anti-Spam SMTP Proxy) to filter incoming email. One
instance is shown below. It appears that an undesirable packet was
discovered before the proxy and, supposedly, dropped. Then it is discovered
again as the packet leaves the proxy.
  So <fast.log> shows the packet being dropped. <alert-debug.log>
(accurately) shows the opposite.

  Does "[Drop]" not mean that the packet is dropped (blocked)?
  Why was the packet not dropped?

Internet [23.83.215.22:48571]
 -> [192.168.69.246:25] -assp- 127.0.0.1:34280
 -> MTA [127.0.0.1:125]


11/11/2018-16:44:14.582392  [Drop] [**] [1:2260002:1] SURICATA Applayer
Detect protocol only one direction [**] [Classification: Generic
Protocol Command Decode] [Priority: 3] {TCP} 23.83.215.22:48571 ->
192.168.69.246:25

11/11/2018-16:44:14.872703  [Drop] [**] [1:2260002:1] SURICATA Applayer
Detect protocol only one direction [**] [Classification: Generic
Protocol Command Decode] [Priority: 3] {TCP} 127.0.0.1:34280 ->
127.0.0.1:125


+================
TIME:              11/11/2018-16:44:14.582392
PKT SRC:           wire/pcap
SRC IP:            23.83.215.22
DST IP:            192.168.69.246
PROTO:             6
SRC PORT:          48571
DST PORT:          25
TCP SEQ:           449678267
TCP ACK:           1531312201
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     11/11/2018-16:44:14.419934
FLOW PKTS TODST:   4
FLOW PKTS TOSRC:   2
FLOW Total Bytes:  433
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 3
FLOWINT:           "applayer.anomaly.count" => 1
PACKET LEN:        92
PACKET:
 0000  45 00 00 5C 72 1A 40 00  2D 06 E6 79 17 53 D7 16   E..\r.@. -..y.S..
 0010  C0 A8 45 F6 BD BB 00 19  1A CD 8B BB 5B 45 F8 49   ..E..... ....[E.I
 0020  80 18 00 E5 9B 1B 00 00  01 01 08 0A 0D 10 74 DF   ........ ......t.
 0030  D3 D1 8D EE 45 48 4C 4F  20 62 6F 6E 6F 62 6F 2E   ....EHLO  bonobo.
 0040  6F 61 6B 2E 72 65 6C 61  79 2E 6D 61 69 6C 63 68   oak.rela y.mailch
 0050  61 6E 6E 65 6C 73 2E 6E  65 74 0D 0A               annels.n et..
ALERT CNT:           1
ALERT MSG [00]:      SURICATA Applayer Detect protocol only one direction
ALERT GID [00]:      1
ALERT SID [00]:      2260002
ALERT REV [00]:      1
ALERT CLASS [00]:    Generic Protocol Command Decode
ALERT PRIO [00]:     3
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]:    N/A
PAYLOAD LEN:         40
PAYLOAD:
 0000  45 48 4C 4F 20 62 6F 6E  6F 62 6F 2E 6F 61 6B 2E   EHLO bon obo.oak.
 0010  72 65 6C 61 79 2E 6D 61  69 6C 63 68 61 6E 6E 65   relay.ma ilchanne
 0020  6C 73 2E 6E 65 74 0D 0A                            ls.net..

+================
TIME:              11/11/2018-16:44:14.872703
PKT SRC:           wire/pcap
SRC IP:            127.0.0.1
DST IP:            127.0.0.1
PROTO:             6
SRC PORT:          34280
DST PORT:          125
TCP SEQ:           2686885453
TCP ACK:           1410354532
FLOW:              to_server: TRUE, to_client: FALSE
FLOW Start TS:     11/11/2018-16:44:14.493624
FLOW PKTS TODST:   7
FLOW PKTS TOSRC:   4
FLOW Total Bytes:  774
FLOW IPONLY SET:   TOSERVER: TRUE, TOCLIENT: TRUE
FLOW ACTION:       DROP: FALSE
FLOW NOINSPECTION: PACKET: FALSE, PAYLOAD: FALSE, APP_LAYER: FALSE
FLOW APP_LAYER:    DETECTED: TRUE, PROTO 3
FLOWINT:           "applayer.anomaly.count" => 1
PACKET LEN:        92
PACKET:
 0000  45 00 00 5C 7C 67 40 00  40 06 C0 32 7F 00 00 01   E..\|g@. @..2....
 0010  7F 00 00 01 85 E8 00 7D  A0 26 9E 4D 54 10 4D 64   .......} .&.MT.Md
 0020  80 18 01 56 E5 C1 00 00  01 01 08 0A 74 CA 7C 90   ...V.... ....t.|.
 0030  74 CA 7B 17 45 48 4C 4F  20 62 6F 6E 6F 62 6F 2E   t.{.EHLO  bonobo.
 0040  6F 61 6B 2E 72 65 6C 61  79 2E 6D 61 69 6C 63 68   oak.rela y.mailch
 0050  61 6E 6E 65 6C 73 2E 6E  65 74 0D 0A               annels.n et..
ALERT CNT:           1
ALERT MSG [00]:      SURICATA Applayer Detect protocol only one direction
ALERT GID [00]:      1
ALERT SID [00]:      2260002
ALERT REV [00]:      1
ALERT CLASS [00]:    Generic Protocol Command Decode
ALERT PRIO [00]:     3
ALERT FOUND IN [00]: PACKET
ALERT IN TX [00]:    N/A
PAYLOAD LEN:         40
PAYLOAD:
 0000  45 48 4C 4F 20 62 6F 6E  6F 62 6F 2E 6F 61 6B 2E   EHLO bon obo.oak.
 0010  72 65 6C 61 79 2E 6D 61  69 6C 63 68 61 6E 6E 65   relay.ma ilchanne
 0020  6C 73 2E 6E 65 74 0D 0A                            ls.net..


-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
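The message compares the "[Drop]" tag in fast.log with the FLOW ACTION field in alert-debug.log by eye. The script below is an added example, not code from the post or from the Suricata project: it parses both formats as quoted above (the fast.log lines re-joined onto one line each, the alert-debug.log records abridged to the fields it uses), joins them on timestamp and 5-tuple, lists every entry that fast.log marks "[Drop]" while the matching debug record does not say "FLOW ACTION: DROP: TRUE", and groups records by payload so the same EHLO reappearing on the proxy-to-MTA hop stands out. The regular expressions, the join key and the reading of FLOW ACTION as the drop indicator are assumptions taken from the quoted samples, not from Suricata's own log writers.

```python
import hashlib
import re

# Sample input copied from the post: the fast.log lines re-joined onto one line each,
# the alert-debug.log records abridged to the fields this script uses.
FAST_LOG = """\
11/11/2018-16:44:14.582392  [Drop] [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 23.83.215.22:48571 -> 192.168.69.246:25
11/11/2018-16:44:14.872703  [Drop] [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 127.0.0.1:34280 -> 127.0.0.1:125
"""
ALERT_DEBUG_LOG = """\
+================
TIME:              11/11/2018-16:44:14.582392
SRC IP:            23.83.215.22
DST IP:            192.168.69.246
SRC PORT:          48571
DST PORT:          25
FLOW ACTION:       DROP: FALSE
PAYLOAD LEN:         40
PAYLOAD:
 0000  45 48 4C 4F 20 62 6F 6E  6F 62 6F 2E 6F 61 6B 2E   EHLO bon obo.oak.
 0010  72 65 6C 61 79 2E 6D 61  69 6C 63 68 61 6E 6E 65   relay.ma ilchanne
 0020  6C 73 2E 6E 65 74 0D 0A                            ls.net..
+================
TIME:              11/11/2018-16:44:14.872703
SRC IP:            127.0.0.1
DST IP:            127.0.0.1
SRC PORT:          34280
DST PORT:          125
FLOW ACTION:       DROP: FALSE
PAYLOAD LEN:         40
PAYLOAD:
 0000  45 48 4C 4F 20 62 6F 6E  6F 62 6F 2E 6F 61 6B 2E   EHLO bon obo.oak.
 0010  72 65 6C 61 79 2E 6D 61  69 6C 63 68 61 6E 6E 65   relay.ma ilchanne
 0020  6C 73 2E 6E 65 74 0D 0A                            ls.net..
"""

# Layout assumptions taken from the quoted samples, not from Suricata's own code.
FAST_RE = re.compile(
    r"^(?P<time>\S+)\s+\[(?P<action>[^\]]+)\]\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)
FIELD_RE = re.compile(r"^([^:]+?):\s+(.*)$")                                # "KEY:   value"
HEX_RE = re.compile(r"^\s*[0-9A-Fa-f]{4}\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")  # hexdump row
RECORD_SEP = re.compile(r"^\+=+\s*$", re.M)                                  # "+=====" divider


def parse_fast_log(text):
    """One dict per fast.log line, named after the fields fast.log prints."""
    return [m.groupdict() for m in map(FAST_RE.match, text.splitlines()) if m]


def parse_alert_debug(text):
    """Split alert-debug.log into records: the KEY: value fields plus raw payload bytes."""
    records = []
    for block in RECORD_SEP.split(text)[1:]:
        rec, payload, section = {}, bytearray(), None
        for line in block.splitlines():
            if line.rstrip() in ("PACKET:", "PAYLOAD:"):
                section = line.rstrip()[:-1]        # hex rows that follow belong to this dump
            elif (h := HEX_RE.match(line)):
                if section == "PAYLOAD":            # ignore the full-packet dump
                    payload += bytes.fromhex(h.group(1).replace(" ", ""))
            elif (f := FIELD_RE.match(line)):
                rec[f.group(1).strip()] = f.group(2).strip()
        # PAYLOAD LEN is authoritative: the ASCII column of the last row may look like hex.
        rec["payload"] = bytes(payload[: int(rec.get("PAYLOAD LEN", len(payload)))])
        records.append(rec)
    return records


def drop_mismatches(fast_entries, debug_records):
    """fast.log "[Drop]" lines whose alert-debug.log record does not show DROP: TRUE."""
    by_key = {(r["TIME"], r["SRC IP"], r["SRC PORT"], r["DST IP"], r["DST PORT"]): r
              for r in debug_records}
    out = []
    for e in fast_entries:
        r = by_key.get((e["time"], e["src"], e["sport"], e["dst"], e["dport"]))
        if e["action"] == "Drop" and r and r.get("FLOW ACTION") != "DROP: TRUE":
            out.append({"time": e["time"], "sid": e["sid"], "flow_action": r.get("FLOW ACTION"),
                        "flow": f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}"})
    return out


def payload_reappearances(debug_records):
    """Payload digests seen on more than one 5-tuple, with the flows they appeared on."""
    groups = {}
    for r in debug_records:
        digest = hashlib.sha256(r["payload"]).hexdigest()
        groups.setdefault(digest, []).append(
            f"{r['SRC IP']}:{r['SRC PORT']} -> {r['DST IP']}:{r['DST PORT']}")
    return {d: hops for d, hops in groups.items() if len(hops) > 1}


if __name__ == "__main__":
    fast, debug = parse_fast_log(FAST_LOG), parse_alert_debug(ALERT_DEBUG_LOG)
    print(*drop_mismatches(fast, debug), payload_reappearances(debug), sep="\n")
```

On a live sensor the two constants would be replaced by the contents of the real fast.log and alert-debug.log; the payload grouping only works because alert-debug.log includes the payload dump, which the other alert outputs do not.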