07-24-2014 09:46 AM
Some packets from exploit attempts reach target hosts, although the intrusion events for those attempts show the related packets as dropped.
07-24-2014 09:52 AM
An intrusion policy of a FireSIGHT System runs in post-ACK mode by default. This means that data in reassembled streams (such as HTTP streams) are not matched against rules until an ACK for the data is received from the server. The server has already seen an HTTP request before the system alerts on it. The rest of the session will be blocked, but the malicious GET has already been processed.
To modify this behavior, the Inline Normalization feature needs to be enabled on the intrusion policy, and the options Normalize TCP and Normalize TCP Payload need to be turned on. Please read the following document to learn more about the Post-Acknowledgement and Pre-Acknowledgement Inspection by Inline Normalization preprocessor.
In addition, if you are using a load balancer as a front end to your servers, your load balancer may be just looking at the first packet of a request and logging it based on that only. However, since Snort uses Protocol Aware Flushing (PAF), it does not alert or drop until it sees all of the packets of an HTTP request. If the load balancer is seeing only the first packet of a multi-packet request of which Snort has not dropped anything because the subsequent packets never made it to Snort, it may log the request inaccurately. Eventually, the sessions will get pruned because they have not seen data, and at that time the event will trigger because Snort will flush the rest of the stream. The event that gets generated will have the timestamp of the original data, not the time that Snort actually generated the event.
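To make the timing difference concrete, here is a small Python model of the behaviour described in the answer above. It is an added illustration written for this page, not FireSIGHT or Snort code: the packet timeline, the content match (`/etc/passwd`), the one-request stream and the single server ACK are all constructed, and "PAF" is reduced to "the request is complete at the header terminator". It replays the same three-segment GET through a toy inline sensor in post-ACK and pre-ACK mode, and once more with the tail of the request never arriving, so the session is pruned.

```python
"""Toy model: post-ACK vs pre-ACK inspection of a reassembled HTTP request.

Added example for this thread, not Cisco/Sourcefire/Snort code. The packets,
the rule and the ACK behaviour are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float              # capture timestamp (seconds)
    src: str               # "client" or "server"
    payload: bytes = b""   # client -> server request bytes
    ack: int = 0           # server -> client: client bytes acknowledged so far


@dataclass
class Alert:
    ts: float              # timestamp stamped on the event (first byte of data)
    fired_at: float        # when the sensor actually evaluated the rule
    verdict: str           # "drop"


RULE = b"/etc/passwd"      # constructed content match standing in for a rule


def paf_flush_point(buf: bytes):
    """Simplified PAF for HTTP: the request is complete at the header terminator."""
    i = buf.find(b"\r\n\r\n")
    return None if i < 0 else i + 4


def server_saw_full_request(delivered: bytes) -> bool:
    """Did a complete request reach the server (i.e. could it be processed)?"""
    return paf_flush_point(delivered) is not None


def replay(packets, mode, prune_ts=None):
    """Push packets through a toy inline sensor in "post_ack" or "pre_ack" mode.

    Returns (alerts, delivered): delivered is every client byte that was
    forwarded toward the server before the session was blocked.
    """
    assert mode in ("post_ack", "pre_ack")
    buf = b""              # client bytes reassembled so far
    first_ts = None        # timestamp of the first byte of the buffered request
    delivered = b""
    alerts = []
    awaiting_ack = None    # post-ACK: (flush_end, first_ts, request) until the server ACKs

    def fire(req, req_ts, now):
        if RULE in req:
            alerts.append(Alert(ts=req_ts, fired_at=now, verdict="drop"))
            return True
        return False

    for p in sorted(packets, key=lambda q: q.ts):
        if alerts:         # rest of the session is blocked after the first drop
            break
        if p.src == "client":
            if first_ts is None:
                first_ts = p.ts
            buf += p.payload
            end = paf_flush_point(buf)
            if mode == "pre_ack":
                # Inspect when PAF flushes; a matching segment is dropped, never forwarded.
                if end is not None and fire(buf[:end], first_ts, p.ts):
                    continue
                delivered += p.payload
            else:
                # Post-ACK: forward now, evaluate the rule only once the server ACKs it.
                delivered += p.payload
                if end is not None:
                    awaiting_ack = (end, first_ts, buf[:end])
        elif p.src == "server" and mode == "post_ack" and awaiting_ack:
            end, req_ts, req = awaiting_ack
            if p.ack >= end:
                awaiting_ack = None
                fire(req, req_ts, p.ts)

    # Session pruned without ever flushing: the remaining stream is flushed now,
    # but the event keeps the timestamp of the original data.
    if prune_ts is not None and not alerts and buf:
        fire(buf, first_ts, prune_ts)
    return alerts, delivered


# Constructed three-segment request and the server's ACK for all of it.
REQUEST = (b"GET /../../etc/passwd HTTP/1.1\r\n", b"Host: victim.example\r\n", b"\r\n")
SAMPLE = [
    Packet(ts=10.000, src="client", payload=REQUEST[0]),
    Packet(ts=10.001, src="client", payload=REQUEST[1]),
    Packet(ts=10.002, src="client", payload=REQUEST[2]),
    Packet(ts=10.050, src="server", ack=sum(len(s) for s in REQUEST)),
]

if __name__ == "__main__":
    for mode in ("post_ack", "pre_ack"):
        alerts, delivered = replay(SAMPLE, mode)
        print(mode, alerts, "server processed request:", server_saw_full_request(delivered))
    alerts, delivered = replay(SAMPLE[:1], "post_ack", prune_ts=60.0)
    print("pruned", alerts, "server processed request:", server_saw_full_request(delivered))
```

In post-ACK mode the drop verdict arrives at 10.050, after the server has acknowledged (and therefore already handled) the whole GET, which is exactly the "packet shown as dropped but it reached the host" symptom in the question. In pre-ACK mode the segment that completes the request is dropped at 10.002, so the server only ever holds an incomplete header block. In the pruned case the event fires at 60.0 but is stamped 10.000, the timestamp of the original data, which is why the event time does not line up with a load balancer's log.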