2313 Views, 2 Helpful, 8 Replies

ftd snort is blacklisting download traffic

ASUHIT3834770
Level 1

Hello all,

I have an FTD 2110 with an SSL policy applied. When I try to download anything, the download starts, but sometimes it completes and sometimes it is blacklisted by Snort. My access policy has action "allow" for any traffic coming from the VLAN I am testing with, and the SSL policy also matches "don't decrypt" for the VLAN I am testing with.

I have tried removing the SSL policy from the access control policy applied on the device, and everything went normally, also at a higher rate; when I re-apply the SSL policy the issue happens again.

The trace gives me this:

162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818394131, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict WHITELIST

162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818395511, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict WHITELIST

162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Firewall: starting AC rule matching, zone 5 -> 1, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999999, icmpType 26, icmpCode 187
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818396891, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort: processed decoder alerts or actions queue, drop
192.168.121.16-49942 > 162.19.57.41-443 6 AS 1-1 I 9 deleting firewall session flags = 0x38003, fwFlags = 0x1102
192.168.121.16-49942 > 162.19.57.41-443 6 AS 1-1 I 9 Logging EOF as part of session delete with rule_id = 268470305 ruleAction = 2 ruleReason = 0
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict BLACKLIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 ===> Blocked by Snort
Verdict reason is sent to DAQ

Has anyone worked with TAC on this issue and had it resolved?

With regards

8 Replies

Based on the provided trace, it appears that the downloads are being blocked by Snort, resulting in intermittent completion of the download process. Here's a breakdown of the trace:

The initial packets are ACKnowledgment packets indicating a successful connection setup between the client (192.168.121.16) and the server (162.19.57.41) on TCP port 443.
Snort initially identifies the packets with Snort ID 9 and NAP ID 6 and gives a verdict of WHITELIST, indicating that the traffic is allowed.
However, at a later stage, when the firewall starts AC (Access Control) rule matching, Snort processes decoder alerts or actions queue and determines that the traffic should be dropped. The reason for the drop is not explicitly mentioned in the provided trace.
The session is then deleted, and Snort gives a verdict of BLACKLIST, indicating that the traffic is blocked.
The final line indicates that the verdict reason is sent to the DAQ (Data Acquisition) system for further processing.

Try to fine-tune the Snort rule.

Snort rule tuning: you can tune the Snort rules to adjust the detection thresholds or add exclusions to allow the specific traffic that is being erroneously blocked.

please do not forget to rate.
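As an added example that is not part of this thread or of any Cisco tool, the script below applies the reading of the trace given above mechanically: it parses the `system support trace` lines, groups both directions of a connection into one record, collects the sequence of Snort verdicts, captures the Snort drop message and the rule_id / ruleAction / ruleReason logged at session teardown, and lists the flows that ended in BLACKLIST. The sample input is the trace from the original post; the line format assumed by the regular expressions is the one visible in that trace (`<ip>-<port> - <ip>-<port> <proto> AS <n-n> CID <n> <message>` and the `> ... I <n>` session-level variant), and lines in any other shape are skipped.

```python
import re
from collections import defaultdict

# Trace lines copied from the system support trace in the original post.
SAMPLE_TRACE = """\
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818394131, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict WHITELIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818395511, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict WHITELIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Firewall: starting AC rule matching, zone 5 -> 1, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999999, icmpType 26, icmpCode 187
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818396891, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort: processed decoder alerts or actions queue, drop
192.168.121.16-49942 > 162.19.57.41-443 6 AS 1-1 I 9 deleting firewall session flags = 0x38003, fwFlags = 0x1102
192.168.121.16-49942 > 162.19.57.41-443 6 AS 1-1 I 9 Logging EOF as part of session delete with rule_id = 268470305 ruleAction = 2 ruleReason = 0
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict BLACKLIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 ===> Blocked by Snort
Verdict reason is sent to DAQ
"""

# Assumed line shape, taken from the trace above:
#   "<ipA>-<portA> - <ipB>-<portB> <proto> AS <n-n> CID <n> <message>"   (packet-level)
#   "<ipA>-<portA> > <ipB>-<portB> <proto> AS <n-n> I <n> <message>"     (session-level)
LINE_RE = re.compile(
    r"^(?P<a>\d{1,3}(?:\.\d{1,3}){3})-(?P<ap>\d+) [->] "
    r"(?P<b>\d{1,3}(?:\.\d{1,3}){3})-(?P<bp>\d+) "
    r"(?P<proto>\d+) AS \S+ (?:CID|I) \d+ (?P<msg>.*)$"
)
VERDICT_RE = re.compile(r"Snort id (\d+), NAP id (\d+), IPS id (\d+), Verdict (\w+)")
EOF_RE = re.compile(r"rule_id = (\d+) ruleAction = (\d+) ruleReason = (\d+)")


def flow_key(a, ap, b, bp):
    """Direction-independent key so both directions of one connection share a record."""
    return "/".join(sorted([f"{a}:{ap}", f"{b}:{bp}"]))


def new_record():
    return {"verdicts": [], "snort_drop_msg": None, "eof": None, "blocked": False, "lines": 0}


def summarize_trace(text):
    """Parse trace text into {flow_key: record}; lines without a flow tuple are skipped."""
    flows = defaultdict(new_record)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # e.g. "Verdict reason is sent to DAQ" carries no flow tuple
        rec = flows[flow_key(m["a"], m["ap"], m["b"], m["bp"])]
        rec["lines"] += 1
        msg = m["msg"]
        v = VERDICT_RE.search(msg)
        if v:
            rec["verdicts"].append(v.group(4))          # WHITELIST / BLACKLIST / ...
        elif msg.startswith("Snort:") and msg.rstrip().endswith("drop"):
            rec["snort_drop_msg"] = msg                 # the Snort-side drop message
        elif "Blocked by Snort" in msg:
            rec["blocked"] = True
        e = EOF_RE.search(msg)
        if e:
            # Values logged at session teardown; cross-reference rule_id against the
            # access control policy to see which rule the session was attributed to.
            rec["eof"] = {"rule_id": e.group(1), "ruleAction": e.group(2), "ruleReason": e.group(3)}
    return dict(flows)


def blocked_flows(flows):
    """Flows whose last Snort verdict was BLACKLIST or that carry an explicit block line."""
    return sorted(
        k for k, r in flows.items()
        if r["blocked"] or (r["verdicts"] and r["verdicts"][-1] == "BLACKLIST")
    )


if __name__ == "__main__":
    summary = summarize_trace(SAMPLE_TRACE)
    for key in blocked_flows(summary):
        r = summary[key]
        print(key, "verdicts:", " -> ".join(r["verdicts"]))
        print("  drop message:", r["snort_drop_msg"])
        print("  session delete:", r["eof"])
```

Feed it a longer trace (several downloads, some completing and some not) and the verdict sequences per flow show which connections flipped from WHITELIST to BLACKLIST and at which point, which is the first thing to bring to TAC or to compare against the access control and SSL policy rules the rule_id points at.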

Dear Sheraz,

Thank you for your reply.

Please could you tell me the way to fine-tune the Snort rule?

Have a look at these: Link and This.

please do not forget to rate.

Is this FTD stand-alone (FDM) or managed by FMC? What version are they?

Can you enable additional logging and debugging options on the FTD device to gather more detailed information about the dropped packets? Analyzing the logs may provide insights into the specific reason for the drop and help in troubleshooting the issue.

please do not forget to rate.

I saw one case before and I think it is the same: the download sometimes asks for a hostname via DNS for a site that is in the blacklist,
so check the DNS traffic, see what site is requested during the download, allow it, and I think your issue will be solved.

engineer467
Level 1

Hello,

I am experiencing this Snort blacklist issue on my FTD in AWS. The strange thing is that this FTD is not licensed for IPS, yet I am getting this in the packet capture:

Drop-reason: (snort-blacklist) Packet is blacklisted by snort

Not sure what to do now.

Hi,

Well, just whitelist it. Even if the FTD is not licensed for IPS, Snort is still active for functions other than IPS.

Best,

Cristian.

Please suggest how I can whitelist it.