Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1653
Views
2
Helpful
5
Replies

ftd snort is blacklisting download traffic

ASUHIT3834770
Level 1
Level 1

‎05-28-2023 11:11 PM

hello all,

i have ftd 2110 with a ssl policy applied, when i try to download anything , the download starts but sometimes it is completed and sometimes it is blacklisted by snort, my access policy is with action " allow " for any traffic coming from the vlan i am testing with, and also the ssl policy matches " don't decrypt" for the vlan i am testing with

i have tried to remove the ssl policy from the access  control policy applied on the device and everything gone normally and also with higher rate, when i re apply the ssl policy the issue happens again.

the trace gives me that :

162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818394131, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict WHITELIST

162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818395511, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict WHITELIST

162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Firewall: starting AC rule matching, zone 5 -> 1, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999999, icmpType 26, icmpCode 187
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818396891, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort: processed decoder alerts or actions queue, drop
192.168.121.16-49942 > 162.19.57.41-443 6 AS 1-1 I 9 deleting firewall session flags = 0x38003, fwFlags = 0x1102
192.168.121.16-49942 > 162.19.57.41-443 6 AS 1-1 I 9 Logging EOF as part of session delete with rule_id = 268470305 ruleAction = 2 ruleReason = 0
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict BLACKLIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 ===> Blocked by Snort
Verdict reason is sent to DAQ

 

anyone worked with tac on this issue and is resolved ?

with regards

Labels:
5 Replies 5

Sheraz.Salim
VIP
VIP

‎05-29-2023 12:42 AM - edited ‎05-29-2023 12:44 AM

Based on the provided trace, it appears that the downloads are being blocked by Snort, resulting in intermittent completion of the download process. Here's a breakdown of the trace:

The initial packets are ACKnowledgment packets indicating a successful connection setup between the client (192.168.121.16) and the server (162.19.57.41) on TCP port 443.
Snort initially identifies the packets with Snort ID 9 and NAP ID 6 and gives a verdict of WHITELIST, indicating that the traffic is allowed.
However, at a later stage, when the firewall starts AC (Access Control) rule matching, Snort processes decoder alerts or actions queue and determines that the traffic should be dropped. The reason for the drop is not explicitly mentioned in the provided trace.
The session is then deleted, and Snort gives a verdict of BLACKLIST, indicating that the traffic is blocked.
The final line indicates that the verdict reason is sent to the DAQ (Data Acquisition) system for further processing.

Try to fine Tune the Snort Rule

Snort Rule Tuning, you can tune the Snort rules to adjust the detection thresholds or add exclusions to allow the specific traffic that is being erroneously blocked.

please do not forget to rate.

ASUHIT3834770
Level 1
Level 1
In response to Sheraz.Salim

‎05-29-2023 12:52 AM

dear Sheraz

thank you for your reply

please could you tell me the way to fine tune the snort rule? 

0 Helpful

Sheraz.Salim
VIP
VIP
In response to ASUHIT3834770

‎05-29-2023 02:54 AM

have to look on these Link and This 

please do not forget to rate.
0 Helpful

Sheraz.Salim
VIP
VIP
In response to ASUHIT3834770

‎05-29-2023 02:57 AM - edited ‎05-29-2023 02:59 AM

Is this FTD is stand-alone FDM or Managed by FMC? what version are they?

Can you enable additional logging and debugging options on the FTD device to gather more detailed information about the dropped packets. Analyzing the logs may provide insights into the specific reason for the drop and help in troubleshooting the issue.

please do not forget to rate.
0 Helpful

MHM Cisco World
VIP
VIP

‎05-29-2023 02:54 AM

I see one case before and I think it is same, the download some time ask Hostname via DNS for site that in Blacklist, 
so check the DNS traffic see what is site request during the download, allow it and I think your issue will be solve.

0 Helpful
Customers Also Viewed These Support Documents