05-28-2023 11:11 PM
Hello all,
I have an FTD 2110 with an SSL policy applied. When I try to download anything, the download starts, but sometimes it completes and sometimes it is blacklisted by Snort. My access policy has action "allow" for any traffic coming from the VLAN I am testing with, and the SSL policy also matches "don't decrypt" for the VLAN I am testing with.
I have tried removing the SSL policy from the access control policy applied on the device, and everything went normally, and also at a higher rate; when I re-apply the SSL policy the issue happens again.
The trace gives me this:
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818394131, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict WHITELIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818395511, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict WHITELIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Firewall: starting AC rule matching, zone 5 -> 1, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999999, icmpType 26, icmpCode 187
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Packet: TCP, ACK, seq 2818396891, ack 2449005002
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort: processed decoder alerts or actions queue, drop
192.168.121.16-49942 > 162.19.57.41-443 6 AS 1-1 I 9 deleting firewall session flags = 0x38003, fwFlags = 0x1102
192.168.121.16-49942 > 162.19.57.41-443 6 AS 1-1 I 9 Logging EOF as part of session delete with rule_id = 268470305 ruleAction = 2 ruleReason = 0
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict BLACKLIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 ===> Blocked by Snort
Verdict reason is sent to DAQ
Has anyone worked with TAC on this issue and had it resolved?
With regards
05-29-2023 12:42 AM - edited 05-29-2023 12:44 AM
Based on the provided trace, it appears that the downloads are being blocked by Snort, resulting in intermittent completion of the download process. Here's a breakdown of the trace:
The initial packets are ACKnowledgment packets indicating a successful connection setup between the client (192.168.121.16) and the server (162.19.57.41) on TCP port 443.
Snort initially identifies the packets with Snort ID 9 and NAP ID 6 and gives a verdict of WHITELIST, indicating that the traffic is allowed.
However, at a later stage, when the firewall starts AC (Access Control) rule matching, Snort processes the decoder alerts or actions queue and determines that the traffic should be dropped. The reason for the drop is not explicitly mentioned in the provided trace.
The session is then deleted, and Snort gives a verdict of BLACKLIST, indicating that the traffic is blocked.
The final line indicates that the verdict reason is sent to the DAQ (Data Acquisition) system for further processing.
Try to fine-tune the Snort rule.
Snort rule tuning: you can tune the Snort rules to adjust the detection thresholds or add exclusions to allow the specific traffic that is being erroneously blocked.
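An added triage helper, not code from any poster or from Cisco: it walks a system support trace in the format quoted above, groups lines by their two endpoints, and flags flows whose Snort verdict flips from WHITELIST to BLACKLIST mid-stream, pulling out the drop line and the rule_id/ruleAction from the EOF line so you know which AC rule to look at. The sample trace is a constructed excerpt in that format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional
# Constructed sample: an excerpt in the format of the trace quoted above.
SAMPLE_TRACE = """\
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict WHITELIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort: processed decoder alerts or actions queue, drop
192.168.121.16-49942 > 162.19.57.41-443 6 AS 1-1 I 9 Logging EOF as part of session delete with rule_id = 268470305 ruleAction = 2 ruleReason = 0
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 Snort id 9, NAP id 6, IPS id 0, Verdict BLACKLIST
162.19.57.41-443 - 192.168.121.16-49942 6 AS 1-1 CID 0 ===> Blocked by Snort
Verdict reason is sent to DAQ
"""
FLOW_RE = re.compile(r"^(\S+) [->] (\S+) ")  # "a-port - b-port" or "a-port > b-port"
VERDICT_RE = re.compile(r"Snort id (\d+), NAP id (\d+), IPS id (\d+), Verdict (\w+)")
DROP_RE = re.compile(r"Snort: (.*), drop$")
EOF_RE = re.compile(r"rule_id = (\d+) ruleAction = (\d+) ruleReason = (\d+)")

@dataclass
class FlowSummary:
    verdicts: List[str] = field(default_factory=list)  # Snort verdicts in trace order
    drop_reason: Optional[str] = None                  # text before ", drop"
    rule_id: Optional[int] = None                      # AC rule that logged the EOF
    rule_action: Optional[int] = None                  # numeric ruleAction from the EOF line
    blocked: bool = False                              # saw "===> Blocked by Snort"

def summarize_trace(text: str) -> Dict[FrozenSet[str], FlowSummary]:
    """Group lines by their two endpoints (direction-agnostic) and collect per-flow facts."""
    flows: Dict[FrozenSet[str], FlowSummary] = {}
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # lines without endpoints, e.g. "Verdict reason is sent to DAQ"
        s = flows.setdefault(frozenset(m.groups()), FlowSummary())
        v = VERDICT_RE.search(line)
        d = DROP_RE.search(line)
        e = EOF_RE.search(line)
        if v:
            s.verdicts.append(v.group(4))
        elif d:
            s.drop_reason = d.group(1)
        elif e:
            s.rule_id, s.rule_action = int(e.group(1)), int(e.group(2))
        elif "Blocked by Snort" in line:
            s.blocked = True
    return flows

def flipped_to_blacklist(s: FlowSummary) -> bool:
    """True when Snort first WHITELISTed the flow and its last verdict is BLACKLIST."""
    return "WHITELIST" in s.verdicts and s.verdicts[-1] == "BLACKLIST"
```

Feed it the full trace from the device and check each flagged flow's rule_id against the access control policy before tuning anything.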
05-29-2023 12:52 AM
Dear Sheraz,
Thank you for your reply.
Could you please tell me the way to fine-tune the Snort rule?
05-29-2023 02:57 AM - edited 05-29-2023 02:59 AM
Is this FTD stand-alone (FDM) or managed by FMC? What version are they?
Can you enable additional logging and debugging options on the FTD device to gather more detailed information about the dropped packets? Analyzing the logs may provide insight into the specific reason for the drop and help in troubleshooting the issue.
05-29-2023 02:54 AM
I saw one case before and I think it is the same: the download sometimes asks for a hostname via DNS for a site that is in the blacklist,
so check the DNS traffic to see what site is requested during the download, allow it, and I think your issue will be solved.
10-28-2024 12:42 PM
Hello,
I am experiencing this Snort blacklist issue in my FTD in AWS; the strange thing is that this FTD is not licensed for IPS, yet I am getting this in the packet capture:
Drop-reason: (snort-blacklist) Packet is blacklisted by snort
Not sure what to do now.
10-28-2024 01:24 PM
Hi,
Well, just whitelist it.
Best,
Cristian.