Snort mailing list archives
Re: snort seems to stop working after first hit of drop rule
From: "Russ Combs \(rucombs\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Sat, 22 Feb 2020 18:29:41 +0000
Hey Stefan,

When you say all traffic on UDP blocked, are you changing the source or destination addresses or ports between attempts? I ask because both of your alerts show the same 4-tuple. Typically the source port would be ephemeral and change each time.

What happens if you wait 60 seconds and send more of the same traffic? Snort should be blocking specific 4-tuples, not everything. And the block should time out after 30 seconds (default config) and allow the 4-tuple to pass again.

Also, that’s an ancient version of Snort. For best results, download the source from snort.org and build that.

Russ

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Stefan Mayer <stefan.mayer () usaneers de>
Date: Saturday, February 22, 2020 at 8:07 AM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: [Snort-sigs] snort seems to stop working after first hit of drop rule

Hi everyone.

I am using Ubuntu 18.04 LTS, and also the latest Snort version from apt-get, Version 2.9.7.0 GRE (Build 149). It is running inline, calling

/usr/sbin/snort -A console -Q -c /etc/snort/snort.conf -i eno1:enp3s0 -N

I set up the snort.conf, setting $HOME_NET to 10.10.10.0/25 and disabling all rules except local.rules, with the following content:

alert udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)

The result is:

02/21-18:11:48.115016 [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501

At the receiving end, the packets still arrive as they are supposed to. So far, so good.

After changing the rule to

drop udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)

The result is:

02/21-18:12:42.978438 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501

Once. For the first packet that matches. After that, the traffic on UDP stops arriving at the target; the only thing still passing the bridge is a ping. All UDP traffic, either matching the rule or missing it, is lost, until I restart Snort. Changing the rule to sdrop does not help, either.

How can I resolve this issue?

Thanks.
Stefan
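As an added example (not code from this list or from Snort itself), the script below parses the console alert lines quoted in the thread and models the per-4-tuple block with the 30-second timeout that the reply describes, so a reader can check whether repeated alerts really share one 4-tuple and whether a later packet should still be blocked under that model. The timeout value, the log year and the two sample lines are assumptions taken from the messages above, not read from snort.conf.

```python
import re
from datetime import datetime, timedelta

# Shape of a Snort 2.x "-A console" alert line as quoted in the thread; "[Drop]" is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?:\[(?P<action>\w+)\] )?"
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: \d+\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
BLOCK_TIMEOUT = timedelta(seconds=30)  # default block lifetime named in the reply (assumed)

def parse_alert(line, year=2020):
    """Parse one console alert line; the log carries no year, so one is supplied."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    four_tuple = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return {"ts": ts, "action": m["action"] or "Alert", "sid": int(m["sid"]), "tuple": four_tuple}

class BlockTable:
    """Model of per-4-tuple blocking with a fixed timeout, as described in the reply."""
    def __init__(self, timeout=BLOCK_TIMEOUT):
        self.timeout = timeout
        self.expires = {}  # 4-tuple -> time at which its block lapses
    def record_drop(self, event):
        self.expires[event["tuple"]] = event["ts"] + self.timeout
    def is_blocked(self, four_tuple, when):
        until = self.expires.get(four_tuple)
        return until is not None and when < until

def load_drops(lines, table):
    """Parse every line, feed each [Drop] alert into the table, return the parsed events."""
    events = [e for e in map(parse_alert, lines) if e]
    for e in events:
        if e["action"] == "Drop":
            table.record_drop(e)
    return events

def distinct_tuples(events):
    return {e["tuple"] for e in events}

# Constructed sample: the two lines quoted in the original mail (one alert, one drop).
SAMPLE_LOG = [
    "02/21-18:11:48.115016 [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501",
    "02/21-18:12:42.978438 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501",
]
```

Feed a real console log into load_drops and compare len(distinct_tuples(events)) with the number of alerts: a count of one 4-tuple across many sends is the sign that the source port is not changing between attempts.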