Snort mailing list archives

Re: snort3: reject rule problem


From: "Russ Combs \(rucombs\) via Snort-devel" <snort-devel () lists snort org>
Date: Tue, 1 Oct 2019 18:13:21 +0000

That’s working as expected.  You aren’t getting alerts because you aren’t getting packets.  If you want to alert on 
each one and block them individually, don’t send the active response.

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Tuesday, October 1, 2019 at 1:27 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] snort3: reject rule problem

I use IPS NFQ mode.
1. My config (only the important parts are shown):

snort = { ["-e"] = true, ["-M"] = true, ["--create-pidfile"] = true, ["-z"] = 0, ["-Q"]=true}
ips = { enable_builtin_rules = false, mode="inline" }
wizard = default_wizard
snort["-z"]=1
alert_fast = {file=true}
stream={}
stream_icmp={}
stream_ip={}
stream_tcp={}
reject={}
reject.control="port"
ips.rules = [[
                include /var/cache/m.rules
]]

m.rules:

drop icmp 192.168.33.10 any -> any any ( gid:8000; msg:"icmp"; sid:1;  )

Sending 4 pings, I have 4 entries in the alert log and the packets are dropped successfully:
19/10/01-04:08:08.089543 [drop] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214
19/10/01-04:08:09.097047 [drop] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214
19/10/01-04:08:10.105488 [drop] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214
19/10/01-04:08:11.113519 [drop] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214

2. Now I change only 1 thing: the rule action to "reject":

reject  icmp 192.168.33.10 any -> any any ( gid:8000; msg:"icmp"; sid:1;  )

Sending pings:
zzz@host:~$ ping 192.168.33.214
PING 192.168.33.214 (192.168.33.214) 56(84) bytes of data.
From 192.168.33.214 icmp_seq=1 Destination Port Unreachable   -- This is OK, the active response worked!
^C
--- 192.168.33.214 ping statistics ---
6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 4999ms  -- 6 pings dropped.

But what we see in alert log:

19/10/01-04:09:40.194939 [reset] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214

Only 1 alert message.

OK, I wait for some time (more than 1 minute) and send pings again: they are dropped and there are NO new entries in the alert log.

3. If I remove the stream_ip and stream_icmp inspectors, all is OK: for each dropped ping there is an entry in alert.log.

ping 192.168.33.214
PING 192.168.33.214 (192.168.33.214) 56(84) bytes of data.
From 192.168.33.214 icmp_seq=1 Destination Port Unreachable
From 192.168.33.214 icmp_seq=2 Destination Port Unreachable
From 192.168.33.214 icmp_seq=3 Destination Port Unreachable
From 192.168.33.214 icmp_seq=4 Destination Port Unreachable
From 192.168.33.214 icmp_seq=5 Destination Port Unreachable

Alert.log:
19/10/01-04:15:40.535491 [reset] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214
19/10/01-04:15:41.534852 [reset] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214
19/10/01-04:15:42.535242 [reset] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214
19/10/01-04:15:43.535235 [reset] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214
19/10/01-04:15:44.535043 [reset] [**] [8000:1:0] "icmp" [**] [Priority: 0] {ICMP} 192.168.33.10 -> 192.168.33.214

On Tue, 1 Oct 2019 at 19:57, Steven Baigal (sbaigal) <sbaigal () cisco com> wrote:
Active response needs inline mode; add -Q to the command line.
If running TCP, add normalizer = { tcp = { ips = true, }, }
If using a pcap to test inline mode, use -Q --daq dump --daq-var load-mode=read-file


From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of "Russ Combs (rucombs) via Snort-devel" <snort-devel () lists snort org>
Reply-To: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Tuesday, October 1, 2019 at 12:33 PM
To: Meridoff <oagvozd () gmail com>, "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] snort3: reject rule problem

What happens if you disable the active responses?  Do you get multiple alerts?  It seems like the active response is working.

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Tuesday, October 1, 2019 at 12:07 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] snort3: reject rule problem

That is per design – the alert kicks off the active responses.  The alert is logged, but the responses are not.
I have many pings, so there must be many alerts, but there is only one alert for the pings when the active response is ON.
Is it normal?

On Tue, 1 Oct 2019 at 17:42, Meridoff <oagvozd () gmail com> wrote:
I have many pings, so there must be many alerts, but there is only one when the active response is ON.
Is it normal?

On Thu, 26 Sep 2019 at 17:41, Russ Combs (rucombs) <rucombs () cisco com> wrote:
That is per design – the alert kicks off the active responses.  The alert is logged, but the responses are not.

From: Meridoff <oagvozd () gmail com>
Date: Thursday, September 26, 2019 at 10:25 AM
To: "Russ Combs (rucombs)" <rucombs () cisco com>
Subject: Re: [Snort-devel] snort3: reject rule problem

Thanks, it's become better: Host/Port Unreachable is sent for each ping packet now.

BUT only the 1st ping packet goes into the log. For the other ping packets there are no alerts in the log.

I use active.min_interval = 1
So this setting fixes the problem with the active response packets, but the log only has the 1st alert in all cases.

On Thu, 26 Sep 2019 at 14:36, Russ Combs (rucombs) <rucombs () cisco com> wrote:
Take a look at the active module.  Try configuring active.min_interval.

Russ

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Wednesday, September 25, 2019 at 5:39 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] snort3: reject rule problem


Hello

I have a reject rule that sends Port Unreachable for ping.

It's OK, but only for the 1st packet.

The next ping packets are silently dropped and are not detected and not logged.

reject icmp 192.168.0.1 any -> any any ( gid:8000; sid:1; msg:"ping";  )

This happens when the stream and stream_icmp inspectors are in the config.

If I remove the stream {} and/or stream_icmp {} inspectors from the snort lua config, then ALL is OK: each packet is
dropped and logged, and an ICMP Port Unreachable is sent for each dropped packet.

Part of config:

stream={}

stream_icmp={}

reject={control="port"}

Thanks.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
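Added example (editor's, not from the thread or the Snort project): two Snort 3 Lua fragments that put the two behaviours discussed in this thread side by side. The rule text, addresses, reject.control and stream settings are taken from the thread; the active.min_interval value, the surrounding layout and the inline deployment (snort -Q with an NFQ or similar inline DAQ) are assumptions. The explanation in the comments of why the reject variant yields one alert per flow is my reading of Russ's reply ("you aren't getting alerts because you aren't getting packets") together with the reporter's observation that removing stream_icmp restores per-packet alerts.

```lua
-- Added example, not from the thread or the Snort project. Contrasts a reject
-- rule (one alert per flow, active response sent) with a drop rule (one alert
-- per packet, nothing sent back). Assumes an inline run: snort -Q ... (Steven's
-- point above: active responses need inline mode).

-- Common part: inline IPS mode, flow tracking, fast alert log. stream_icmp is
-- what makes the echo requests into a tracked flow; without it the reporter
-- saw one alert per ping even with reject.
ips         = { enable_builtin_rules = false, mode = 'inline' }
alert_fast  = { file = true }
stream      = {}
stream_ip   = {}
stream_icmp = {}
stream_tcp  = {}
-- For TCP rules you would also add (per Steven): normalizer = { tcp = { ips = true } }

-- Active response pacing. min_interval is the minimum number of seconds between
-- responses on a flow; the Snort 3 documented default is 255, which is why the
-- original setup answered only the first echo request. The reporter set it to 1
-- so every ping gets a port unreachable.
active = { min_interval = 1 }

-- Variant A: reject. The first matching packet is logged ([reset] in alert_fast),
-- an ICMP port unreachable (control = 'port') is sent to the source, and the flow
-- is blocked. While stream_icmp tracks that flow, later echo requests are
-- discarded before the rule engine sees them, so there is one alert per flow,
-- not one per ping. This is the behaviour the thread calls expected.
reject = { control = 'port' }
ips.rules = [[
reject icmp 192.168.33.10 any -> any any ( gid:8000; msg:"icmp"; sid:1; )
]]

-- Variant B: per-packet alert and block, no active response (Russ's suggestion
-- for alerting on each ping individually). Every echo request is evaluated,
-- dropped and logged ([drop] in alert_fast), but nothing is sent back, so the
-- sender only sees packet loss. Swap this in for ips.rules above to use it.
-- ips.rules = [[
-- drop icmp 192.168.33.10 any -> any any ( gid:8000; msg:"icmp"; sid:1; )
-- ]]
```

Pick one variant per rule: reject when you want the sender to receive an unreachable and accept a single alert per flow, drop when you want an alert for every packet and can live without the response.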
