Snort mailing list archives

Re: snort seems to stop working after first hit of drop rule


From: Stefan Mayer <stefan.mayer () usaneers de>
Date: Sat, 22 Feb 2020 20:02:25 +0000

Hi Russ.

I am changing nothing between my tests, except the keyword from alert to drop. My setup looks like this:

sender (10.10.10.99) <-> L2-bridge <-> receiver (10.10.10.16)

The L2 bridge is a PC with two NICs, both in promiscuous mode, running Snort. I am using Colasoft Packet Player (on the sender) to replay a distinct set of frames, to have comparable tests against the same data. That's why the port does not change.
I never waited as long as 60s, will try that on Monday. Also I will compile it from scratch.

Stefan

From: Russ Combs (rucombs) [mailto:rucombs () cisco com]
Sent: Saturday, 22 February 2020 19:30
To: Stefan Mayer; snort-sigs () lists snort org
Subject: Re: [Snort-sigs] snort seems to stop working after first hit of drop rule

Hey Stefan,

When you say all traffic on UDP blocked, are you changing the source or destination addresses or ports between attempts? I ask because both of your alerts show the same 4-tuple. Typically the source port would be ephemeral and change each time. What happens if you wait 60 seconds and send more of the same traffic?

Snort should be blocking specific 4-tuples, not everything. And the block should time out after 30 seconds (default config) and allow the 4-tuple to pass again.

Also, that’s an ancient version of Snort.  For best results, download the source from snort.org and build that.

Russ
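To make Russ's point concrete, here is an added example (not code from the thread, and not Snort's own implementation): a small Python model of an inline engine that, like Russ describes, blocks the specific 4-tuple once a drop rule fires and lets it pass again after a 30-second timeout. The rule logic models the `drop udp any any -> $HOME_NET 30501 (content:"|45670123|"; depth:4;)` rule from the original post, with `$HOME_NET` set to 10.10.10.0/25. The packet timestamps and payloads are constructed for the scenario; the `InlineEngine` class and its method names are assumptions of this model. It shows why replaying the same frames from the same source port looks like "all UDP is blocked": every packet after the first match shares the blocked 4-tuple, whether or not its content matches, until the block expires.

```python
"""Model of per-4-tuple blocking with a timeout, as described in the thread.

This is an illustration of the behaviour Russ describes, not Snort's code.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BLOCK_TIMEOUT = 30.0                       # seconds; the default timeout Russ mentions
HOME_NET = ipaddress.ip_network("10.10.10.0/25")   # $HOME_NET from the original post
SIG_BYTES = bytes.fromhex("45670123")      # content:"|45670123|" from the rule
SIG_DEPTH = 4                              # depth:4 -> only the first 4 payload bytes are searched
RULE_DPORT = 30501

FourTuple = Tuple[str, int, str, int]


@dataclass
class Packet:
    """Constructed UDP packet: addresses, ports, payload and a capture timestamp (seconds)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    ts: float

    def four_tuple(self) -> FourTuple:
        return (self.src, self.sport, self.dst, self.dport)


def rule_matches(pkt: Packet) -> bool:
    """drop udp any any -> $HOME_NET 30501 (content:"|45670123|"; depth:4;)"""
    if pkt.dport != RULE_DPORT:
        return False
    if ipaddress.ip_address(pkt.dst) not in HOME_NET:
        return False
    # depth:4 restricts the content search to the first 4 bytes of the payload
    return SIG_BYTES in pkt.payload[:SIG_DEPTH]


@dataclass
class InlineEngine:
    """Assumed model: a block cache keyed by 4-tuple, each entry holding its expiry time."""
    blocked: Dict[FourTuple, float] = field(default_factory=dict)

    def process(self, pkt: Packet) -> str:
        key = pkt.four_tuple()
        expiry = self.blocked.get(key)
        if expiry is not None:
            if pkt.ts < expiry:
                return "BLOCKED"          # flow still blocked; content is not re-evaluated
            del self.blocked[key]         # block timed out, the 4-tuple may pass again
        if rule_matches(pkt):
            self.blocked[key] = pkt.ts + BLOCK_TIMEOUT
            return "DROP"                 # the rule hit that would be logged as [Drop]
        return "PASS"


def run_scenario() -> List[str]:
    """Replay the thread's situation: same 4-tuple for every frame, then variations."""
    engine = InlineEngine()
    matching = SIG_BYTES + b"rest-of-datagram"
    benign = b"\x00\x00\x00\x00" + SIG_BYTES    # signature present, but beyond depth:4
    packets = [
        Packet("10.10.10.99", 30400, "10.10.10.16", 30501, matching, ts=0.0),   # first hit
        Packet("10.10.10.99", 30400, "10.10.10.16", 30501, benign, ts=1.0),     # same 4-tuple
        Packet("10.10.10.99", 30401, "10.10.10.16", 30501, benign, ts=2.0),     # new source port
        Packet("10.10.10.99", 30400, "10.10.10.16", 30501, benign, ts=31.0),    # after timeout
        Packet("10.10.10.99", 30400, "10.10.10.16", 30501, matching, ts=32.0),  # hits again
    ]
    return [engine.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

In this model the second packet is lost even though its content does not match the rule, while a packet from a different source port passes; waiting past the timeout (Russ suggests 60 seconds) lets the original 4-tuple through again. Comparing a real capture against this expectation separates "the whole bridge stopped forwarding UDP" from "one 4-tuple is blocked and all my replayed frames share it".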

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Stefan Mayer <stefan.mayer () usaneers de>
Date: Saturday, February 22, 2020 at 8:07 AM
To: snort-sigs () lists snort org
Subject: [Snort-sigs] snort seems to stop working after first hit of drop rule

Hi everyone.

I am using Ubuntu 18.04 LTS, and also the latest Snort version from apt-get, Version 2.9.7.0 GRE (Build 149). It is running inline, calling
/usr/sbin/snort -A console -Q -c /etc/snort/snort.conf -i eno1:enp3s0 -N

I set up the snort.conf, setting $HOME_NET to 10.10.10.0/25 and disabling all rules except local.rules, with the following content:
alert udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)

The result is:
02/21-18:11:48.115016  [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501

At the receiving end, the packets still arrive as they are supposed to. So far, so good.

After changing the rule to
drop udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)

The result is:
02/21-18:12:42.978438  [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501

Once. For the first packet that matches. After that, the traffic on UDP stops arriving at the target; the only thing still passing the bridge is a ping. All UDP traffic, either matching the rule or missing it, is lost, until I restart Snort.
Changing the rule to sdrop does not help, either.

How can I resolve this issue? Thanks.

Stefan
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
