Snort mailing list archives
Re: snort seems to stop working after first hit of drop rule
From: Stefan Mayer <stefan.mayer () usaneers de>
Date: Sat, 22 Feb 2020 20:02:25 +0000
Hi Russ. I am changing nothing between my tests, except the keyword from alert to drop. My setup looks like this: sender (10.10.10.99) <-> L2-bridge <-> receiver (10.10.10.16) The L2 bridge is a pc with two nics, and both nics in promiscuous mode, running snort. I am using colasoft packet player (one the sender) to replay a distinct set of frames, to have comparable tests against the same data. That’s why the port does not change. I never waited as long as 60s, will try that on Monday. Also I will compile it from scratch. Stefan Von: Russ Combs (rucombs) [mailto:rucombs () cisco com] Gesendet: Samstag, 22. Februar 2020 19:30 An: Stefan Mayer; snort-sigs () lists snort org Betreff: Re: [Snort-sigs] snort seems to stop working after first hit of drop rule Hey Stefan, When you say all traffic on UDP blocked, are you changing the source or destination addresses or ports between attempts? I ask because both of your alerts show the same 4-tuple. Typically the source port would be ephemeral and change each time. What happens if you wait 60 seconds and send more of the same traffic? Snort should be blocking specific 4-tuples, not everything. And the block should time out after 30 seconds (default config) and allow the 4-tuple to pass again. Also, that’s an ancient version of Snort. For best results, download the source from snort.org and build that. Russ From: Snort-sigs <snort-sigs-bounces () lists snort org<mailto:snort-sigs-bounces () lists snort org>> on behalf of Stefan Mayer <stefan.mayer () usaneers de<mailto:stefan.mayer () usaneers de>> Date: Saturday, February 22, 2020 at 8:07 AM To: "snort-sigs () lists snort org<mailto:snort-sigs () lists snort org>" <snort-sigs () lists snort org<mailto:snort-sigs () lists snort org>> Subject: [Snort-sigs] snort seems to stop working after first hit of drop rule Hi everyone. I am using ubuntu 18.04 lts, and also the latest snort version from apt-get, Version 2.9.7.0 GRE (Build 149). It is running inline, calling /usr/sbin/snort -A console -Q -c /etc/snort/snort.conf -i eno1:enp3s0 -N I set up the snort.conf, setting $HOME_NET to 10.10.10.0/25 and disabling all rules except local.rules, with the following content: alert udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;) The result is: 02/21-18:11:48.115016 [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501 At the receiving end, the packets still arrive as they are supposed to. So far, so good. After changing the rule to drop udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;) The result is: 02/21-18:12:42.978438 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501 Once. For the first packet that matches. After that, the traffic on udp stops arriving at the target, the only thing still passing the bridge is a ping. All udp traffic, either matching the rule or missing it, is lost, until I restart snort. Changing the rule to sdrop does not help, either. How can I resolve this issue? Thanks. Stefan
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 22)
- Re: snort seems to stop working after first hit of drop rule wkitty42--- via Snort-sigs (Feb 22)
- Re: snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 22)
- Re: snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 27)
- <Possible follow-ups>
- Re: snort seems to stop working after first hit of drop rule Russ Combs (rucombs) via Snort-sigs (Feb 22)
- Re: snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 22)
- Re: snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 24)
- Re: snort seems to stop working after first hit of drop rule wkitty42--- via Snort-sigs (Feb 22)