Snort mailing list archives
Re: snort seems to stop working after first hit of drop rule
From: Stefan Mayer <stefan.mayer () usaneers de>
Date: Sat, 22 Feb 2020 21:45:04 +0000
Thanks for your response. Either you or I am missing something.

In my understanding, the rule

drop udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)

says: Drop any packet that is sent via udp from anywhere to any host in the network, if the payload contains 45670123 in hex. Any other packet (icmp, or tcp, or any other udp that does not contain the magic number), shall not be dropped and sent onwards.

I am constantly sending data that matches the rule, among other packets that do not match. On the receiving end, this happens: I receive four packets that do not match the rule (udp with 111111 as payload), then snort drops the fifth packet which matches the rule. After that, I am receiving no udp at all, although I keep sending. Snort does not report anything anymore. The only thing still reaching the receiver is a ping.

-----Original Message-----
From: Snort-sigs [mailto:snort-sigs-bounces () lists snort org] On Behalf Of wkitty42--- via Snort-sigs
Sent: Saturday, 22 February 2020 15:16
To: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] snort seems to stop working after first hit of drop rule

On 2/21/20 12:30 PM, Stefan Mayer wrote:
> How can I resolve this issue? Thanks.
what is the exact issue you're trying to solve? your rule is for UDP which snort detects and drops as instructed... ping may or may not use UDP so please explain further exactly what the issue is...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list where it belongs!*
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
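How the `content:"|45670123|"; depth:4;` test in the rule quoted above decides on individual payloads, as an added example that is not part of the original thread and not Snort's own code. It models only the udp/port header check and the content/depth search; `$HOME_NET` is assumed to match, escape sequences inside content strings are not handled, and the function names and sample payloads are constructed for illustration.

```python
def parse_content(spec: str) -> bytes:
    """Convert a Snort content string (literal text with |hex| runs) to bytes."""
    out = bytearray()
    # Splitting on '|' leaves literal text at even indexes, hex runs at odd ones.
    for i, part in enumerate(spec.split("|")):
        if i % 2:
            out += bytes.fromhex(part)      # fromhex ignores spaces between bytes
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_match(payload: bytes, spec: str, offset: int = 0, depth=None) -> bool:
    """True if the whole pattern lies inside payload[offset:offset+depth].

    Without depth the search runs to the end of the payload.
    """
    pattern = parse_content(spec)
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]


def rule_matches(proto: str, dport: int, payload: bytes) -> bool:
    """Header and content test of the rule from the thread (sid:10000003)."""
    return (proto == "udp" and dport == 30501
            and content_match(payload, "|45670123|", depth=4))


# Constructed sample packets: (protocol, destination port, payload)
SAMPLES = [
    ("udp", 30501, b"\x45\x67\x01\x23" + b"data"),  # magic at payload start
    ("udp", 30501, b"111111"),                      # no magic bytes
    ("udp", 30501, b"\x00\x45\x67\x01\x23"),        # magic starts at byte 1
    ("tcp", 30501, b"\x45\x67\x01\x23"),            # wrong protocol
]

if __name__ == "__main__":
    for proto, dport, payload in SAMPLES:
        verdict = "match" if rule_matches(proto, dport, payload) else "no match"
        print(f"{proto}/{dport} {payload.hex()}: {verdict}")
```

Because the pattern is four bytes long and `depth` is 4, only payloads that begin with `45 67 01 23` match; the same bytes one position later fall outside the search window.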
Current thread:
- snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 22)
- Re: snort seems to stop working after first hit of drop rule wkitty42--- via Snort-sigs (Feb 22)
- Re: snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 22)
- Re: snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 27)
- <Possible follow-ups>
- Re: snort seems to stop working after first hit of drop rule Russ Combs (rucombs) via Snort-sigs (Feb 22)
- Re: snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 22)
- Re: snort seems to stop working after first hit of drop rule Stefan Mayer (Feb 24)
- Re: snort seems to stop working after first hit of drop rule wkitty42--- via Snort-sigs (Feb 22)