Snort mailing list archives
Re: snort seems to stop working after first hit of drop rule
From: Stefan Mayer <stefan.mayer () usaneers de>
Date: Mon, 24 Feb 2020 18:07:14 +0000
Hi Russ,

I got the chance to test your suggestions. Everything I test from now runs at "Version 2.9.15.1 GRE (Build 15125)", I just built everything from scratch.

I started snort inline with the same config, and I am constantly sending the test packets.

02/24-16:03:18.483054 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 160.48.199.99:30400 -> 160.48.199.16:30501

I let it run until 16:15, no further messages appeared. But, the last time I tested, no udp traffic was reaching the receiver. This is different now. I am checking with wireshark on the receiver, I get all packets except the dropped ones. It seems to be a display issue, only displaying the first drop. Weird, but ok in my case.

Although it's a different topic, how do I start snort with my inline call

/usr/local/bin/snort -A console -Q -c /etc/snort/snort.conf -i eno1:enp3s0 -N

at startup, as root, automatically?

From: Russ Combs (rucombs) <rucombs () cisco com>
Sent: Saturday, 22 February 2020 19:30
To: Stefan Mayer <stefan.mayer () usaneers de>; snort-sigs () lists snort org
Subject: Re: [Snort-sigs] snort seems to stop working after first hit of drop rule

Hey Stefan,

When you say all traffic on UDP blocked, are you changing the source or destination addresses or ports between attempts? I ask because both of your alerts show the same 4-tuple. Typically the source port would be ephemeral and change each time.

What happens if you wait 60 seconds and send more of the same traffic? Snort should be blocking specific 4-tuples, not everything. And the block should time out after 30 seconds (default config) and allow the 4-tuple to pass again.

Also, that's an ancient version of Snort. For best results, download the source from snort.org and build that.

Russ

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Stefan Mayer <stefan.mayer () usaneers de>
Date: Saturday, February 22, 2020 at 8:07 AM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: [Snort-sigs] snort seems to stop working after first hit of drop rule

Hi everyone.

I am using ubuntu 18.04 lts, and also the latest snort version from apt-get, Version 2.9.7.0 GRE (Build 149). It is running inline, calling

/usr/sbin/snort -A console -Q -c /etc/snort/snort.conf -i eno1:enp3s0 -N

I set up the snort.conf, setting $HOME_NET to 10.10.10.0/25 and disabling all rules except local.rules, with the following content:

alert udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)

The result is:

02/21-18:11:48.115016 [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501

At the receiving end, the packets still arrive as they are supposed to. So far, so good.

After changing the rule to

drop udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)

The result is:

02/21-18:12:42.978438 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501

Once. For the first packet that matches. After that, the traffic on udp stops arriving at the target, the only thing still passing the bridge is a ping. All udp traffic, either matching the rule or missing it, is lost, until I restart snort. Changing the rule to sdrop does not help, either.

How can I resolve this issue?

Thanks.
Stefan
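The thread turns on two things that are easy to check mechanically from Snort's console output: whether the alerts share one 4-tuple (Russ's question), and whether repeated drops land inside the default 30-second block window he describes. The following parser for Snort 2.x `-A console` alert lines, with a per-flow summary, is an added example and not code from the thread or from the Snort project; the sample log is constructed from the lines quoted above plus two invented follow-up lines (a second drop on the same flow and one from a different source port), and the `block_timeout` value is taken from Russ's description of the default config.

```python
import re
from datetime import datetime

# Snort 2.x "-A console" alert line, as quoted in the thread, e.g.
# 02/24-16:03:18.483054 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 160.48.199.99:30400 -> 160.48.199.16:30501
# The "[Drop]" action tag is only present for inline verdicts; the
# Classification field appears only if the rule sets classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample: the two lines from the thread plus two invented
# follow-ups (a second drop 0.12 s later on the same flow, and a drop
# from a different ephemeral source port) and one non-alert line.
SAMPLE_LOG = """\
02/21-18:11:48.115016 [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501
02/21-18:12:42.978438 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501
02/21-18:12:43.101200 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501
02/21-18:13:30.000000 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:40001 -> 10.10.10.16:30501
not an alert line
"""


def parse_alert(line):
    """Return a dict of fields for one console alert line, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["action"] = fields["action"] or "Alert"  # no tag means plain alert, not a verdict
    # Console lines carry no year, so strptime defaults to 1900; only deltas are used here.
    fields["ts"] = datetime.strptime(fields["ts"], "%m/%d-%H:%M:%S.%f")
    return fields


def flow_key(alert):
    """The 4-tuple (plus protocol) that inline Snort blocks on."""
    return (alert["proto"], alert["src"], alert["sport"], alert["dst"], alert["dport"])


def summarize(lines, block_timeout=30.0):
    """Group alerts by flow and count drops that fall inside the block window.

    block_timeout is the number of seconds a dropped 4-tuple stays blocked
    (30 s in the default config, per the thread). A drop logged within that
    window of the previous drop on the same flow is a packet on a flow that
    is already being held; a drop after the window is the flow being
    re-blocked once the earlier block expired.
    """
    flows = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        f = flows.setdefault(flow_key(alert), {
            "alerts": 0, "drops": 0, "drops_within_block": 0,
            "first": alert["ts"], "last": alert["ts"], "last_drop": None,
        })
        f["alerts"] += 1
        f["last"] = alert["ts"]
        if alert["action"] == "Drop":
            if f["last_drop"] is not None and \
                    (alert["ts"] - f["last_drop"]).total_seconds() <= block_timeout:
                f["drops_within_block"] += 1
            f["drops"] += 1
            f["last_drop"] = alert["ts"]
    return flows


def main():
    for key, f in summarize(SAMPLE_LOG.splitlines()).items():
        proto, src, sport, dst, dport = key
        print(f"{proto} {src}:{sport} -> {dst}:{dport}: "
              f"{f['alerts']} alerts, {f['drops']} drops, "
              f"{f['drops_within_block']} within the block window")


if __name__ == "__main__":
    main()
```

Run against a real console log (`snort -A console ... | tee snort.log`, then `summarize(open("snort.log"))`), a summary showing several distinct source ports each dropped once, with nothing else logged, is consistent with the per-4-tuple blocking Russ describes; a single 4-tuple with many drops inside the window would instead mean the sender is reusing the same source port, which is exactly the distinction he asked Stefan to check.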