Snort mailing list archives

Re: snort seems to stop working after first hit of drop rule


From: "Russ Combs (rucombs) via Snort-sigs" <snort-sigs () lists snort org>
Date: Sat, 22 Feb 2020 18:29:41 +0000

Hey Stefan,

When you say all traffic on UDP blocked, are you changing the source or destination addresses or ports between 
attempts?  I ask because both of your alerts show the same 4-tuple.  Typically the source port would be ephemeral and 
change each time.  What happens if you wait 60 seconds and send more of the same traffic?

Snort should be blocking specific 4-tuples, not everything.  And the block should time out after 30 seconds (default 
config) and allow the 4-tuple to pass again.

Also, that’s an ancient version of Snort.  For best results, download the source from snort.org and build that.

Russ

From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Stefan Mayer <stefan.mayer () usaneers de>
Date: Saturday, February 22, 2020 at 8:07 AM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Subject: [Snort-sigs] snort seems to stop working after first hit of drop rule

Hi everyone.

I am using ubuntu 18.04 lts, and also the latest snort version from apt-get, Version 2.9.7.0 GRE (Build 149). It is 
running inline, calling
/usr/sbin/snort -A console -Q -c /etc/snort/snort.conf -i eno1:enp3s0 -N

I set up the snort.conf, setting $HOME_NET to 10.10.10.0/25 and disabling all rules except local.rules, with the 
following content:
alert udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)

The result is:
02/21-18:11:48.115016  [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501

At the receiving end, the packets still arrive as they are supposed to. So far, so good.

After changing the rule to
drop udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)

The result is:
02/21-18:12:42.978438  [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501

Once. For the first packet that matches. After that, the traffic on UDP stops arriving at the target; the only thing 
still passing the bridge is a ping. All UDP traffic, whether it matches the rule or not, is lost until I restart 
snort.
Changing the rule to sdrop does not help, either.

How can I resolve this issue? Thanks.

Stefan
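Russ's reply rests on two checks that are easy to get wrong when reading console output by eye: whether the repeated alerts really carry the same 4-tuple (same source port means the same flow, not "all UDP"), and whether a block on one 4-tuple would still be in force given the 30-second default timeout he mentions. The block below is an added example, not Snort's code and not anything from this thread's authors: it parses the `-A console` alert lines quoted above, flags 4-tuples that recur, and models the per-4-tuple block table with a timeout so the expected behaviour (only the matching tuple blocked, and only until the timeout lapses) can be compared against what Stefan observed. The 30-second figure is taken from Russ's reply; treating it as an exact hard cut-off, the third sample alert, and the `BlockTable` model itself are assumptions for illustration.

```python
"""Parse Snort console/fast alert lines and model per-4-tuple blocking with
a timeout. Added example for this thread; not Snort's own implementation."""
import re
from datetime import datetime, timedelta

# Snort "-A console" alert format as quoted in the thread. The leading
# "[Drop]" tag appears only on inline drop alerts, so it is optional here.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<action>\w+)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample input: the two lines quoted in the thread plus a third,
# invented line from a different (ephemeral) source port for comparison.
SAMPLE_ALERTS = [
    "02/21-18:11:48.115016  [**] [1:10000003:1] packet detected [**] [Priority: 0] "
    "{UDP} 10.10.10.99:30400 -> 10.10.10.16:30501",
    "02/21-18:12:42.978438  [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] "
    "{UDP} 10.10.10.99:30400 -> 10.10.10.16:30501",
    "02/21-18:12:50.000000  [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] "
    "{UDP} 10.10.10.99:30401 -> 10.10.10.16:30501",  # constructed, not from the thread
]


def parse_alert(line):
    """Return a dict with timestamp, action, sid and the 4-tuple, or None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        # The console format carries no year; relative differences are all we need.
        "ts": datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f"),
        "action": d["action"] or "alert",
        "sid": int(d["sid"]),
        "tuple": (d["proto"], d["src"], int(d["sport"]), d["dst"], int(d["dport"])),
    }


def repeated_tuples(alerts):
    """4-tuples that appear in more than one alert (Russ's first check)."""
    seen, repeats = set(), set()
    for a in alerts:
        if a["tuple"] in seen:
            repeats.add(a["tuple"])
        seen.add(a["tuple"])
    return repeats


BLOCK_TIMEOUT = timedelta(seconds=30)  # default per the reply; exact cut-off is an assumption


class BlockTable:
    """Model of the expected behaviour: a drop blocks only that 4-tuple, and
    the entry expires after the timeout. This is illustrative, not Snort's code."""

    def __init__(self, timeout=BLOCK_TIMEOUT):
        self.timeout = timeout
        self._expires = {}

    def record(self, alert):
        if alert["action"].lower() == "drop":
            self._expires[alert["tuple"]] = alert["ts"] + self.timeout

    def is_blocked(self, flow, now):
        exp = self._expires.get(flow)
        if exp is None:
            return False
        if now >= exp:           # timed out: the flow may pass again
            del self._expires[flow]
            return False
        return True


def simulate():
    """Replay the quoted drop alert and probe the block table afterwards."""
    drop = parse_alert(SAMPLE_ALERTS[1])
    table = BlockTable()
    table.record(drop)
    t = drop["ts"]
    same = drop["tuple"]
    other_port = ("UDP", "10.10.10.99", 30401, "10.10.10.16", 30501)
    return {
        "same_tuple_after_10s": table.is_blocked(same, t + timedelta(seconds=10)),
        "other_port_after_10s": table.is_blocked(other_port, t + timedelta(seconds=10)),
        "same_tuple_after_31s": table.is_blocked(same, t + timedelta(seconds=31)),
    }


if __name__ == "__main__":
    alerts = [parse_alert(l) for l in SAMPLE_ALERTS]
    print("repeated 4-tuples:", repeated_tuples(alerts))
    print(simulate())
```

If the modelled table says a flow from a fresh source port should pass and the bridge still drops it, the cause lies outside per-rule blocking (Russ's pointer to the very old 2.9.7.0 build is the next thing to check), whereas if every repeat really is the same 4-tuple, the observed behaviour matches what a block with a 30-second timeout would do.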
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging 
threats: https://snort.org/downloads/#rule-downloads
