Snort mailing list archives

Re: snort3: reject rule problem


From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Tue, 1 Oct 2019 19:04:27 +0300

That is per design – the alert kicks off the active responses.  The
alert is logged, but the responses are not.

I have many pings, so there should be many alerts, but there is only one alert for
pings when active response is ON.
Is it normal?

Tue, 1 Oct 2019 at 17:42, Meridoff <oagvozd () gmail com>:

I have many pings, so there should be many alerts, but there is only one when
active response is ON.
Is it normal?

Thu, 26 Sep 2019 at 17:41, Russ Combs (rucombs) <rucombs () cisco com>:

That is per design – the alert kicks off the active responses.  The alert
is logged, but the responses are not.



*From: *Meridoff <oagvozd () gmail com>
*Date: *Thursday, September 26, 2019 at 10:25 AM
*To: *"Russ Combs (rucombs)" <rucombs () cisco com>
*Subject: *Re: [Snort-devel] snort3: reject rule problem



Thanks, it has become better: Host/Port Unreachable is sent for each ping
packet now.



BUT only the 1st ping packet goes into the log. For the other ping packets there are
no alerts in the log.



I use active.min_interval = 1

So this setting fixes the problem with active response packets, but in the log there is
only the 1st alert for all cases.



Thu, 26 Sep 2019 at 14:36, Russ Combs (rucombs) <rucombs () cisco com>:

Take a look at the active module.  Try configuring active.min_interval.



Russ



*From: *Snort-devel <snort-devel-bounces () lists snort org> on behalf of
Meridoff via Snort-devel <snort-devel () lists snort org>
*Reply-To: *Meridoff <oagvozd () gmail com>
*Date: *Wednesday, September 25, 2019 at 5:39 PM
*To: *"snort-devel () lists snort org" <snort-devel () lists snort org>
*Subject: *[Snort-devel] snort3: reject rule problem



Hello

I have a reject rule that sends Port Unreachable for ping.



It's Ok, but only for 1st packet.



The next ping packets are silently dropped and not detected and not logged.



reject icmp 192.168.0.1 any -> any any ( gid:8000; sid:1; msg:"ping";  )



This happens when stream and stream_icmp inspectors are in config.



If I remove the stream {} and/or stream_icmp {} inspectors from the snort lua config, then ALL OK: each packet is
dropped and logged, and an ICMP Port Unreachable is sent for each dropped packet.





Part of config:



stream={}

stream_icmp={}

reject={control="port"}



Thanks.


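As an added example (not from the thread, nor from the Snort project itself), a minimal snort.lua fragment that puts the pieces discussed above together: the two inspectors that were present when the problem appeared, the reject rule, and the active.min_interval setting Russ suggested. The inline ips.rules layout is illustrative, and the max_responses key and its meaning are an assumption about the active module.

```lua
-- Added example: a snort.lua fragment reproducing the setup reported in the
-- thread, with the suggested fix applied. Not from the original thread.

-- Inspectors that were loaded when only the first ping got a response.
stream = { }
stream_icmp = { }

-- Active response for rejected packets: ICMP port unreachable.
reject = { control = "port" }

-- The fix from the thread: with the active module left at its defaults the
-- responder rate-limits itself, so only the first ping on a flow was answered.
-- min_interval = 1 (seconds) lets Snort answer each ping packet.
-- max_responses is an ASSUMPTION about the active module (not on the page);
-- 0 is assumed to mean no cap on the number of responses per flow.
active = {
    min_interval = 1,
    max_responses = 0,
}

-- The rule from the thread, inline instead of in a separate rules file.
ips = {
    rules = [[
        reject icmp 192.168.0.1 any -> any any ( gid:8000; sid:1; msg:"ping"; )
    ]]
}
```

Per the answer in the thread, this only changes how often the response is sent: the alert that triggered it is logged once for the flow, and the individual responses are not logged, so an alert count is not a count of packets rejected.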
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
