Snort mailing list archives
Re: snort seems to stop working after first hit of drop rule
From: Stefan Mayer <stefan.mayer () usaneers de>
Date: Thu, 27 Feb 2020 19:26:20 +0000
Hi again.
I was mistaken, snort is still not working. I tested it with two machines, one with snort from the Ubuntu 18.04 LTS repo,
and one with current sources, compiled from scratch.
There's one packet in particular, coming every 100ms, that I want to drop. The only rule that might apply here is the
content rule, matching against the first four bytes being 45670123, as described in my original mail.
Snort hits the rule once, does not report any further hits (although the packets are there), and does seem to block
other packets as well.
Why does snort stop working after the first hit? This only applies to the content rule. If I filter by port or IP, then
snort keeps on reporting drops and does not stop after the first hit.
Stefan
From: Snort-sigs <snort-sigs-bounces () lists snort org> On behalf of Stefan Mayer
Sent: Friday, 21 February 2020 18:31
To: snort-sigs () lists snort org
Subject: [Snort-sigs] snort seems to stop working after first hit of drop rule
Hi everyone.
I am using Ubuntu 18.04 LTS, and also the latest snort version from apt-get, Version 2.9.7.0 GRE (Build 149). It is
running inline, calling
/usr/sbin/snort -A console -Q -c /etc/snort/snort.conf -i eno1:enp3s0 -N
I set up the snort.conf, setting $HOME_NET to 10.10.10.0/25 and disabling all rules except local.rules, with the
following content:
alert udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)
The result is:
02/21-18:11:48.115016 [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501
At the receiving end, the packets still arrive as they are supposed to. So far, so good.
After changing the rule to
drop udp any any -> $HOME_NET 30501 (msg:"packet detected"; sid:10000003; rev:1; content:"|45670123|"; depth:4;)
The result is:
02/21-18:12:42.978438 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501
Once. For the first packet that matches. After that, the traffic on udp stops arriving at the target, the only thing
still passing the bridge is a ping. All udp traffic, either matching the rule or missing it, is lost, until I restart
snort.
Changing the rule to sdrop does not help, either.
How can I resolve this issue? Thanks.
Stefan
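Editor's added example (not code from the thread or from the Snort project): a small checker that parses the `-A console` alert lines in the format quoted above, counts the alert/[Drop] verdicts logged per sid, and applies the same `content:"|45670123|"; depth:4;` matching semantics to a constructed packet stream, so one can compare how many packets should have matched with how many verdicts Snort actually reported. The sample console lines and the packet stream are constructed; the only assumption about Snort is the console line layout shown in the thread and the standard meaning of `depth` (pattern must lie entirely within the first N payload bytes).

```python
import re
from collections import Counter

# Constructed sample of `snort -A console` output in the layout quoted in the thread:
# one plain alert line and two [Drop] lines for the same sid. Not real captured output.
SAMPLE_CONSOLE = """\
02/21-18:11:48.115016 [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501
02/21-18:12:42.978438 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501
02/21-18:12:43.078512 [Drop] [**] [1:10000003:1] packet detected [**] [Priority: 0] {UDP} 10.10.10.99:30400 -> 10.10.10.16:30501
"""

# One console alert line; the [Drop]/[SDrop] tag only appears for inline verdicts.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:\[(?P<action>Drop|SDrop|Reject)\]\s+)?"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_console(text):
    """Parse console alert lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["action"] = rec["action"] or "alert"   # no tag means a plain alert verdict
        records.append(rec)
    return records


def verdicts_per_rule(records):
    """Count verdicts per (sid, action), e.g. {('10000003', 'Drop'): 2}."""
    return Counter((r["sid"], r["action"]) for r in records)


def content_depth_match(payload, pattern, depth):
    """Snort `content` with `depth`: the pattern must lie entirely within the
    first `depth` payload bytes (no offset, so the search starts at byte 0).
    With a 4-byte pattern and depth:4 this is an exact-prefix test."""
    return pattern in payload[:depth]


def expected_matches(payloads, pattern, depth):
    """How many packets of a constructed stream should trigger the rule."""
    return sum(1 for p in payloads if content_depth_match(p, pattern, depth))


def missing_verdicts(payloads, records, sid, pattern, depth):
    """Matching packets minus verdicts logged for `sid`. A positive result means
    Snort stopped reporting on traffic the rule should have hit, which is the
    symptom described in the thread."""
    logged = sum(v for (s, _), v in verdicts_per_rule(records).items() if s == sid)
    return expected_matches(payloads, pattern, depth) - logged


if __name__ == "__main__":
    pattern = bytes.fromhex("45670123")                        # the rule's content:"|45670123|"
    stream = [bytes.fromhex("45670123") + b"\x00" * 12] * 5    # constructed: five matching packets
    recs = parse_console(SAMPLE_CONSOLE)
    print(verdicts_per_rule(recs))
    print("unreported matches:", missing_verdicts(stream, recs, "10000003", pattern, 4))
```

To use it against a real run, feed the console output (or the alert file) into `parse_console` and a packet capture's UDP payloads into `missing_verdicts`; if the count of matching payloads keeps growing while the logged verdicts stay at one, the rule engine has stopped reporting rather than the packets having stopped matching.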
