[SOLVED] Snort 3 resets not working.

Snorty101 · 05-20-2022, 04:22 PM

I am running snort 3 inline mode and trying to get active response to work.
When I ping a host located behind snort inline I get a "connection timeout" when I with active response and reject action in rule should get "Destination port unreachable"....???
When I look at the snort log it reads [reset], so the reset should be sent but still "connection timeout" when sending a ping...
Below are my configs:

ips =
{
mode = inline,
enable_builtin_rules = true,
variables = default_variables,
rules = [[ rules-here ]]
}

reject = { control="all", reset="both" }

active = { attempts = 2, device = "eth0", dst_mac = "mac-addr-of-eth0",}

normalizer = { tcp = { ips = true, } }

Starting snort with:

snort -c snort.lua --daq-dir /usr/local/lib/daq --daq afpacket --daq-var fanout_type=hash \
-s 65535 -k none -l /var/log/snort -Q -i eth0:enx5ca6e6fb7f8a -D

And icmp rule:
reject icmp any any -> any any (msg:"icmp"; sid:1; )

Any ideas what is wrong/missing??

Snorty101 · 05-23-2022, 09:20 AM

What could be the potential cause of "Icmp port unreachable" response from snort being blocked when sending a ping, or not sent at all?
Since snort log says [reset] it should be sent...
Could it be a bug in snort 3 since its fairly new and beta?

Two strange things that Ive noticed is:
1. Module rewrite is not being loaded when snort starts despite being set in snort.lua ---> rewrite = { }

2. When commented out module active is still being loaded on snort startup --active{} (commented out like that)

Any help would be appreciated.

Snorty101 · 06-12-2022, 12:24 PM

I asked snort mailing list and they said that snort does not respond to ping so everything is correct with the timeout when pinging.
They recommended me to remove module "active" completely.
Its also a good idea to disable builtin rules(enable_builtin_rules = true) by removing it.Text rules(Community rules for example) has abilities to shut down connections drop,block,reject, which builtin rules can not do and is more suited to testing purposes to my understunding.Builtin rules also overrides text rules and has no rule action(drop,block,reject) which leads to no action when some text rules are triggered, IF builtin rules are enabled that is.

So the correct configuration will be following:

ips =
{
mode = inline,
variables = default_variables,
rules = [[ rule1 rule2 rule3 ]]
}

reject = { control="all", reset="both" }

normalizer = { tcp = { ips = true, } }

Starting snort with:

snort -c snort.lua --daq-dir /usr/local/lib/daq --daq afpacket --daq-var fanout_type=hash \
-s 65535 -k none -l /var/log/snort -Q -i eth0:enx5ca6e6fb7f8a -D