Snort mailing list archives
More explanation needed in Snort User Manual for "resp:"?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 7 Nov 2003 09:53:29 +1300
Under the "Resp" section of the Snort User Manual: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22 it tells you how to use "resp" to do the ICMP/TCP-RSET thang. What it doesn't tell you is that flexresp just drops those "spoofed" packets onto the OS IP stack, i.e. those packets tend to fall out the default gateway interface, instead of (as I assumed) the same interface the packet was seen on...

This is rather important, because if you are like me, you have eth0 being the only Ethernet card with an address, and you are monitoring things like DMZs behind PIX (NATing) firewalls. Now, when an Internet address (say 1.2.3.4) connects to your DMZ Web server (say 4.3.2.1), Snort actually sees 1.2.3.4 talking to (say) 192.168.2.1, as 4.3.2.1 has been NATed. As you can imagine, the "resp" packets are never going to match up. The only way they can is if the "resp" packets were pushed out the same interface the offending packet was seen on. Then any NAT devices in front of them would remap them correctly.

I've looked at flexresp2, and it allows you to explicitly configure which interface RESET packets are sent through, which is almost there. But this still seems like a bug to me, as I can't think of a reason why you would ever want the packet to leave through anything other than the interface it was seen on! [well, except one: TAPs, but that's a pretty special case]

Am I missing something here?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
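The mismatch Jason describes can be walked through with a small model of his setup. The following is an added illustration, not Snort or flexresp code: a sensor sees the post-NAT flow on its monitor port, builds a RST from what it saw, and either hands it to the OS stack (which routes by destination and so picks the default-route interface) or, as flexresp2's interface option allows, injects it on the monitored interface so the PIX un-NATs it on the way out. All addresses, interface names, the routing table and the static NAT entry are constructed for the example; the client-side check compares only the 4-tuple and ignores TCP sequence-number validation.

```python
"""Toy model of why a flexresp RST sent via the OS stack misses a NATed flow.

Constructed example, not Snort code. Addresses follow the post:
client 1.2.3.4 -> DMZ server 4.3.2.1 (outside) / 192.168.2.1 (inside).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "S"  # simplified TCP flags: "S" for SYN, "R" for RST


@dataclass(frozen=True)
class Route:
    prefix: str  # destination prefix, e.g. "0.0.0.0/0"
    iface: str   # egress interface for that prefix


class SensorOS:
    """Minimal routing table: longest-prefix match on the destination."""

    def __init__(self, routes: List[Route]):
        self.routes = [(ip_network(r.prefix), r.iface) for r in routes]

    def egress_iface(self, dst: str) -> Optional[str]:
        best = None
        for net, iface in self.routes:
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


class StaticNAT:
    """Static one-to-one NAT, as the PIX does for the DMZ web server."""

    def __init__(self, outside: str, inside: str):
        self.outside, self.inside = outside, inside

    def inbound(self, pkt: Packet) -> Packet:   # Internet -> DMZ: rewrite destination
        return replace(pkt, dst=self.inside) if pkt.dst == self.outside else pkt

    def outbound(self, pkt: Packet) -> Packet:  # DMZ -> Internet: rewrite source
        return replace(pkt, src=self.outside) if pkt.src == self.inside else pkt


def build_rst(observed: Packet) -> Packet:
    """The RST flexresp would aim at the client, built from the packet the sensor saw."""
    return Packet(src=observed.dst, sport=observed.dport,
                  dst=observed.src, dport=observed.sport, flags="R")


def client_accepts(client_view: Packet, rst: Packet) -> bool:
    """Does the RST line up with the client's own view of the connection?
    (4-tuple only; real TCP also checks the sequence number.)"""
    return (rst.flags == "R" and
            (rst.src, rst.sport, rst.dst, rst.dport) ==
            (client_view.dst, client_view.dport, client_view.src, client_view.sport))


def deliver(sensor: SensorOS, nat: StaticNAT, rst: Packet,
            monitored_iface: str, force_monitored: bool) -> Packet:
    """Return the RST as it arrives at the client.
    force_monitored=False: OS stack picks the interface by route (flexresp).
    force_monitored=True: inject on the monitored interface (flexresp2 option)."""
    iface = monitored_iface if force_monitored else sensor.egress_iface(rst.dst)
    if iface == monitored_iface:
        return nat.outbound(rst)  # passes back through the PIX, source is un-NATed
    return rst                    # leaves via the default gateway untouched


def simulate(force_monitored: bool) -> Tuple[Packet, bool]:
    client_syn = Packet("1.2.3.4", 40000, "4.3.2.1", 80)       # what the client sent
    nat = StaticNAT(outside="4.3.2.1", inside="192.168.2.1")
    seen_on_dmz = nat.inbound(client_syn)                       # sensor sees 1.2.3.4 -> 192.168.2.1
    # eth0 is the only addressed card; eth1 is the addressless DMZ monitor port.
    sensor = SensorOS([Route("0.0.0.0/0", "eth0"), Route("10.10.0.0/24", "eth0")])
    rst = build_rst(seen_on_dmz)
    arriving = deliver(sensor, nat, rst, monitored_iface="eth1",
                       force_monitored=force_monitored)
    return arriving, client_accepts(client_syn, arriving)


if __name__ == "__main__":
    for mode in (False, True):
        pkt, ok = simulate(mode)
        print(f"force_monitored={mode}: RST {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}, matches client flow: {ok}")
```

Run stand-alone it shows the stack-routed RST leaving as 192.168.2.1:80 -> 1.2.3.4:40000, which the client has no connection for, while the interface-pinned RST is rewritten by the NAT to 4.3.2.1:80 and lines up. The same model also makes the TAP caveat visible: with a receive-only tap there is no interface on which injecting would reach the NAT device at all.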