Snort mailing list archives

Re: flexresp - I have 2 stupid questions


From: Jeff Nathan <jeff () snort org>
Date: Wed, 26 Nov 2003 16:18:00 -0500


Rich,

I was in the midst of replying to your first question when I saw this one. The first message posed an excellent question and I want to make sure that I do it justice when answering. I'll send that one out soon. More on that later, though.

The version of flexresp you're using will allow you to create ICMP host and network unreachable messages to send in response to ICMP echo requests. These are the only types of ICMP responses appropriate for an ICMP echo request (as it relates to flexresp).

A log file isn't kept and it doesn't create special alerts to let you know whether or not it's working.

The version of flexresp you're using is designed to send responses primarily to the attacker. The odds are very high that the target has received the packets by the time your Snort system can respond.

The new version of flexresp which is known as flexresp2 (which is still being improved), is intended to knock down TCP connections and is primarily focused on sending responses to only the target (or server).

To answer your previous email message, flexresp may not work as you've currently configured it. When it sends a response it uses the routing table on your computer to determine which network interface should be used to transmit the response. If your "administrative" interface on the Snort system has a default route, then it's possible the response packets could make it back to the attacker. But, I can't say for certain without having more information.

I was in the midst of writing a response to you that included an example on how to test flexresp2 when I discovered an oversight in the design of the new inline response functionality. I'd like to be more helpful by sending you an example but before I send an example, I'd like to make sure the new code functions as I think it ought to.

Here are some guidelines for using flexresp.

The current (old) version of flexresp uses the routing table of the system on which it is running to determine which interface to send responses from.

The process of active response (which is the more general term for what flexresp in Snort is trying to achieve: tearing down connections), is a race between the attacker and the system attempting to perform the active response. The attacker has an inherent advantage because his or her packets are generated as a result of using the network. Conversely, active response must create packets for the responses after first identifying the "bad" network traffic.

Use TCP reset responses for TCP only. Use ICMP Port/Net or Host unreachable responses for UDP. Use ICMP Net or Host unreachable responses for ICMP packets. But, keep in mind that some ICMP packets are error messages generated by an IP stack and others are informational messages. The steadfast rule is that ICMP error messages should not be generated as a response to an ICMP error message. So, if your kernel's IP stack (or in this case, Snort) sees an ICMP error message, it shouldn't generate another ICMP error message in response to the first error. This could cause a war of ICMP error messages.

If you're sure that you've got your routing table setup properly and that the administrative interface should have a way of sending packets back to the attacker, and you're sure that your Snort rules apply to a service running on the target, then you should be able to use a packet sniffer and look for the responses generated by flexresp. Even if the responses have no effect (because they're sent too late) you should see them.

Take care,

-Jeff


On Nov 26, 2003, at 3:23 PM, Rich Stryker wrote:

I have the libnetNT.dll in the winnt\system32 directory. I have pinged the servers that flexresp should be monitoring, but I still get a response when I think I should be getting dropped packets.

Does flexresp write a log somewhere that I can see if it is loading properly or functioning properly, or reading packets properly but unable to respond?

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Wednesday, November 26, 2003 11:57
To: Rich Stryker; snort-users () lists sourceforge net
Subject: Re: [Snort-users] flexresp - I have 2 stupid questions


At 10:26 AM 11/26/2003, Rich Stryker wrote:
* If I have unbound TCP/IP on the outside NIC where I have set flexresp, I have set the rules to send ICMP null responses, will flexresp actually work?

It should... flexresp uses libnet to generate the packets and does not rely on the local tcp/ip stack.

*       How do you know if flexresp is working?

Um.. test it?




-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age
eighteen."   - Albert Einstein

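The response-selection guidelines in Jeff's message (TCP reset for TCP, ICMP unreachable for UDP and for informational ICMP, and never an ICMP error in reply to an ICMP error) worked through as an added Python example; this is not code from the thread or from Snort's flexresp, and the packet builder, addresses and response labels are constructed for the demonstration:

```python
import struct
from typing import List

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# ICMP error-message types (RFC 792): destination unreachable, source quench,
# redirect, time exceeded, parameter problem. Other types (echo, timestamp,
# router discovery, ...) are informational messages.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def ipv4_packet(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 datagram (20-byte header, no options) for testing.
    Addresses are constructed RFC 5737 documentation values, checksum left 0."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,        # version/IHL, TOS, total length
                         0, 0,                      # identification, flags/fragment
                         64, proto, 0,              # TTL, protocol, header checksum
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return header + payload


def allowed_responses(packet: bytes) -> List[str]:
    """Return the active-response kinds appropriate for this packet:
    TCP -> reset; UDP -> ICMP port/host/net unreachable; informational ICMP
    -> ICMP host/net unreachable; ICMP error -> nothing (no error-for-error)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    proto = packet[9]
    payload = packet[ihl:]
    if proto == PROTO_TCP:
        return ["tcp_reset"]
    if proto == PROTO_UDP:
        return ["icmp_port_unreach", "icmp_host_unreach", "icmp_net_unreach"]
    if proto == PROTO_ICMP:
        if not payload:
            raise ValueError("ICMP packet without ICMP header")
        if payload[0] in ICMP_ERROR_TYPES:
            # Answering an ICMP error with another ICMP error could start a
            # "war" of error messages, so no active response is appropriate.
            return []
        return ["icmp_host_unreach", "icmp_net_unreach"]
    return []  # other protocols: no flexresp response type applies
```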




