Snort mailing list archives

Re: Sticky-drop

From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 7 Dec 2005 10:13:41 -0600

On 12/7/05, G Ramon Gomez <gene () gomezbrothers com> wrote:

Hi Patrick,
With regards to this particular issue, one thing that caught me when I
started using RSTs was that the packets get sent using the routing
table.  In my case I had a stealth bridging firewall that I had set up
with flexresp, but found that, although Snort was listening on br0 (eth1
+ eth2, no IPs assigned), RST packets were being emitted on eth0 (my
management interface, where my only IP was assigned).  As a result, my
stateful firewalls on the management network were dropping the packets.
Double-check that the RSTs are being sent out the interface you think
they're going out through.

- Ramon


This is only true if you are using InlineMode() on a bridge without an
ip stack and you have an ip address assigned to a management
interface, and you don't turn on layer2resets.  Turning on
layer2resets should fix your issue in this scenario.  Connections
currently do not get sent in both directions only to the attacker that
triggered that alert.  We will add options in the future to reflect
the flexresp options of src/dst/both but I've been pressed for time
lately.

Regards,

Will

I regards to the bug Patrick was refering to, that was a problem with
stream4 timeouts and InlineMode();  That was fixed a long time
ago.....

Regards,

Will

Patrick Walsh wrote:

      Also, are there any known bugs with connection resets?  I think the
reset packets may not be getting sent to both ends of the connection or
else might not have the proper source port set.



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Can I automatically include rules? oink (Dec 06)
- Re: Can I automatically include rules? Will Metcalf (Dec 06)
  - Re: Can I automatically include rules? oink (Dec 06)
  - Sticky-drop Patrick Walsh (Dec 07)
    - Re: Sticky-drop G Ramon Gomez (Dec 07)
    - Re: Sticky-drop Will Metcalf (Dec 07)
    - Re: Sticky-drop Patrick Walsh (Dec 07)
    - Message not available
    - Re: Sticky-drop Patrick Walsh (Dec 07)
    - Re: Sticky-drop Will Metcalf (Dec 07)
    - Re: Sticky-drop Joel Esler (Dec 07)
- Re: Can I automatically include rules? Jason (Dec 06)
- Re: Can I automatically include rules? Nerijus Krukauskas (Dec 06)