Snort mailing list archives
Re: Sticky-drop
From: Will Metcalf <william.metcalf () gmail com>
Date: Wed, 7 Dec 2005 10:13:41 -0600
On 12/7/05, G Ramon Gomez <gene () gomezbrothers com> wrote:
Hi Patrick,

With regards to this particular issue, one thing that caught me when I started using RSTs was that the packets get sent using the routing table. In my case I had a stealth bridging firewall that I had set up with flexresp, but found that, although Snort was listening on br0 (eth1 + eth2, no IPs assigned), RST packets were being emitted on eth0 (my management interface, where my only IP was assigned). As a result, my stateful firewalls on the management network were dropping the packets.

Double-check that the RSTs are being sent out the interface you think they're going out through.

- Ramon
This is only true if you are using InlineMode() on a bridge without an IP stack and you have an IP address assigned to a management interface, and you don't turn on layer2resets. Turning on layer2resets should fix your issue in this scenario. Connections currently do not get sent in both directions, only to the attacker that triggered that alert. We will add options in the future to reflect the flexresp options of src/dst/both, but I've been pressed for time lately.

Regards,
Will

In regards to the bug Patrick was referring to, that was a problem with stream4 timeouts and InlineMode(). That was fixed a long time ago...

Regards,
Will
Patrick Walsh wrote:
Also, are there any known bugs with connection resets? I think the reset packets may not be getting sent to both ends of the connection or else might not have the proper source port set.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users