Snort mailing list archives
How to use react under IPS mode correctly?
From: Hsuan-Yi Sung <newdominic () gmail com>
Date: Thu, 4 May 2017 10:02:57 +0800
Hi,

I'm running Snort 2.9.8.3 on FreeBSD 10.3-RELEASE, under inline mode with daq-ipfw. I've been trying to use the "react" keyword in my rules to send a fake response page to the client. At first, I tried the rule below:

    alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; react:msg; sid:1002; rev:001;)

The client can't even make a successful handshake with the destination IP. After doing some research on sp_react.c (and some googling), I guess this must be triggered only after the connection is established. So I added the "flow" keyword:

    alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; flow:established,from_client; react:msg; sid:1002; rev:001;)

By using tcpdump, I can see the connection established, and also the HTTP GET request packet. But the forged response is still not showing. So I dug deeper, and found that in spp_stream6.c,

    static void StreamDropPacket( Packet *p )
    {
        ...
        ...
        if (!(p->packet_flags & PKT_STATELESS))
            session_api->drop_traffic(p, p->ssnptr, SSN_DIR_BOTH);
    }

The drop_traffic function made all the injected packets blocked. Finally, I switched the parameter of "flow" to "stateless":

    alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; flow:stateless; react:msg; sid:1002; rev:001;)

Now I can see the fake response page and connection reset packets. Not sure if I misunderstood the code or not, is this the right way to use "react" under inline mode? Do I have to treat the HTTP packet stateless?
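An added example, not part of the post and not Snort's own code: a small lint that parses the option body of each rule and reports which of the three combinations the poster tried it matches (react with no flow, react with a stateful flow, or react with flow:stateless). The sample rules are the ones quoted above; the classification encodes the poster's observations, not documented Snort behaviour.

```python
import re
from typing import List, Tuple

# Constructed sample: the three rule variants quoted in the post above.
SAMPLE_RULES = """
alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; react:msg; sid:1002; rev:001;)
alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; flow:established,from_client; react:msg; sid:1002; rev:001;)
alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; flow:stateless; react:msg; sid:1002; rev:001;)
"""

# One rule option: name, optional ":value" (a quoted value may contain ';'), ended by ';'
OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;"])*))?;')


def parse_options(rule: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the parenthesised option body of one rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(m.group(1), (m.group(2) or "").strip()) for m in OPTION_RE.finditer(body)]


def react_status(rule: str) -> str:
    """Classify the react/flow combination of one rule.

    'none'      no react option, nothing to check
    'no-flow'   react without flow (poster's first attempt: no handshake)
    'stateful'  react with flow:established etc. (poster saw no response)
    'stateless' react with flow:stateless (poster saw the page and resets)
    """
    opts = parse_options(rule)
    if not any(name == "react" for name, _ in opts):
        return "none"
    flows = [value for name, value in opts if name == "flow"]
    if not flows:
        return "no-flow"
    flags = {f.strip() for value in flows for f in value.split(",")}
    return "stateless" if "stateless" in flags else "stateful"


def lint_rules(text: str) -> List[Tuple[str, str]]:
    """Return (sid, status) for every non-empty, non-comment rule line in text."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = next((v for n, v in parse_options(line) if n == "sid"), "?")
        results.append((sid, react_status(line)))
    return results


if __name__ == "__main__":
    for sid, status in lint_rules(SAMPLE_RULES):
        print(f"sid {sid}: {status}")
```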