Snort mailing list archives
RE: Snort+flexresp
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Tue, 26 Mar 2002 10:29:22 -0600
Hi guys, I've actually implemented this. But I've noticed that it's not quicky. I'm running it on a FreeBSD-STABLE 4.5. And then I tried to hit one of our IIS webserver which is not patched, I was able to see a dir listing. It was successful when I changed my u n i c o d e parameter as /c+dir+c:\+/s That's when my session got teared down but I've already seen some of the listings. On the first one, /c+dir, I can see my snorts sends a R using tcpdump but was not able to really tear it. So what would be the appropriate approach now for this? Thank you very much. Neil
-----Original Message----- From: Bamm Visscher [mailto:bamm () satx rr com] Sent: Tuesday, March 26, 2002 7:29 AM To: Jeff Nathan Cc: Sonika Malhotra; Snort Subject: Re: [Snort-users] Snort+flexresp Jeff, Thanks for the explanation about how flex-resp works. Although to me it seems you mixed "how it works" with "when/how to use it" and I disagree with some of your assertions. You seem to imply that flex-resp will only work with content based signatures. That is where I disagree. For example, rules like these: alert tcp 192.168.1.1 any <> any any (msg: "LOCAL Attempted session from perp."; flags:!R; resp:rst_all;) and alert tcp any any <> 10.1.1.1 1524 (msg: "LOCAL Attempted session to perps backdoor."; flags:!R; resp:rst_all;) will attempt kill any session to/from the "bad guy" or his backdoor, and as long as the protocol is "reset friendly" (ie ssh, FTP, SMTP, most tcp backdoors, etc), it will be very successful. Why would anyone use a rule like this? Because in some organizations (MSSPs, larger companies, etc), the individuals doing network security monitoring aren't necessarily handling the management of the firewalls/routers. With flex-resp, the analyst who detect a successful compromise can institute some type of "protection" until those responsible for the compromised system and/or the engineers responsible for FW management can be contacted and they can take the appropriate actions. Bammkkkk On Mon, 2002-03-25 at 18:49, Jeff Nathan wrote:Hi snortees, I suppose it's time for a little tour of how flexresp is designed to work. First off, flexresp is not designed to reset new TCPconnections to aparticular port outright. It's actually designed to beemployed withsignatures containing a *pattern* such that when a snort signature matches a packet on the wire a response is generated. With TCP, calculating ACK numbers is a function of acknowledging the bytes already received by the IP stack as well as any TCP flags that must be acknowledged and then incrementing the ACK numberaccordingly.With that said, flexresp won't properly generate a RST fora SYN to aport, or at least it probably won't be accepted by a client IP stack (though there's no accounting for broken IP stacks). It's just not designed to work that way. When testing flexresp, your TCP based rules should triggeroff packetscontaining data and not part of the establishment ortearing down of asession. I hope this helps. -Jeff Bamm Visscher wrote:I apologize for the confusion, I guess I should ofelaborated more. Idid not mean to imply content rules do not "work" withflex-resp. Youcan create any rule with any option and resp will "work".By "work", Imean the reset(s)/ICMP error messages will be created bysnort and senton the wire. The statement I was trying to make is howineffective flexresponse rules can be when used on HTTP traffic. Take thefollowing HTTPsession as an example: attacker:1025 -> target:80 S attacker:1025 <- target:80 SA attacker:1025 -> target:80 A attacker:1025 -> target:80 AP "GET blah/cmd.exe?tftphax0r.net blah"attacker:1025 <- target:80 AP <HTML>200 Okay</HTML> attacker:1025 -> target:80 FA attacker:1025 <- target:80 A attacker:1025 -> target:80 FA attacker:1025 <- tartge:80 A All the important content in this connection is containedin a singlepacket (as is often the case with HTTP). In order toeffectively resetthis connection, our reset packet has to reach the targetbox before the"GET" request. So, using a content based rule probablyisn't going toprevent this attack from working. Matter of fact, trysetting up a ruleto reset all web surfing from your IP (alert tcp YOURIPany <> any 80(msg: "blocking web tfc"; resp:rst_all;)). Now see if youcan surf theweb. I tried this a while back with snort-1.8.1 and hadno problemsloading most pages. I tried the same thing later withsnort-1.8.3 (majorchanges to flex-resp) and found that it could sometimesprevent thepages from loading, but not very often (IIRC. If yourtests differ,please let me know, I have been known to make mistakes).This is nofault of snort, but a problem with the concept offlex-resp (tcp-reset,etc) and affects all IDSes that employ it. With that said, I do use flex-resp in a short-termincident containmentmode until long term fixes can be put in place. Forexample, once anintrusion has been identified, I will use flex-resp in aneffort toprevent an attacker from doing further damage until theaffected systemcan be taken off-line or a rule blocking the attacker canbe placed inthe FW/router. This often means sending a reset in response to any packet sent by the source. Another example is usingflex-resp to helpprevent the spread of a virus with a content basedsigature in snortuntil the virus signatures on email scrubbers can be updated. Using flex-resp eats resources, so take the time to findout just howdifferent protocols work (HTTP, FTP, telnet, etc) andmake sure anyflex-resp rules you create, are going to be effective"against" them. Ifyou want snort to take a more "active" role in preventingintrusions, Isuggest you look into hogwash. Bammkkkk-- http://jeff.wwti.com (pgp key available) "Common sense is the collection of prejudices acquired byage eighteen."- Albert Einstein _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Snort+flexresp, (continued)
- Re: Snort+flexresp Sonika Malhotra (Mar 12)
- RE: Snort+flexresp skill2die4 (Mar 13)
- RE: Snort+flexresp Bamm (Robert) Visscher (Mar 13)
- Re: Snort+flexresp Sonika Malhotra (Mar 14)
- Re: Snort+flexresp Sam (Mar 14)
- Re: Snort+flexresp Bamm Visscher (Mar 14)
- Re: Snort+flexresp Jeff Nathan (Mar 25)
- Re: Snort+flexresp Bamm Visscher (Mar 26)
- Re: Snort+flexresp Jeff Nathan (Mar 26)
- Re: Snort+flexresp Sonika Malhotra (Mar 12)
- Re: Snort+flexresp Roelof JT Jonkman (Mar 13)
- Re: Snort+flexresp Jeff Nathan (Mar 27)
- Re: Snort+flexresp Onie Camara (Mar 28)
- Re: Snort+flexresp Bamm Visscher (Mar 28)
- Re: Snort+flexresp Onie Camara (Mar 28)
- Re: Snort+flexresp Bamm Visscher (Mar 28)
- Re: Snort+flexresp Onie Camara (Mar 28)
- Re: Snort+flexresp Onie Camara (Mar 28)