Snort mailing list archives

Re: How to use react under IPS mode correctly?


From: Russ <rucombs () cisco com>
Date: Fri, 5 May 2017 08:30:36 -0400

That doesn't sound right.  You shouldn't have to be stateless. Also, are 
you saying Snort is blocking your active responses?  They should be sent 
from Snort but not through Snort.

On 5/3/17 10:02 PM, Hsuan-Yi Sung wrote:
Hi,

I'm running Snort 2.9.8.3 on FreeBSD 10.3-RELEASE, under inline mode with
daq-ipfw.

I've been trying to use the "react" keyword in my rules to send a fake
response page to client.
At first, I tried the rules below:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; react:msg;
sid:1002; rev:001;)

The client can't even make a successful handshake with the destination IP.
After doing some research on sp_react.c (and some googling), I guess this
must be triggered only after the connection is established. So I added the
"flow" keyword:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
flow:established,from_client; react:msg; sid:1002; rev:001;)

By using tcpdump, I can see the connection being established, and also the HTTP GET
request packet.
But the forged response is still not showing.

So I dug deeper, and found that in spp_stream6.c,

static void StreamDropPacket( Packet *p ) {
...
...
     if (!(p->packet_flags & PKT_STATELESS))
         session_api->drop_traffic(p, p->ssnptr, SSN_DIR_BOTH);
}

The drop_traffic function caused all the injected packets to be blocked.
Finally, I switched the parameter of "flow" to "stateless":

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
flow:stateless; react:msg; sid:1002; rev:001;)

Now I can see the fake response page and connection reset packets.

Not sure if I misunderstood the code or not, is this the right way to use
"react" under inline mode?
Do I have to treat the HTTP packet stateless?
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


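What "react" has to get right at the packet level, as an added illustration that is not Snort's sp_react.c nor anything from the thread: an active response is only accepted by the client if its TCP sequence and acknowledgement numbers line up with the observed request, which is why a rule without flow:established (fired on the SYN, before any payload is exchanged) produces packets the client never accepts. The script below takes a constructed client GET (the addresses, ports and sequence numbers are made up for the demo), forges the HTTP 403 page from the server's side, then a RST to each end, and builds real IPv4/TCP bytes with checksums so the result can be checked with a parser. Writing them to a raw socket or a DAQ inject path is left out; the helper names (`build_tcp_packet`, `forge_react_packets`, `parse_packet`) are this example's own.

```python
"""Forge a react-style HTTP response plus resets for an observed client request.
Added example; not Snort code. Sample packet below is constructed for the demo."""
import socket
import struct

FLAG_FIN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x04, 0x08, 0x10

REACT_BODY = b"<html><body><h1>Access denied by policy</h1></body></html>"
REACT_PAGE = (b"HTTP/1.1 403 Forbidden\r\n"
              b"Content-Type: text/html\r\n"
              b"Connection: close\r\n"
              b"Content-Length: " + str(len(REACT_BODY)).encode() + b"\r\n\r\n" + REACT_BODY)


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Return an IPv4 + TCP packet (no options) with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, 20 + len(payload))  # TCP pseudo-header
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", _checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr + payload


def parse_packet(pkt: bytes) -> dict:
    """Decode the fields a receiver would check, including whether the checksums verify."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload": tcp[(off >> 4) * 4:],
        "ip_csum_ok": _checksum(pkt[:ihl]) == 0,        # a valid header sums to zero
        "tcp_csum_ok": _checksum(pseudo + tcp) == 0,
    }


def forge_react_packets(obs: dict) -> list:
    """Given the observed client request (fields as in OBSERVED_GET), return
    [page_to_client, rst_to_client, rst_to_server] with numbers the peers will accept."""
    next_client_seq = obs["seq"] + len(obs["payload"])  # what the server would ACK next
    server_seq = obs["ack"]                              # where the server's byte stream stands
    # 1. The fake page, spoofed as if the server sent it.
    page = build_tcp_packet(obs["dst"], obs["src"], obs["dport"], obs["sport"],
                            server_seq, next_client_seq, FLAG_PSH | FLAG_ACK, REACT_PAGE)
    # 2. Reset the client, continuing the server's sequence space past the page.
    rst_client = build_tcp_packet(obs["dst"], obs["src"], obs["dport"], obs["sport"],
                                  server_seq + len(REACT_PAGE), next_client_seq, FLAG_RST | FLAG_ACK)
    # 3. Reset the server, spoofed as the client at its current sequence position.
    rst_server = build_tcp_packet(obs["src"], obs["dst"], obs["sport"], obs["dport"],
                                  next_client_seq, server_seq, FLAG_RST | FLAG_ACK)
    return [page, rst_client, rst_server]


# Constructed sample: a client GET seen after the handshake, with made-up numbers.
OBSERVED_GET = {
    "src": "192.168.1.10", "dst": "203.0.113.5", "sport": 51234, "dport": 80,
    "seq": 1000, "ack": 5000,
    "payload": b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, pkt in zip(("page->client", "rst->client", "rst->server"),
                          forge_react_packets(OBSERVED_GET)):
        p = parse_packet(pkt)
        print(f"{label}: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
              f"seq={p['seq']} ack={p['ack']} flags=0x{p['flags']:02x} "
              f"len={len(p['payload'])} csum_ok={p['ip_csum_ok'] and p['tcp_csum_ok']}")
```

The numbers are the whole point: the page must start at the client's last ACK value and acknowledge exactly the end of the request, and the RST to the client must sit right after the page in the server's sequence space, or the client's stack silently discards it. That is also why, on an inline sensor, these packets have to leave through an injection path rather than be fed back through the same stream tracker that is dropping the flow.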

