Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to use react under IPS mode correctly?

From: Hsuan-Yi Sung <newdominic () gmail com>
Date: Mon, 8 May 2017 14:22:46 +0800
Yes, before I set the rule to stateless, Snort is blocking the active
responses, which should be injected via Active_SendData() and
Active_SendReset() in sp_react.c.

I added some debug messages into the daq library, and it showed that the
ipfw_daq_forward() function did return DAQ_SUCCESS while calling the
functions mentioned above.

I know it might be wrong making it stateless, just trying to figure out
where and why the injected packets get blocked.

I'll try the react plugin on other platforms these days for some
cross-comparison.

2017-05-05 20:30 GMT+08:00 Russ <rucombs () cisco com>:


That doesn't sound right.  You shouldn't have to be stateless. Also, are
you saying Snort is blocking your active responses?  They should be sent
from Snort but not through Snort.


On 5/3/17 10:02 PM, Hsuan-Yi Sung wrote:


Hi,

I'm running Snort 2.9.8.3 on FreeBSD 10.3-RELEASE, under inline mode with
daq-ipfw.

I've been trying to use the "react" keyword in my rules to send a fake
response page to client.
At first, I tried the rules below:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
react:msg;
sid:1002; rev:001;)

The client can't even make a successful handshake with the destination IP.
After doing some research on sp_react.c (and some googling), I guess this
must be triggered only after the connection established. So I added the
"flow" keyword:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
flow:established,from_client; react:msg; sid:1002; rev:001;)

By using tcpdump, I can see the connection established, also the HTTP GET
request packet.
But the forged response still not showing.

So I dig deeper, and found that in spp_stream6.c,

static void StreamDropPacket( Packet *p ) {
...
...
     if (!(p->packet_flags & PKT_STATELESS))
         session_api->drop_traffic(p, p->ssnptr, SSN_DIR_BOTH);
}

The drop_traffic function made all the injected packet blocked.
Finally, I switched the parameter of "flow" to "stateless":

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
flow:stateless; react:msg; sid:1002; rev:001;)

Now I can see the fake response page and connection reset packets.

Not sure if I misunderstood the code or not, is this the right way to use
"react" under inline mode?
Do I have to treat the HTTP packet stateless?
------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!







-- 
Best Regards,
Hsuan-Yi Sung
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: