Snort mailing list archives

Re: WAN IPS + LAN Snort IDS: Signature events visible on both sides?


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Tue, 18 Dec 2018 20:52:22 +0000

Not sure I understand the question, but the signature/event packet that alerts probably won't have the reset.

Have you tried capturing the traffic (with another tool) or tagging the snort event (to see traffic around the time of 
alert)?

If you run snort inline (i.e. afpacket) you can dump the DAQ to see the traffic handled. You may see the reset packet 
there.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com<mailto:allewi () cisco com>


From: Snort-users <snort-users-bounces () lists snort org> on behalf of Snort IPS via Snort-users <snort-users () lists 
snort org>
Reply-To: Snort IPS <snortvsips () gmail com>
Date: Tuesday, December 18, 2018 at 3:19 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] WAN IPS + LAN Snort IDS: Signature events visible on both sides?

I currently use snort as a backup IDS to inspect LAN traffic.  I find myself in the unusual position that a commercial 
IPS that I have deployed on the WAN side will identify signatures and label them as blocked, but our Snort IDS on the 
LAN side sees the exact same signature events on our LAN side.  I must be old, but I was certain that blocked traffic 
at our WAN edge IPS system should NOT be visible to our internal LAN snort IDS.

The commercial IPS claims that a TCP reset flag is set to break the connection to prevent the exploit payload from 
delivering, but I don't see the flag within the same signature packet on the LAN side.

I don't know if I'm just stupid and unaware of this newer firewall technique, or if the commercial IPS that we use is 
broken in some way (intentional or otherwise).
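The check both posts are circling around is whether the edge IPS's reset ever reaches the LAN segment, and where it lands relative to the segment that fired the signature. A reset is a separate packet sent after the IPS has already seen (and therefore already forwarded) the offending segment, so a passive sensor downstream will always log the signature hit first; what it should also log, if the IPS is doing what it claims, is a RST for the same 4-tuple shortly afterwards. The script below is an added example, not code from the post or from the Snort project: it replays a constructed trace of two TCP sessions (addresses, ports and sizes are hypothetical) and, per flow, reports whether a RST followed the alerting packet and which endpoint it claimed to come from. The `looks_like_exploit` predicate is a stand-in for a rule content match.

```python
from collections import defaultdict

# Constructed sample trace (not from the original post): what a passive Snort
# sensor on the LAN segment might see for two client->server sessions.
# Each packet is (src_ip, sport, dst_ip, dport, tcp_flags, payload_len).
# Addresses, ports and sizes are hypothetical.
SAMPLE_TRACE = [
    # flow 1: the edge IPS "blocks" by injecting a RST spoofed from the server
    ("10.0.0.5", 51000, "203.0.113.7", 80, "S", 0),
    ("203.0.113.7", 80, "10.0.0.5", 51000, "SA", 0),
    ("10.0.0.5", 51000, "203.0.113.7", 80, "A", 0),
    ("10.0.0.5", 51000, "203.0.113.7", 80, "PA", 120),
    ("203.0.113.7", 80, "10.0.0.5", 51000, "PA", 1400),   # segment that fires the signature
    ("203.0.113.7", 80, "10.0.0.5", 51000, "R", 0),       # injected reset, necessarily afterwards
    # flow 2: same signature, but no reset ever reaches the LAN
    ("10.0.0.6", 52000, "203.0.113.7", 80, "S", 0),
    ("203.0.113.7", 80, "10.0.0.6", 52000, "SA", 0),
    ("10.0.0.6", 52000, "203.0.113.7", 80, "A", 0),
    ("10.0.0.6", 52000, "203.0.113.7", 80, "PA", 120),
    ("203.0.113.7", 80, "10.0.0.6", 52000, "PA", 1400),
    ("10.0.0.6", 52000, "203.0.113.7", 80, "A", 0),
]


def looks_like_exploit(pkt):
    """Stand-in for a Snort content match: a large server->client segment."""
    _src, sport, _dst, _dport, _flags, plen = pkt
    return sport == 80 and plen >= 1000


def flow_key(pkt):
    """Direction-independent key so both halves of a session land in one bucket."""
    src, sport, dst, dport, _flags, _plen = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))


def correlate_resets(packets, is_alert=looks_like_exploit):
    """For every flow containing an alerting packet, report whether a RST was
    seen on this segment after it, how many packets later, and which endpoint
    the RST claimed as its source (an IPS reset is spoofed from one peer)."""
    flows = defaultdict(list)
    for idx, pkt in enumerate(packets):
        flows[flow_key(pkt)].append((idx, pkt))

    report = {}
    for key, pkts in flows.items():
        alert_idx = next((i for i, p in pkts if is_alert(p)), None)
        if alert_idx is None:
            continue  # flow never fired the signature; nothing to correlate
        rst = next(((i, p) for i, p in pkts if i > alert_idx and "R" in p[4]), None)
        if rst is None:
            report[key] = {
                "alert_at": alert_idx, "rst_at": None, "rst_from": None,
                "verdict": "signature fired, no reset seen on this segment",
            }
        else:
            rst_idx, rst_pkt = rst
            report[key] = {
                "alert_at": alert_idx, "rst_at": rst_idx, "rst_from": rst_pkt[0],
                "verdict": (f"reset {rst_idx - alert_idx} packet(s) after the alerting "
                            f"segment; that segment already reached the host"),
            }
    return report


if __name__ == "__main__":
    for key, info in correlate_resets(SAMPLE_TRACE).items():
        print(key, info["verdict"], "from", info["rst_from"])
```

To feed this with real data, capture the flows Snort alerted on with something like `tcpdump -nn 'host <victim> and tcp'` on the LAN side (the filter `tcp[tcpflags] & tcp-rst != 0` isolates the resets), or add `tag:session,20,packets;` to the rule in question so Snort itself logs the packets that follow the alert. Either way, a flow that fires with no trailing RST means the edge device is only reporting, not breaking, that session; and even when the RST is present, the reset cannot retract the segment it arrived after, so only an inline drop prevents delivery.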
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org