Snort mailing list archives

Re: Flex-Response, anyone using it?


From: Jason <security () brvenik com>
Date: Wed, 19 May 2004 22:48:02 -0400

I have never used this method for this case, but I have for similar cases before. I think you can solve the interface problem by adding an additional interface, providing it any address, creating routes for your HOME_NET to use that interface, and adding different routes for the network you use to manage out of the actual interface.

If you use the example provided below then add an iptables/whatever rule to drop any packets arriving on the response interface into the bit bucket to prevent any traffic from entering using the injection interface.

Also drop into the bit bucket any that have a source or dest address in the 127.0.0.0 net to prevent possibly polluting the wire with loopback traffic.

It will be a few weeks before I can get around to testing it for this case so if anyone wants to give it a try and confirm functionality "that would be great".

Don't forget... When you report your test results back to the list do not forget that the TPS report has a new format, didn't you read the memo?

Example:

[root@athome root]# ifconfig eth1 127.0.0.2
[root@athome root]# ifconfig eth1 up
[root@athome root]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:90:27:F1:3B:6F
          inet addr:127.0.0.2  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:6 Base address:0xde80 Memory:ff8fe000-ff8fe038

[root@athome root]# route add -net 12.110.1.0 netmask 255.255.255.0 dev eth1
[root@athome root]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
12.110.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
172.16.18.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.215.0   0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 eth1
0.0.0.0         172.16.18.1     0.0.0.0         UG        0 0          0 eth0



James Riden wrote:
> Jason Haar <Jason.Haar () trimble co nz> writes:
>
>> On Wed, May 19, 2004 at 03:04:28PM -0500, Paul Schmehl wrote:
>>
>>> I'm curious to know how many people, if any, are using Flex-Response and
>>> what kind of results they have seen?  I've been using it for some P2P
>>> rules but haven't actually tested it from the client.  Any information
>>> would be greatly appreciated.
>>
>> We use it and it works well. We've turned it on for specific rules - such as
>> BLASTER and Sasser exploits.
>> However you must appreciate it relies VERY much on your network
>> configuration. All TCP RSTs are sent from eth0 (your primary Ethernet
>> interface) with spoofed IP addresses.
>
> Not true on my setup; it goes on the OS routing table AFAICT. My setup
> is eth0 without an IP address, hence no routes, so eth1 gets used for
> flexresp traffic.
>
> cheers,
>  Jamie
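The setup Jason describes above (a dedicated injection interface, HOME_NET routed through it, and firewall rules that drop anything arriving on it or carrying a 127/8 address), written out as a shell script. This is an added example, not code from the thread; the interface names, addresses and netmask are assumptions taken from his example, and the default-route check is an extra sanity test of the same routing table.

```shell
#!/bin/sh
# Added example, not code from the thread: automate the response-interface
# setup described in the post and fence it off with iptables. Interface
# names and networks are assumptions taken from the example output above.
RESP_IF="${RESP_IF:-eth1}"             # interface Snort injects RSTs on
RESP_ADDR="${RESP_ADDR:-127.0.0.2}"    # throwaway address, never routable
HOME_NET="${HOME_NET:-12.110.1.0}"     # monitored network (HOME_NET)
HOME_MASK="${HOME_MASK:-255.255.255.0}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = run them

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Bring up the injection interface and route HOME_NET through it, so
# Flex-Response packets leave on RESP_IF instead of the management NIC.
setup_response_iface() {
  run ifconfig "$RESP_IF" "$RESP_ADDR"
  run ifconfig "$RESP_IF" up
  run route add -net "$HOME_NET" netmask "$HOME_MASK" dev "$RESP_IF"
}

# The injection interface is transmit-only: drop whatever arrives on it,
# and drop any packet with a 127/8 source or destination headed out of it
# so loopback addresses never reach the wire.
fence_response_iface() {
  run iptables -A INPUT   -i "$RESP_IF" -j DROP
  run iptables -A FORWARD -i "$RESP_IF" -j DROP
  run iptables -A OUTPUT  -o "$RESP_IF" -s 127.0.0.0/8 -j DROP
  run iptables -A OUTPUT  -o "$RESP_IF" -d 127.0.0.0/8 -j DROP
}

# Read a routing table in "netstat -rn" format from stdin and print the
# interface carrying the default route (gateway flag G, destination 0.0.0.0).
default_route_iface() {
  awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $NF; exit }'
}

# Never apply the plan if the fenced interface is also the default route;
# management traffic would otherwise be sent out of it and dropped.
if [ "$DRY_RUN" = "0" ] && [ "$(netstat -rn | default_route_iface)" = "$RESP_IF" ]; then
  echo "refusing: $RESP_IF carries the default route" >&2
  exit 1
fi
setup_response_iface
fence_response_iface
```

Run it as-is to print the planned commands; run it as root with DRY_RUN=0 to apply them.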
