Snort mailing list archives
Snort Flex response layer 2 address issue
From: Carl <carl () nerd com>
Date: Tue, 02 Feb 2010 20:37:41 -0800
We have Snort running on a box with two NICs: eth0 is configured as the management interface and eth2 is configured as the monitoring interface. We are mirroring all interesting traffic to eth2 of the Snort box. We are trying to test the flex response; however, we never see the resets generated by Snort reach the client or server. I ran a tcpdump on the Snort box's management interface and we see flex response is trying to send the resets; however, it seems to pull the layer 2 info from the alert that triggered the flex response and uses it when sending the reset.

Here is a capture of the traffic Snort saw that generated the flex response:

21:30:50.703838 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 58, id 52741, offset 0, flags [DF], proto TCP (6), length 52) x.x.x.163.39485 > y.y.y.20.80: Flags [F.], cksum 0x194a (correct), seq 2068258091, ack 3628601739, win 92, options [nop,nop,TS val 529950849 ecr 2742540099], length 0

Here is a capture of the reset that Snort tries to send out:

21:07:24.702620 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 44352, offset 0, flags [none], proto: TCP (6), length: 40) x.x.x.163.35652 > y.y.y.20.http: R, cksum 0xa867 (correct), 1675:1675(0) ack 1495 win 0
21:07:24.702601 00:0b:45:17:78:00 > 00:1d:b5:c4:ac:fe, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 17445, offset 0, flags [none], proto: TCP (6), length: 40) y.y.y..20.http > x.x.x.163.35652: R, cksum 0xa6f7 (correct), 1679:1679(0) ack 1859 win 0

Notice that the MAC addresses are the same as the original traffic. This will not work since the client and server are on different subnets - the reset has to be routed, so the destination MAC address of the reset should be set to the MAC address of Snort's default gateway; otherwise the router would never pull the packets off the wire for it to be routed.
Are we missing a setting to get flex response working when the client and server exist on separate networks?
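A quick way to confirm the symptom described in the post is to compare the Ethernet header of each injected reset with the frame that triggered it and with the gateway's MAC. The script below is an added example, not code from the post or from Snort; the tcpdump lines are constructed to mirror the post's captures (trimmed to the fields the check needs) and the gateway MAC is a hypothetical placeholder.

```python
import re

# Constructed sample lines patterned on the tcpdump output in the post.
# The first was seen on the monitoring interface; the resets were seen
# leaving the management interface.
ORIGINAL_FRAME = (
    "21:30:50.703838 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 (0x0800), "
    "length 66: x.x.x.163.39485 > y.y.y.20.80: Flags [F.]"
)
RESET_FRAMES = [
    "21:07:24.702620 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 (0x0800), "
    "length 54: x.x.x.163.35652 > y.y.y.20.http: R, cksum 0xa867 (correct)",
    "21:07:24.702601 00:0b:45:17:78:00 > 00:1d:b5:c4:ac:fe, ethertype IPv4 (0x0800), "
    "length 54: y.y.y.20.http > x.x.x.163.35652: R, cksum 0xa6f7 (correct)",
]
# Hypothetical MAC of the default gateway on the management interface
# (on a real box, take it from the ARP/neighbour table).
GATEWAY_MAC = "00:aa:bb:cc:dd:ee"

MAC = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
# timestamp, src MAC > dst MAC, ..., src IP.port > dst IP.port: flags
FRAME_RE = re.compile(
    r"^\S+\s+" + MAC + r"\s+>\s+" + MAC + r",.*?\s(\S+) > (\S+):\s*(R\b|Flags \[[^\]]*\])"
)


def parse_frame(line):
    """Extract the Ethernet pair, IP endpoints and TCP flag from one tcpdump line."""
    m = FRAME_RE.match(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    src_mac, dst_mac, src, dst, flags = m.groups()
    return {"src_mac": src_mac.lower(), "dst_mac": dst_mac.lower(),
            "src": src, "dst": dst, "rst": flags in ("R", "Flags [R]")}


def check_reset(reset_line, original_line, gateway_mac):
    """List the layer-2 problems that would stop an injected reset from being routed."""
    rst, orig = parse_frame(reset_line), parse_frame(original_line)
    if not rst["rst"]:
        return ["not a reset"]
    problems = []
    # Same MAC pair as the triggering packet (in either direction): the L2
    # header was copied from the alert instead of being built for this host.
    if {rst["src_mac"], rst["dst_mac"]} == {orig["src_mac"], orig["dst_mac"]}:
        problems.append("layer-2 addresses copied from the triggering packet")
    # An off-subnet target needs the frame addressed to the gateway's MAC.
    if rst["dst_mac"] != gateway_mac.lower():
        problems.append("destination MAC %s is not the gateway %s"
                        % (rst["dst_mac"], gateway_mac.lower()))
    return problems
```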