Snort mailing list archives
Re: Snort Flex response layer 2 address issue
From: Jeff Nathan <jeff () snort org>
Date: Wed, 3 Feb 2010 09:01:05 -0500
Nope, I don't think you're missing anything. As written, sp_respond2 does exactly what you say it does when you configure link-layer responses. One solution would be to support the specification of the mac address of the next hop router when using link-layer injection. I'm actually surprised that no one spotted this sooner - it's been 6 years. :)

-Jeff

On Tue, Feb 2, 2010 at 11:37 PM, Carl <carl () nerd com> wrote:
We have snort running on a box with two nics, eth0 is configured as the management interface and eth2 is configured as the monitoring interface. We are mirroring all interesting traffic to eth2 of the snort box. We are trying to test the flex response, however, we never see the resets generated by snort reach the client or server. I ran a tcpdump on the snort box's management interface and we see flex response is trying to send the resets, however, it seems to pull the layer2 info from the alert that triggered the flex response and uses it when sending the reset.

Here is a capture of the traffic snort saw that generated the flex response:

21:30:50.703838 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 58, id 52741, offset 0, flags [DF], proto TCP (6), length 52) x.x.x.163.39485 > y.y.y.20.80: Flags [F.], cksum 0x194a (correct), seq 2068258091, ack 3628601739, win 92, options [nop,nop,TS val 529950849 ecr 2742540099], length 0

Here is a capture of the reset that snort tries to send out:

21:07:24.702620 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 44352, offset 0, flags [none], proto: TCP (6), length: 40) x.x.x.163.35652 > y.y.y.20.http: R, cksum 0xa867 (correct), 1675:1675(0) ack 1495 win 0
21:07:24.702601 00:0b:45:17:78:00 > 00:1d:b5:c4:ac:fe, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 64, id 17445, offset 0, flags [none], proto: TCP (6), length: 40) y.y.y..20.http > x.x.x.163.35652: R, cksum 0xa6f7 (correct), 1679:1679(0) ack 1859 win 0

Notice that the mac-addresses are the same as the original traffic. This will not work since the client and server are on different subnets - the reset has to be routed, so the destination mac-address of the reset should be set to the mac-address of snort's default gateway, otherwise the router would never pull the packets off the wire for it to be routed.

Are we missing a setting to get flex response working when the client and server exist on separate networks?

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
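The addressing decision Jeff describes (use the next-hop router's MAC for link-layer injection when the target is off the sensor's subnet), as an added example that is not part of the thread and not Snort's sp_respond2 code. It parses tcpdump -e lines like the ones Carl quoted, checks whether a captured reset frame is addressed so a router would forward it, and computes the correct source/destination MACs for a reset. The sensor subnet, sensor NIC MAC, gateway MAC and the 198.51.100.x / 203.0.113.x addresses are constructed sample values standing in for the thread's x.x.x.163 / y.y.y.20.

```python
"""Link-layer addressing for Snort-style injected TCP resets (added example,
not sp_respond2 source). Subnet, MACs and IPs below are constructed samples."""
import ipaddress
import re
from dataclasses import dataclass

# Fields of a "tcpdump -e" style line, as in the captures quoted in the thread.
_MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_FRAME_RE = re.compile(_MAC + r" > " + _MAC + r", ethertype IPv4")
_FLOW_RE = re.compile(_IP + r"\.\w+ > " + _IP + r"\.\w+:")


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def parse_tcpdump_line(line: str) -> Frame:
    """Pull the Ethernet and IPv4 endpoints out of one tcpdump -e line."""
    m, f = _FRAME_RE.search(line), _FLOW_RE.search(line)
    if not (m and f):
        raise ValueError(f"not an Ethernet/IPv4 tcpdump line: {line!r}")
    return Frame(m.group(1).lower(), m.group(2).lower(), f.group(1), f.group(2))


def _on_link(ip: str, sensor_subnet: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(sensor_subnet, strict=False)


def reset_l2_addresses(target_ip: str, target_mac_seen: str, sensor_mac: str,
                       sensor_subnet: str, gateway_mac: str) -> tuple:
    """Return (src_mac, dst_mac) for a reset frame that must reach target_ip.

    An on-link target keeps the MAC seen in the alerting packet (the behaviour
    the thread describes); an off-link target gets the gateway's MAC so the
    router will take the frame off the wire and route it. The source MAC is
    always the sensor's own injecting NIC (assumption: that NIC is on
    sensor_subnet).
    """
    dst = target_mac_seen if _on_link(target_ip, sensor_subnet) else gateway_mac
    return sensor_mac.lower(), dst.lower()


def reset_is_routable(reset: Frame, sensor_subnet: str, gateway_mac: str) -> bool:
    """Would a router on the sensor's segment forward this captured reset?"""
    return _on_link(reset.dst_ip, sensor_subnet) or reset.dst_mac == gateway_mac.lower()


# Constructed sample data (assumed values, not from the thread's real network).
SENSOR_SUBNET = "192.0.2.0/24"        # subnet of the sensor's injecting NIC
SENSOR_MAC = "02:00:00:aa:bb:cc"      # MAC of that NIC
GATEWAY_MAC = "02:00:00:00:00:01"     # MAC of the sensor's default gateway

ALERTING_PACKET = (
    "21:30:50.703838 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 (0x0800), "
    "length 66: (tos 0x0, ttl 58, id 52741, offset 0, flags [DF], proto TCP (6), length 52) "
    "198.51.100.163.39485 > 203.0.113.20.80: Flags [F.], cksum 0x194a (correct), seq 2068258091")
# The reset as observed in the thread: MACs copied from the alerting packet.
RESET_AS_SENT = (
    "21:07:24.702620 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 (0x0800), "
    "length 54: (tos 0x0, ttl 64, id 44352, offset 0, flags [none], proto: TCP (6), length: 40) "
    "198.51.100.163.35652 > 203.0.113.20.http: R, cksum 0xa867 (correct), 1675:1675(0) ack 1495 win 0")


def corrected_reset(reset: Frame, sensor_mac: str, sensor_subnet: str, gateway_mac: str) -> Frame:
    """Re-address a captured reset frame; IP endpoints are left untouched."""
    src, dst = reset_l2_addresses(reset.dst_ip, reset.dst_mac, sensor_mac, sensor_subnet, gateway_mac)
    return Frame(src, dst, reset.src_ip, reset.dst_ip)


if __name__ == "__main__":
    sent = parse_tcpdump_line(RESET_AS_SENT)
    print("reset as sent routable:", reset_is_routable(sent, SENSOR_SUBNET, GATEWAY_MAC))
    fixed = corrected_reset(sent, SENSOR_MAC, SENSOR_SUBNET, GATEWAY_MAC)
    print("corrected frame:", fixed)
    print("corrected routable:", reset_is_routable(fixed, SENSOR_SUBNET, GATEWAY_MAC))
```

Running the block against the sample reset reports it as not routable (its destination MAC is the server's MAC copied from the alert, while 203.0.113.20 is off the sensor's subnet) and then shows the re-addressed frame carrying the gateway MAC. The same check, fed a live tcpdump of the management interface, is a quick way to confirm whether an active-response deployment is affected before enabling it on production traffic.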
Current thread:
- Snort Flex response layer 2 address issue Carl (Feb 02)
- Re: Snort Flex response layer 2 address issue Jeff Nathan (Feb 03)