Re: Snort Flex response layer 2 address issue

[Jeff Nathan <jeff () snort org>]

Nope, I don't think you're missing anything.  As written, sp_respond2
does exactly what you say it does when you configure link-layer
responses.  One solution would be to support the specification of the
mac address of the next hop router when using link-layer injection.

I'm actually surprised that no one spotted this sooner - it's been 6 years. :)

-Jeff

On Tue, Feb 2, 2010 at 11:37 PM, Carl <carl () nerd com> wrote:
> We have snort running on a box with two nics, eth0 is configured as the
> management interface and eth2 is configured as the monitoring interface.
> We are mirroring all interesting traffic to eth2 of the snort box. We
> are trying to test the flex response, however, we never see the resets
> generated by snort reach the client or server. I ran a tcpdump on the
> snort boxes management interface and we see flex response is trying to
> send the resets, however, it seems to pull they layer2 info from the
> alert that triggered the flex response and uses it when sending the reset.
>
> Here is a capture of the traffic snort saw that generated the flex response
>
> 21:30:50.703838 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4
> (0x0800), length 66: (tos 0x0, ttl 58, id 52741, offset 0, flags [DF],
> proto TCP (6), length 52)
>     x.x.x.163.39485 > y.y.y.20.80: Flags [F.], cksum 0x194a (correct),
> seq 2068258091, ack 3628601739, win 92, options [nop,nop,TS val
> 529950849 ecr 2742540099], length 0
>
> Here is a capture of the reset that snort tries to send out
>
> 21:07:24.702620 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4
> (0x0800), length 54: (tos 0x0, ttl  64, id 44352, offset 0, flags
> [none], proto: TCP (6), length: 40) x.x.x.163.35652 > y.y.y.20.http: R,
> cksum 0xa867 (correct), 1675:1675(0) ack 1495 win 0
>
> 21:07:24.702601 00:0b:45:17:78:00 > 00:1d:b5:c4:ac:fe, ethertype IPv4
> (0x0800), length 54: (tos 0x0, ttl  64, id 17445, offset 0, flags
> [none], proto: TCP (6), length: 40) y.y.y..20.http > x.x.x.163.35652: R,
> cksum 0xa6f7 (correct), 1679:1679(0) ack 1859 win 0
>
> Notice that the mac-addresses are the same as the original traffic.
> This will not work since the client and server on different subnets -
> the reset has to be routed so the destination mac-address of the reset
> should be set to the mac-address of snorts default gateway otherwise the
> router would never pull the packets off the wire for it to be routed.
> Are we missing a setting to get flex response working when the client
> and server exist on separate networks?
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users