Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort tcp reset

From: Daniele Gallarato <daniele.gallarato () gmail com>
Date: Wed, 9 May 2012 09:13:58 +0200
Thanks.

I've configured snort.conf in this way:

#
config response: device eth0 attempts 1
#
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 8192, \
   max_udp 131072, \
   max_active_responses 0, \
   min_response_seconds 1


if I don't set max_active_responses to 0, it happens a strange thing: snort
try to reset all session that cause an alarm

In this way, it seems to work well, and snort send a tcp reset only for
sessions hat hits a resp:rst_all rule; but there is a problem: when snort
begin to reset a session, pc hit the rule it's blocked, it's flooded with
tcp resets, and it's impossible to rejoin the network, until I stop snort...
Anyone can help me to solve this (I hope last) problem?

Thanks.
Daniele
2012/5/9 Russ Combs <rcombs () sourcefire com>


Check under "CONFIGURE SNIPING" in README.active.


On Tue, May 8, 2012 at 8:44 AM, Daniele Gallarato <
daniele.gallarato () gmail com> wrote:


I've other information.

My snort is passive, it sniff from eth1 (a monitor interface on a cisco
switch), and is monitored with eth0 interface.
So, we need that tcp reset come to eth0 interface, but if I sniff traffic
with tcpdump, I can see that tcp reset is send through eth1, and eth1 can't
send traffic (due to monitor interface limitation).
With flexresp2 we can choose which interface use for reset

flexresp2 interface: eth0

but this configuration option is disappeared with flexresp3.

Anyone know how to address this problem?

Thank
Daniele


2012/5/8 Daniele Gallarato <daniele.gallarato () gmail com>


Sorry.

Anyone can address me to a documentation about tcp reset with flexresp3?

Thanks
Daniele


2012/5/4 Daniele Gallarato <daniele.gallarato () gmail com>


Yes.

I don't understand well the difference between flexresp3 (previously
I've used flexresp1, so I've tried to use flexresp3), and active-response.

If I configure

config response: device eth0 attempts 2


when snort hit a reset rule, it flood the network and I can't reach it
anymore...

Thanks


* Flexresp3 is new: the resp rule option keyword is used to configure
active
  responses for rules that fire.

    ./configure --enable-flexresp3

    alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)

* resp_t includes all flexresp and flexresp2 options:

    <resp_t> ::= \
        rst_snd | rst_rcv | rst_all | \
        reset_source | reset_dest | reset_both | icmp_net | \
        icmp_host | icmp_port | icmp_all

See README.flexresp3 for more.



2012/5/4 Russ Combs <rcombs () sourcefire com>


Did you check README.active?

On Fri, May 4, 2012 at 10:00 AM, Daniele Gallarato <
daniele.gallarato () gmail com> wrote:


Hello.

I've installed snort version 2.9.2.2 onto an ubuntu server
(2.6.32-41-server #88-Ubuntu SMP).

I've followed this good guide:


http://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CHsQFjAB&url=http%3A%2F%2Fwww.snort.org%2Fassets%2F158%2F014-snortinstallguide292.pdf&ei=zd-jT5vCBPTa4QSl0rifCQ&usg=AFQjCNGaL8nB1vZPRodUBX6IQluwufpbFQ&sig2=FqFj5w3hOXP1NBcn3gbxoQ

All seems to work properly.

Only thing that doesn't work is flexresp3.

In an old installation (2.4.3) with old flexresp, resets work.

In this new installation, I've compiled snort with:

./configure --prefix=/usr/local/snort --enable-sourcefire
--enable-active-response --enable-flexresp3
make
make install

and written some local.rules (they work) and some reset.rules (they
hit the rule, appear in reports, but doesn't reset).

Rule is:

alert tcp <my_ip> any -> $HOME_NET 3389 (resp: rst_all; msg:"Reset
Sessioni Remote Desktop" ; sid:200004;)

I've also checked packets with wireshark, I can't see any reset.

Any help will be appreciated.

Thanks
Daniele Gallarato



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!











------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!





------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: