Snort mailing list archives
Re: How to use react under IPS mode correctly?
From: Hsuan-Yi Sung <newdominic () gmail com>
Date: Thu, 11 May 2017 17:10:22 +0800
I've run a quick test on Ubuntu 16.04 with daq-afpacket, just to check if the react plugin works fine. And it does respond as designed. So I went back to FreeBSD and tried running Snort with netmap; the react plugin works without any problem now. I still can't figure out why the ipfw module failed to send the packets out of Snort.

Here's how I start Snort:

/usr/local/bin/snort -Q --daq ipfw --daq-mode inline -k none -i em1 -c /usr/local/etc/snort/snort.conf

And here's my ipfw list:

00030 allow icmp from any to any via em1
00040 divert 8000 all from any to any via em1
00050 divert natd all from any to any via em0
00060 allow all from any to any

Just a simple setting to divert every packet (except icmp) from em1 to port 8000 (Snort with daq-ipfw). Am I missing some specific configuration for the ipfw module? Please let me know if you guys need more information. Thanks.

2017-05-08 14:22 GMT+08:00 Hsuan-Yi Sung <newdominic () gmail com>:
Yes, before I set the rule to stateless, Snort was blocking the active responses, which should be injected via Active_SendData() and Active_SendReset() in sp_react.c. I added some debug messages into the daq library, and they showed that the ipfw_daq_forward() function did return DAQ_SUCCESS when calling the functions mentioned above. I know it might be wrong to make it stateless; I'm just trying to figure out where and why the injected packets get blocked. I'll try the react plugin on other platforms these days for some cross-comparison.

2017-05-05 20:30 GMT+08:00 Russ <rucombs () cisco com>:

That doesn't sound right. You shouldn't have to be stateless. Also, are you saying Snort is blocking your active responses? They should be sent from Snort but not through Snort.

On 5/3/17 10:02 PM, Hsuan-Yi Sung wrote:

Hi, I'm running Snort 2.9.8.3 on FreeBSD 10.3-RELEASE, under inline mode with daq-ipfw. I've been trying to use the "react" keyword in my rules to send a fake response page to the client. At first, I tried the rule below:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; react:msg; sid:1002; rev:001;)

The client can't even make a successful handshake with the destination IP. After doing some research on sp_react.c (and some googling), I guess this must be triggered only after the connection is established. So I added the "flow" keyword:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; flow:established,from_client; react:msg; sid:1002; rev:001;)

By using tcpdump, I can see the connection established, and also the HTTP GET request packet. But the forged response is still not showing. So I dug deeper, and found this in spp_stream6.c:

static void StreamDropPacket( Packet *p )
{
    ... ...
    if (!(p->packet_flags & PKT_STATELESS))
        session_api->drop_traffic(p, p->ssnptr, SSN_DIR_BOTH);
}

The drop_traffic function caused all the injected packets to be blocked.

Finally, I switched the parameter of "flow" to "stateless":

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; flow:stateless; react:msg; sid:1002; rev:001;)

Now I can see the fake response page and connection reset packets. I'm not sure if I misunderstood the code or not. Is this the right way to use "react" under inline mode? Do I have to treat the HTTP packet as stateless?

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

-- Best Regards, Hsuan-Yi Sung
-- Best Regards, Hsuan-Yi Sung
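The three rule variants in this thread differ only in their flow: option, and that option is what decided whether the react response ever reached the client. The checker below is an added example for this archive page, not code from the thread, from Snort, or from the DAQ project. It parses a Snort 2.x rule (header plus option body, splitting on semicolons outside quoted content strings) and flags the two patterns discussed above: react with no flow: constraint (the first rule, where the client never completed the handshake) and react with flow:stateless (the workaround Russ said should not be necessary). The rule strings and the severity of each finding are assumptions for illustration; the checker does not consult Snort itself.

```python
"""Sanity-check Snort 2.x rules that use the 'react' keyword.

Added example (not code from the thread or from Snort). Parses the rule
header and option body and reports the flow: conditions the thread turned
on. The rule strings below are constructed from the thread for testing.
"""
import re
from dataclasses import dataclass, field

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S,
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # [(keyword, value-or-None), ...]


def split_options(body: str) -> list:
    """Split the option body on ';' characters that are outside double quotes.

    Backslash-escaped characters inside a quoted content string are kept
    verbatim so a quoted semicolon does not end the option early."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
            continue
        if ch == "\\" and in_quote:
            cur.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    out = []
    for opt in opts:
        if not opt:
            continue
        kw, sep, val = opt.partition(":")
        out.append((kw.strip().lower(), val.strip() if sep else None))
    return out


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    g = m.groupdict()
    return Rule(g["action"], g["proto"], g["src"], g["sport"], g["dir"],
                g["dst"], g["dport"], split_options(g["body"]))


def check_react(rule: Rule) -> list:
    """Return findings (strings) for a react rule; [] means nothing flagged."""
    opts = dict(rule.options)  # for flow/react a single occurrence is expected
    findings = []
    if "react" not in opts:
        return findings
    if rule.proto.lower() != "tcp":
        findings.append("react sends a page and a reset over TCP; proto is %s" % rule.proto)
    flow = opts.get("flow")
    if flow is None:
        findings.append("react without flow: the rule can match before the TCP "
                        "handshake completes, so the client never gets a session")
    else:
        flags = {f.strip().lower() for f in flow.split(",")}
        if "stateless" in flags:
            findings.append("flow:stateless bypasses stream tracking for this rule; "
                            "react is meant to fire on an established session")
        elif "established" not in flags:
            findings.append("flow: given without 'established'; react relies on an "
                            "established TCP session to inject the response")
    return findings


# Constructed from the rules posted in the thread.
RULE_NO_FLOW = ('alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; '
                'react:msg; sid:1002; rev:001;)')
RULE_ESTABLISHED = ('alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; '
                    'flow:established,from_client; react:msg; sid:1002; rev:001;)')
RULE_STATELESS = ('alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; '
                  'flow:stateless; react:msg; sid:1002; rev:001;)')

if __name__ == "__main__":
    for text in (RULE_NO_FLOW, RULE_ESTABLISHED, RULE_STATELESS):
        print(text)
        for finding in check_react(parse_rule(text)) or ["ok"]:
            print("  -", finding)
```

Run it against a rules file one line at a time before loading the rules into an inline sensor; a rule that comes back with a finding is worth checking with tcpdump on the client side, as the poster did, to confirm the handshake completes and the injected page and RST actually leave the box.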
Current thread:
- How to use react under IPS mode correctly? Hsuan-Yi Sung (May 03)
- Re: How to use react under IPS mode correctly? Russ (May 05)
- Re: How to use react under IPS mode correctly? Hsuan-Yi Sung (May 07)
- Re: How to use react under IPS mode correctly? Hsuan-Yi Sung (May 11)
- Re: How to use react under IPS mode correctly? Hsuan-Yi Sung (May 07)
- Re: How to use react under IPS mode correctly? Russ (May 05)