[Snort-devel] React with InlineMode

Giacomo Tesio development.comunications at ...2499...
Tue Jun 10 10:25:37 EDT 2008


Ok...

Just another question: today reading the documentation patch (I patched the
snort_manual.tex first, it's one best practice of ours) and talking about
the new features with the collegue designing the "network use case" (Davide
Diana, who identified the first react bug we are fixing, about the missing
ACK flag in sent packets) we realized that a completely new plugin (working
only with inline rules), could be a cleaner solution.

React was a funny network hack, but Inline Mode offer better solutions to
block dangerous/forbidden content at all, without disclosing to the
attacker/forbidden server information about the snort presence (and
version).


Since it's done, we will actually send back the fixes we have done to
sp_react.c (let me clean it a bit :-D), but what do you think about a new
"warn" keyword available only on inline rules (drop, sdrop and reject).

Such a keyword would make snort to send a warning to the destination of the
matched packet (aka the "victim").
I'd like to send different warnings to different protocols, but I have no
time, so only http warnings will be implemented (but IRC warning, for
example, could be quite easy to implement).


What do you think about this?

I think that such a system could be really useful in many IPS
configurations.
Note that those are just ideas... If you think react is enough, let me
know... :-D


Giacomo


2008/6/10, Steven Sturges <steve.sturges at ...402...>:
>
> Hi Giacomo--
>
> Yes, please send patches to this list.
>
> There should be a number of developers interested to see your work,
> as well as comment on additional features or recommend changes.
>
> Cheers.
> -steve
>

-- 
Giacomo Tesio
http://www.tesio.it
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20080610/0de0756e/attachment.html>


More information about the Snort-devel mailing list