[Snort-users] More explanation needed in Snort User Manual for "resp:"?

Jason Haar Jason.Haar at ...294...
Thu Nov 6 12:54:09 EST 2003


Under the "Resp" section of the Snort User Manual:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.22

it tells you how to use "resp" to do the ICMP/TCP-RSET thang.

What it doesn't tell you is that flexresp just drops those "spoofed" packets
onto the OS IP stack, i.e. those packets tend to go out the default
gateway interface instead of (as I assumed) the same interface the
packet was seen on...

This is rather important, because if you are like me, you have eth0 being
the only Ethernet card with an address, and you are monitoring things like
DMZes behind PIX (NATing) firewalls. Now, when an Internet address (say
1.2.3.4) connects to your DMZ Web server (say: 4.3.2.1), Snort actually sees
1.2.3.4 talking to (say) 192.168.2.1 - as 4.3.2.1 has been NATed. As you can
imagine, the "resp" packets are never going to match up. The only way they
can is if the "resp" packets were pushed out the same interface the offending
packet was seen on. Then any NAT devices in front of them would remap them
correctly.

I've looked at flexresp2, and it allows you to explicitly configure which
interface RESET packets are sent through - which is almost there. But this
still seems like a bug to me, as I can't think of a reason why you would
ever want the packet to leave through anything other than the interface it
was seen on! [well, except one: TAPs - but that's a pretty special case]

Am I missing something here?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
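Added example, not code from the post or from Snort: a stand-alone illustration of the two halves of the problem described above. `build_rst` constructs the RST/ACK an active response sends back to the observed sender (SEQ taken from the observed ACK, ACK covering the observed data), and `send_on_interface` hands it to the kernel pinned to a named interface, so it leaves the sniffing port and passes back through the NAT device instead of being routed out the default gateway. The addresses 1.2.3.4 and 192.168.2.1 come from the post; the client port, the sample HTTP segment, the `RESP_IFACE` environment variable and the fallback value 25 for Linux's `SO_BINDTODEVICE` are assumptions made for the example.

```python
"""Added example (not Snort's own code): build the TCP RST/ACK that a "resp"
style active response sends back to the observed sender, and optionally pin
the send to one interface instead of letting the OS route it out the default
gateway. All addresses, ports and the sample segment below are constructed."""
import os
import socket
import struct
import sys

SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)  # 25 is the Linux value (assumption)


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b"", window=0):
    """Serialise a minimal IPv4/TCP packet (no options) with valid checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out the fields a reset needs from an observed IPv4/TCP segment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4
    return {
        "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "payload_len": total_len - ihl - doff,
    }


def checksums_ok(pkt: bytes) -> bool:
    """True when both the IP header and the TCP segment verify (sum over data plus stored checksum is zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def build_rst(obs: dict) -> bytes:
    """RST/ACK aimed at the sender of `obs`: SEQ = its ACK, ACK = its SEQ plus data (SYN/FIN count one each)."""
    syn_fin = bool(obs["flags"] & 0x02) + bool(obs["flags"] & 0x01)
    ack = (obs["seq"] + obs["payload_len"] + syn_fin) & 0xFFFFFFFF
    return ipv4_tcp(obs["dst"], obs["src"], obs["dport"], obs["sport"], obs["ack"], ack, 0x14)


def send_on_interface(pkt: bytes, iface: str) -> None:
    """Give the reset to the kernel but force it out `iface` (Linux SO_BINDTODEVICE, needs CAP_NET_RAW).
    Without the bind, the kernel routes by destination alone and the packet leaves via the default gateway."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, iface.encode())
        s.sendto(pkt, (socket.inet_ntoa(pkt[16:20]), 0))


# Constructed sample: the post's Internet host talks to the DMZ server at its
# NATed private address, which is what the sensor actually sees on the wire.
OBSERVED = ipv4_tcp("1.2.3.4", "192.168.2.1", 40000, 80, 1000, 5000, 0x18,
                    b"GET / HTTP/1.0\r\n", window=65535)

if __name__ == "__main__":
    rst = build_rst(parse_ipv4_tcp(OBSERVED))
    print(parse_ipv4_tcp(rst), rst.hex())
    iface = os.environ.get("RESP_IFACE")  # the sniffing interface, not the default-route one
    if iface:
        send_on_interface(rst, iface)
        print("sent on", iface, file=sys.stderr)
```

Run without `RESP_IFACE` it only builds and prints the reset; with `RESP_IFACE=eth1` (as root) it emits the packet from that interface. Because the reset is sourced from 192.168.2.1, it only makes sense to 1.2.3.4 after the PIX has rewritten it to 4.3.2.1, which is exactly why the egress interface matters. The raw-socket approach still needs a route out of the bound interface; an addressless sniffing port requires link-layer injection instead, which is beyond this example.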