[Snort-users] More explanation needed in Snort User Manual for "resp:"?

Jeff Nathan jeff at ...950...
Thu Nov 20 14:57:01 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Nov 6, 2003, at 4:58 PM, Kristofer T. Karas wrote:

[...]

> Because most interfaces used to receive promiscuously-captured packets 
> are set up for passive monitoring: they often span multiple VLANs or 
> trunks; injecting packets along the same path would result in a 
> one-to-many problem on the receiving end.  For this very reason, most 
> network admins I've talked with literally cut the transmit pair on the 
> network cable to prevent this.  For those using a Cisco setup, 
> spanning VLANs to a monitor port makes that port transmit-only.  Those 
> that consolidate multiple monitor ports into a single feed to Snort 
> (by way of using a dedicated switch) will have an exacerbated 
> problem when trying to send data back along the consolidated feed.

A funny analogy for that might be "some fish swim upstream but Ethernet 
over twisted pair needs a balanced transmit line and a balanced receive 
line" (heh)

> For these reasons (and the TAP mentioned) I am very grateful that 
> Snort sends flexresp[2] packets via the OS's routing table.  After 
> all, you can always add a route to send them out the promiscuous 
> interface if that's what strikes your fancy.

As you mention above, Flexresp2 gives you flexibility to send the 
responses using the routing table (just like flexresp did).  And as 
other people have mentioned, it also provides the ability to specify an 
interface to use for sending responses.  Hopefully by supporting both 
mechanisms I've addressed the necessary functionality.

I doubt it's perfect, but I think it's what people wanted.

> To deal with the NAT issues, just place your promiscuous feed inbound 
> from your NAT box, e.g. in your DMZ.  Snort will only see your inside 
> IP addresses, which is, after all, what you really want anyway; 
> there's no point in reporting issues with a shared IP address, as you 
> can't (in general) track that back to a specific post-NAT machine.
>
> Kris

- -Jeff

- --
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"I want to know God's thoughts... the rest are details."   - Albert 
Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/vUaHEqr8+Gkj0/0RAgs8AKConaZgMSuycvyiq8dIw2IWKAAuewCeN+eD
zvuWblrlK/02MNg+I0kcAsg=
=UZJm
-----END PGP SIGNATURE-----
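The thread's point that flexresp responses follow the OS routing table, so a route can steer them out the sniffing interface, can be illustrated with a small longest-prefix-match model. This is an added example, not code from the thread or from Snort: the routing table, interface names (eth0 management, eth1 sniffing) and addresses are constructed, and the two-direction reset models what a rule with `resp:rst_all` would send (a RST toward each end of the connection).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One kernel route: destination prefix and egress interface (constructed)."""
    prefix: ipaddress.IPv4Network
    iface: str


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, as the kernel does for an outbound packet."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.iface if best else None


def add_route(table: List[Route], cidr: str, iface: str) -> List[Route]:
    """Return a new table with an extra route, i.e. 'ip route add CIDR dev IFACE'."""
    return table + [Route(ipaddress.ip_network(cidr), iface)]


def reset_egress(table: List[Route], src: str, dst: str) -> dict:
    """Where the two RSTs of a resp:rst_all-style response would leave the sensor:
    one toward the flow's source, one toward its destination."""
    return {"to_src": lookup(table, src), "to_dst": lookup(table, dst)}


# Constructed sensor routing table: management NIC eth0 carries the default
# route; the sniffing NIC eth1 has no address and no route at all.
BASE_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0"),
    Route(ipaddress.ip_network("192.168.100.0/24"), "eth0"),
]

# Constructed addresses: an inside host on the monitored 10.1.0.0/16 segment
# and an outside peer.
INSIDE_HOST = "10.1.2.3"
OUTSIDE_HOST = "203.0.113.9"


if __name__ == "__main__":
    # Without a route for the monitored segment, both resets leave via eth0,
    # which is not on the path between the two endpoints.
    print("before:", reset_egress(BASE_TABLE, INSIDE_HOST, OUTSIDE_HOST))

    # Steer traffic for the monitored segment out the sniffing interface, as
    # Kris suggests.  Only the reset toward the inside host moves to eth1; the
    # one toward the outside peer still follows the default route.
    steered = add_route(BASE_TABLE, "10.1.0.0/16", "eth1")
    print("after: ", reset_egress(steered, INSIDE_HOST, OUTSIDE_HOST))
```

Running it shows the before/after egress for each RST. The split result after the route is added is the practical caveat: a route only helps for the half of the conversation that lives behind the sniffing interface, and on a feed whose transmit pair has been cut or that comes from a transmit-only SPAN port, packets sent out eth1 go nowhere at all, which is why the interface-selection option in flexresp2 and the routing-table behaviour need to be chosen per deployment.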
