[Snort-users] flexresp - I have 2 stupid questions
jeff at ...950...
Wed Nov 26 13:19:03 EST 2003
I was in the midst of replying to your first question when I saw this
one. The first message posed an excellent question and I want to make
sure that I do it justice when answering. I'll send that one out
soon.. more on that later, though.
The version of flexresp you're using will allow you to create ICMP host
and network unreachable messages to send in response to ICMP echo
requests. These are the only types of ICMP responses appropriate for
an ICMP echo request (as it relates to flexresp).
A log file isn't kept and it doesn't create special alerts to let you
know whether or not it's working.
The version of flexresp you're using is designed to send responses
primarily to the attacker. The odds are very high that the target has
received the packets by the time your Snort system can respond.
The new version of flexresp which is known as flexresp2 (which is still
being improved), is intended to knock down TCP connections and is
primarily focused on sending responses to only the target (or server).
To answer your previous email message, flexresp may not work as you've
currently configured it. When it sends a response it uses the routing
table on your computer to determine which network interface should be
used to transmit the response. If your "administrative" interface on
the Snort system has a default route, then it's possible the response
packets could make it back to the attacker. But, I can't say for
certain without having more information.
I was in the midst of writing a response to you that included an
example on how to test flexresp2 when I discovered an oversight in the
design of the new inline response functionality. I'd like to be more
helpful by sending you an example but before I send an example, I'd
like to make sure the new code functions as I think it ought to.
Here are some guidelines for using flexresp.
The current (old) version of flexresp uses the routing table of the
system on which it is running to determine which interface to send
The process of active response (which is the more general term for what
flexresp in Snort is trying to achieve: tearing down connections), is a
race between the attacker and the system attempting to perform the
active response. The attacker has an inherent advantage because his or
her packets are generated as a result of using the network.
Conversely, active response must create packets for the responses after
first identifying the "bad" network traffic.
Use TCP reset responses for TCP only. Use ICMP Port/Net or Host
unreachable responses for UDP. Use ICMP Net or Host unreachable
responses for ICMP packets. But, keep in mind that some ICMP packets
are error messages generated by an IP stack and others are
informational messages. The steadfast rule is that ICMP error messages
should not be generated as a response to an ICMP error message. So, if
your kernel's IP stack (or in this case, Snort) sees an ICMP error
message, it shouldn't generate another ICMP error message in response
to the first error. This could cause a war of ICMP error messages.
If you're sure that you've got your routing table setup properly and
that the administrative interface should have a way of sending packets
back to the attacker, and you're sure that your Snort rules apply to a
service running on the target, then you should be able to use a packet
sniffer and look for the responses generated by flexresp. Even if the
responses have no effect (because they're sent too late) you should see
On Nov 26, 2003, at 3:23 PM, Rich Stryker wrote:
> I have the libnetNT.dll in the winnt\system32 directory. I have pinged
> the servers that flexresp should be monitoring but I still get a
> response when I think I should be getting dropped packets.
> Does flexresp write a log somewhere that I can see if it is loading
> properly or functioning properly or reading packets properly but is
> unable to respond to?
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler at ...4108...]
> Sent: Wednesday, November 26, 2003 11:57
> To: Rich Stryker; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] flexresp - I have 2 stupid questions
> At 10:26 AM 11/26/2003, Rich Stryker wrote:
>> * If I have unbound TCP/IP on the outside NIC where I have set
>> flexresp, I have set the rules to send ICMP null responses, will it
>> actually work?
> It should... flexresp uses libnet to generate the packets and does not
> on the local tcp/ip stack.
>> * How do you know if flexresp is working?
> Um.. test it?
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age
eighteen." - Albert Einstein
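The response-type guidelines in the message above (TCP resets for TCP only, ICMP unreachables for UDP, Net/Host unreachable for ICMP, and never an ICMP error in reply to an ICMP error) can be checked mechanically before a ruleset is enabled with flexresp. The following linter is an added example, not code from the thread or from Snort; the `resp:` modifier names are taken from the Snort 2.x rule syntax, and the sample rules are constructed for the demonstration.

```python
import re
# flexresp "resp:" modifiers from Snort 2.x rule syntax (names assumed from the Snort manual)
TCP_RESPONSES = {"rst_snd", "rst_rcv", "rst_all"}
UDP_RESPONSES = {"icmp_port", "icmp_net", "icmp_host", "icmp_all"}
ICMP_RESPONSES = {"icmp_net", "icmp_host"}      # Net/Host unreachable only, as the message advises
ALLOWED = {"tcp": TCP_RESPONSES, "udp": UDP_RESPONSES, "icmp": ICMP_RESPONSES}
# RFC 792 error messages: unreachable(3), source quench(4), redirect(5), time exceeded(11), param problem(12)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

RULE_RE = re.compile(r"^\s*\w+\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(?:[^;"]|"[^"]*")+')   # split option body on ';' outside double quotes

def parse_rule(rule):
    """Return (protocol, {option: [values]}) for a single-line Snort rule."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    opts = {}
    for opt in OPTION_RE.findall(m.group(2)):
        key, _, val = opt.strip().partition(":")
        if key:
            opts.setdefault(key.lower(), []).append(val.strip())
    return m.group(1).lower(), opts

def check_rule(rule):
    """Return findings about a rule's resp: choice; an empty list means it follows the guidelines."""
    proto, opts = parse_rule(rule)
    resps = [r.strip() for v in opts.get("resp", []) for r in v.split(",")]
    if not resps:
        return []                                   # no active response configured, nothing to check
    allowed = ALLOWED.get(proto)
    if allowed is None:
        return ["resp: on %s: flexresp answers tcp, udp and icmp only" % proto]
    findings = ["%s is not a suitable response for %s (use one of: %s)" % (r, proto, ", ".join(sorted(allowed)))
                for r in resps if r not in allowed]
    if proto == "icmp":
        itypes = opts.get("itype", [])
        if not itypes:                              # unrestricted icmp rule will also match ICMP errors
            findings.append("icmp rule has no itype: it may match ICMP error messages, which must not be answered with ICMP errors")
        for t in itypes:
            if t.isdigit() and int(t) in ICMP_ERROR_TYPES:
                findings.append("itype %s is an ICMP error message; never answer an ICMP error with another ICMP error" % t)
    return findings

SAMPLE_RULES = [  # constructed rules for the demonstration, not from the thread
    'alert tcp any any -> $HOME_NET 80 (msg:"web probe"; content:"/cgi-bin/"; resp:rst_all; sid:1000001;)',
    'alert udp any any -> $HOME_NET 53 (msg:"dns probe"; resp:rst_snd; sid:1000002;)',
    'alert icmp any any -> $HOME_NET any (msg:"echo request"; itype:8; resp:icmp_host; sid:1000003;)',
    'alert icmp any any -> $HOME_NET any (msg:"unreachable"; itype:3; resp:icmp_net; sid:1000004;)',
]
```

Running `check_rule` over `SAMPLE_RULES` flags the UDP rule that asks for a TCP reset and the ICMP rule that would answer a destination-unreachable message with another unreachable, while the two well-formed rules produce no findings.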