[Snort-users] flexresp - I have 2 stupid questions

Jeff Nathan jeff at ...950...
Wed Nov 26 13:19:03 EST 2003

Hash: SHA1


I was in the midst of replying to your first question when I saw this 
one.  The first message posed an excellent question and I want to make 
sure that I do it justice when answering.  I'll send that one out 
soon.. more on that later, though.

The version of flexresp you're using will allow you to create ICMP host 
and network unreachable messages to send in response to ICMP echo 
requests.  These are the only types of ICMP responses appropriate for 
an ICMP echo request (as it relates to flexresp).

A log file isn't kept and it doesn't create special alerts to let you 
know whether or not it's working.

The version of flexresp you're using is designed to send responses 
primarily to the attacker.  The odds are very high that the target has 
received the packets by the time your Snort system can respond.

The new version of flexresp which is known as flexresp2 (which is still 
being improved), is intended to knock down TCP connections and is 
primarily focused on sending responses to only the target (or server).

To answer your previous email message, flexresp may not work as you've 
currently configured it.  When it sends a response it uses the routing 
table on your computer to determine which network interface should be 
used to transmit the response.  If your "administrative" interface on 
the Snort system has a default route, then it's possible the response 
packets could make it back to the attacker.  But, I can't say for 
certain without having more information.

I was in the midst of writing a response to you that included an 
example on how to test flexresp2 when I discovered an oversight in the 
design of the new inline response functionality.  I'd like to be more 
helpful by sending you an example but before I send an example, I'd 
like to make sure the new code functions as I think it ought to.

Here are some guidelines for using flexresp.

The current (old) version of flexresp uses the routing table of the 
system on which it is running to determine which interface to send 
responses from.

The process of active response (which is the more general term for what 
flexresp in Snort is trying to achieve: tearing down connections), is a 
race between the attacker and the system attempting to perform the 
active response.  The attacker has an inherent advantage because his or 
her packets are generated as a result of using the network.  
Conversely, active response must create packets for the responses after 
first identifying the "bad" network traffic.

Use TCP reset responses for TCP only.  Use ICMP Port/Net or Host 
unreachable responses for UDP.  Use ICMP Net or Host unreachable 
responses for ICMP packets.  But, keep in mind that some ICMP packets 
are error messages generated by an IP stack and others are 
informational messages.  The steadfast rule is that ICMP error messages 
should not be generated as a response to an ICMP error message.  So, if 
your kernel's IP stack (or in this case, Snort) sees an ICMP error 
message, it shouldn't generate another ICMP error message in response 
to the first error.  This could cause a war of ICMP error messages.

If you're sure that you've got your routing table setup properly and 
that the administrative interface should have a way of sending packets 
back to the attacker, and you're sure that your Snort rules apply to a 
service running on the target, then you should be able to use a packet 
sniffer and look for the responses generated by flexresp.  Even if the 
responses have no effect (because they're sent too late) you should see 

Take care,

- -Jeff

On Nov 26, 2003, at 3:23 PM, Rich Stryker wrote:

> I have the libnetNT.dll in the winnt\system32 directory. I have pinged 
> the servers that flexresp should be monitoring but I still get a 
> response when i think I should be getting dropped packets.
> does flexresp write a log somewhere that I can see if it is loading 
> properly or functioning properly or reading packets properly but is 
> unable to respond to?
> -----Original Message-----
> From: Matt Kettler [mailto:mkettler at ...4108...]
> Sent: Wednesday, November 26, 2003 11:57
> To: Rich Stryker; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] flexresp - I have 2 stupid questions
> At 10:26 AM 11/26/2003, Rich Stryker wrote:
>> *       If I have unbound TCP/IP on the outside NIC where I have set
>> flexresp, I have set the rules to send ICMP null responses, will 
>> flexresp
>> actually work?
> It should... flexresp uses libnet to generate the packets and does not 
> rely
> on the local tcp/ip stack.
>> *       How do you know if flexresp is working?
> Um.. test it?
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?  SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

- --
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age
eighteen."   - Albert Einstein

Version: GnuPG v1.2.3 (Darwin)


More information about the Snort-users mailing list