[Snort-users] Flex-Response, anyone using it?

Jason security at ...5028...
Wed May 19 19:49:02 EDT 2004


I have never used this method for this case, but I have for similar cases 
before. I think you can solve the interface problem by adding an additional 
interface, providing it any address, creating routes for your HOME_NET 
to use that interface, and adding different routes out the actual 
interface for the network you use for management.

If you use the example provided below, then add an iptables/whatever rule 
to drop any packets arriving on the response interface into the bit 
bucket, to prevent any traffic from entering using the injection interface.

Also drop into the bit bucket any that have a source or dest address in 
the 127.0.0.0 net, to prevent possibly polluting the wire with loopback 
traffic.

It will be a few weeks before I can get around to testing it for this 
case, so if anyone wants to give it a try and confirm functionality, "that 
would be great".

Don't forget... When you report your test results back to the list, do 
not forget that the TPS report has a new format. Didn't you read the memo?

Example:

[root at ...11832... root]# ifconfig eth1 127.0.0.2
[root at ...11832... root]# ifconfig eth1 up
[root at ...11832... root]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:90:27:F1:3B:6F
           inet addr:127.0.0.2  Bcast:127.255.255.255  Mask:255.0.0.0
           UP BROADCAST MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
           Interrupt:6 Base address:0xde80 Memory:ff8fe000-ff8fe038

[root at ...11832... root]# route add -net 12.110.1.0 netmask 255.255.255.0 dev eth1
[root at ...11832... root]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
12.110.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
172.16.18.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.215.0   0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 eth1
0.0.0.0         172.16.18.1     0.0.0.0         UG        0 0          0 eth0
James Riden wrote:
> Jason Haar <Jason.Haar at ...294...> writes:
> 
> 
>>On Wed, May 19, 2004 at 03:04:28PM -0500, Paul Schmehl wrote:
>>
>>>>I'm curious to know how many people, if any, are using Flex-Response and
>>>>what kind of results they have seen?  I've been using it for some P2P
>>>>rules but haven't actually tested it from the client.  Any information
>>>>would be greatly appreciated.
>>
>>We use it and it works well. We've turned it on for specific rules - such as
>>BLASTER and Sasser exploits. 
>>
>>However you must appreciate it relies VERY much on your network
>>configuration. All TCP RSETs are sent from eth0 (your primary Ethernet
>>interface) with spoofed IP addresses. 
> 
> 
> Not true on my setup; it goes on the OS routing table AFAICT. My setup
> is eth0 without an IP address, hence no routes, so eth1 gets used for
> flexresp traffic.
> 
> cheers,
>  Jamie
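An added example, not from the thread: a small Python check that applies Jamie's point (the RST leaves on whatever interface the OS routing table picks) to the route table shown in the example above, and flags the two things the post says to guard against: HOME_NET not routing out the response interface, and a 127.0.0.0/8 route on that interface. The table text is a constructed copy of the post's `netstat -rn` output with the wrapped Iface column rejoined; the tie-break rule (first listed route wins) is an assumption.

```python
import ipaddress

# Constructed sample: the `netstat -rn` table from the post, Iface column rejoined.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
12.110.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
172.16.18.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.215.0   0.0.0.0         255.255.255.0   U         0 0          0 vmnet8
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 eth1
0.0.0.0         172.16.18.1     0.0.0.0         UG        0 0          0 eth0
"""

def parse_routes(text):
    """Return [(network, gateway, iface)] in table order, skipping header lines."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or not cols[0][0].isdigit():
            continue
        net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}")  # Destination/Genmask
        routes.append((net, cols[1], cols[7]))
    return routes

def egress_iface(routes, dst):
    """Longest-prefix match. Assumption: on a tie the first listed route wins."""
    best = None
    for net, _gw, iface in routes:
        if ipaddress.ip_address(dst) in net and (
                best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def check_flexresp_setup(routes, home_net, resp_iface):
    """Findings for the dedicated-response-interface setup from the post:
    HOME_NET must egress on resp_iface, and a 127/8 route on it is a leak risk."""
    findings = []
    home = ipaddress.ip_network(home_net)
    probe = str(home.network_address + 1)  # any host inside HOME_NET
    if egress_iface(routes, probe) != resp_iface:
        findings.append(f"HOME_NET {home_net} does not route via {resp_iface}")
    loopback = ipaddress.ip_network("127.0.0.0/8")
    for net, _gw, iface in routes:
        if iface == resp_iface and net.subnet_of(loopback):
            findings.append(f"127.0.0.0/8 route on {iface}: drop loopback src/dst")
    return findings
```

Run it against your own `netstat -rn` output with your HOME_NET and response interface to confirm the RSTs will actually leave where you expect before enabling flexresp on a rule.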
