[Snort-users] Flex-Response, anyone using it?
security at ...5028...
Wed May 19 19:49:02 EDT 2004
I have never used this method for this case but similar cases before. I
think you can solve the interface problem by adding an additional
interface, providing it any address, creating routes for your HOME_NET
to use that interface, add different routes for the network you use to
manage out the actual interface.
If you use the example provided below then add an iptables/whatever rule
do drop any packets arriving on the response interface into the bit
bucket to prevent any traffic from entering using the injection interface.
Also drop into the bit bucket any that have a source or dest address in
the 127.0.0.0 net to prevent possibly polluting the wire with loopback
It will be a few weeks before I can get around to testing it for this
case so if anyone wants to give it a try and confirm functionality "that
would be great".
Don't forget... When you report your test results back to the list do
not forget that the TPS report has a new format, didn't you read the memo.
[root at ...11832... root]# ifconfig eth1 127.0.0.2
[root at ...11832... root]# ifconfig eth1 up
[root at ...11832... root]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:90:27:F1:3B:6F
inet addr:127.0.0.2 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:6 Base address:0xde80 Memory:ff8fe000-ff8fe038
[root at ...11832... root]# route add -net 18.104.22.168 netmask 255.255.255.0 dev eth1
[root at ...11832... root]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
22.214.171.124 0.0.0.0 255.255.255.0 U 0 0 0
172.16.18.0 0.0.0.0 255.255.255.0 U 0 0 0
192.168.215.0 0.0.0.0 255.255.255.0 U 0 0 0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0
0.0.0.0 172.16.18.1 0.0.0.0 UG 0 0 0
James Riden wrote:
> Jason Haar <Jason.Haar at ...294...> writes:
>>On Wed, May 19, 2004 at 03:04:28PM -0500, Paul Schmehl wrote:
>>>>I'm curious to know how many people, if any, are using Flex-Response and
>>>>what kind of results they have seen? I've been using it for some P2P
>>>>rules but haven't actually tested it from the client. Any information
>>>>would be greatly appreciated.
>>We use it and it works well. We've turned it on for specific rules - such as
>>BLASTER and Sasser exploits.
>>However you much appreciate it relies VERY much on your network
>>configuration. All TCP RSETs are sent from eth0 (your primary Ethernet
>>interface) with spoofed IP addresses.
> Not true on my setup; it goes on the OS routing table AFAICT. My setup
> is eth0 without an IP address, hence no routes, so eth1 gets used for
> flexresp traffic.
More information about the Snort-users