[Snort-users] Snort Flex response layer 2 address issue
carl at ...14760...
Tue Feb 2 23:37:41 EST 2010
We have snort running on a box with two nics, eth0 is configured as the
management interface and eth2 is configured as the monitoring interface.
We are mirroring all interesting traffic to eth2 of the snort box. We
are trying to test the flex response, however, we never see the resets
generated by snort reach the client or server. I ran a tcpdump on the
snort box's management interface and we see flex response is trying to
send the resets; however, it seems to pull the layer 2 info from the
alert that triggered the flex response and uses it when sending the reset.
Here is a capture of the traffic snort saw that generated the flex response:
21:30:50.703838 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4
(0x0800), length 66: (tos 0x0, ttl 58, id 52741, offset 0, flags [DF],
proto TCP (6), length 52)
x.x.x.163.39485 > y.y.y.20.80: Flags [F.], cksum 0x194a (correct),
seq 2068258091, ack 3628601739, win 92, options [nop,nop,TS val
529950849 ecr 2742540099], length 0
Here is a capture of the reset that snort tries to send out:
21:07:24.702620 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4
(0x0800), length 54: (tos 0x0, ttl 64, id 44352, offset 0, flags
[none], proto: TCP (6), length: 40) x.x.x.163.35652 > y.y.y.20.http: R,
cksum 0xa867 (correct), 1675:1675(0) ack 1495 win 0
21:07:24.702601 00:0b:45:17:78:00 > 00:1d:b5:c4:ac:fe, ethertype IPv4
(0x0800), length 54: (tos 0x0, ttl 64, id 17445, offset 0, flags
[none], proto: TCP (6), length: 40) y.y.y..20.http > x.x.x.163.35652: R,
cksum 0xa6f7 (correct), 1679:1679(0) ack 1859 win 0
Notice that the MAC addresses are the same as in the original traffic.
This will not work since the client and server are on different subnets:
the reset has to be routed, so the destination MAC address of the reset
should be set to the MAC address of snort's default gateway; otherwise the
router would never pull the packets off the wire for them to be routed.
Are we missing a setting to get flex response working when the client
and server exist on separate networks?
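As an added diagnostic (not code from the original post or from Snort), the check below parses tcpdump `-e` style lines like the ones above and reports whether each injected RST carries a destination MAC that can actually be delivered: an on-link destination should resolve through ARP, anything off the sensor's subnet should be addressed to the default gateway's MAC. The sample lines, the sensor subnet, the gateway MAC and the unmasked IP addresses are constructed placeholders; the MACs are the ones shown in the post.

```python
import ipaddress
import re

# Constructed samples: the two RSTs Snort injected, as tcpdump -e prints them.
# IPs are placeholders for the masked x.x.x.163 / y.y.y.20 in the post.
RST_TO_SERVER = ("21:07:24.702620 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 "
                 "(0x0800), length 54: 10.0.0.163.35652 > 192.0.2.20.http: R, cksum 0xa867")
RST_TO_CLIENT = ("21:07:24.702601 00:0b:45:17:78:00 > 00:1d:b5:c4:ac:fe, ethertype IPv4 "
                 "(0x0800), length 54: 192.0.2.20.http > 10.0.0.163.35652: R, cksum 0xa6f7")

# Constructed: the sensor's management subnet and its default gateway's MAC.
SENSOR_NET = ipaddress.ip_network("10.10.10.0/24")
GATEWAY_MAC = "02:00:00:00:00:01"

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP4 = r"\d+\.\d+\.\d+\.\d+"
LINE_RE = re.compile(
    rf"(?P<smac>{MAC}) > (?P<dmac>{MAC}).*?(?P<sip>{IP4})\.\S+ > (?P<dip>{IP4})\.\S+:"
)


def parse_frame(line):
    """Pull source/destination MAC and IPv4 address out of one tcpdump -e line."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a tcpdump -e IPv4 line: %r" % line)
    return m.groupdict()


def expected_next_hop(dst_ip, sensor_net, gateway_mac, arp):
    """MAC the sensor must put in the Ethernet destination for dst_ip to be delivered.

    On-link hosts are reached directly (ARP); anything off-subnet must be handed
    to the default gateway, which is the point the post is making.
    """
    if ipaddress.ip_address(dst_ip) in sensor_net:
        return arp[dst_ip]
    return gateway_mac


def audit_resets(lines, sensor_net, gateway_mac, arp):
    """For each injected RST, compare observed vs. required destination MAC."""
    report = []
    for line in lines:
        f = parse_frame(line)
        want = expected_next_hop(f["dip"], sensor_net, gateway_mac, arp)
        report.append({"dst_ip": f["dip"], "observed_dst_mac": f["dmac"],
                       "expected_dst_mac": want,
                       "routable": f["dmac"].lower() == want.lower()})
    return report
```

Running `audit_resets([RST_TO_SERVER, RST_TO_CLIENT], SENSOR_NET, GATEWAY_MAC, {})` flags both resets as not routable, since their destination MACs are the copied endpoint MACs rather than the gateway's.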