[Snort-users] Snort Flex response layer 2 address issue

Carl carl at ...14760...
Tue Feb 2 23:37:41 EST 2010


We have snort running on a box with two NICs: eth0 is configured as the 
management interface and eth2 is configured as the monitoring interface. 
We are mirroring all interesting traffic to eth2 of the snort box. We 
are trying to test the flex response; however, we never see the resets 
generated by snort reach the client or server. I ran a tcpdump on the 
snort box's management interface and we see flex response is trying to 
send the resets; however, it seems to pull the layer 2 info from the 
alert that triggered the flex response and uses it when sending the reset.

Here is a capture of the traffic snort saw that generated the flex response

21:30:50.703838 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 
(0x0800), length 66: (tos 0x0, ttl 58, id 52741, offset 0, flags [DF], 
proto TCP (6), length 52)
     x.x.x.163.39485 > y.y.y.20.80: Flags [F.], cksum 0x194a (correct), 
seq 2068258091, ack 3628601739, win 92, options [nop,nop,TS val 
529950849 ecr 2742540099], length 0

Here is a capture of the reset that snort tries to send out

21:07:24.702620 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 
(0x0800), length 54: (tos 0x0, ttl  64, id 44352, offset 0, flags 
[none], proto: TCP (6), length: 40) x.x.x.163.35652 > y.y.y.20.http: R, 
cksum 0xa867 (correct), 1675:1675(0) ack 1495 win 0

21:07:24.702601 00:0b:45:17:78:00 > 00:1d:b5:c4:ac:fe, ethertype IPv4 
(0x0800), length 54: (tos 0x0, ttl  64, id 17445, offset 0, flags 
[none], proto: TCP (6), length: 40) y.y.y..20.http > x.x.x.163.35652: R, 
cksum 0xa6f7 (correct), 1679:1679(0) ack 1859 win 0

Notice that the mac-addresses are the same as the original traffic. 
This will not work since the client and server are on different subnets - 
the reset has to be routed, so the destination mac-address of the reset 
should be set to the mac-address of snort's default gateway; otherwise the 
router would never pull the packets off the wire for it to be routed. 
Are we missing a setting to get flex response working when the client 
and server exist on separate networks?
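
As an added diagnostic (not part of the original post, and not Snort's own code): a small Python check that parses tcpdump lines in the layout shown above and reports whether an injected RST can actually be routed to an off-subnet host. The gateway MAC, the sensor subnet and the documentation-range IPs are constructed placeholders, not values from the post.

```python
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed sample lines in the layout of the post's tcpdump output; the
# documentation-range IPs stand in for the anonymized x.x.x / y.y.y hosts.
TRIGGER = ("21:30:50.703838 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 "
           "(0x0800), length 66: (tos 0x0, ttl 58, id 52741, offset 0, flags [DF], "
           "proto TCP (6), length 52) 192.0.2.163.39485 > 198.51.100.20.80: "
           "Flags [F.], cksum 0x194a (correct), seq 2068258091, ack 3628601739, win 92")
RESET = ("21:07:24.702620 00:1d:b5:c4:ac:fe > 00:0b:45:17:78:00, ethertype IPv4 "
         "(0x0800), length 54: (tos 0x0, ttl  64, id 44352, offset 0, flags [none], "
         "proto: TCP (6), length: 40) 192.0.2.163.35652 > 198.51.100.20.http: R, "
         "cksum 0xa867 (correct), 1675:1675(0) ack 1495 win 0")
GATEWAY_MAC = "00:00:5e:00:01:01"   # assumed: MAC of the sensor's default gateway
SENSOR_NET = "203.0.113.0/24"       # assumed: subnet the sensor injects from

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3})\.(\w+)"

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip is_reset")  # one parsed line

def parse_frame(line):
    """Pull the L2/L3 addresses and the RST flag out of one `tcpdump -e` line."""
    macs = re.search(rf"{MAC} > {MAC},", line)
    ips = re.search(rf"{ENDPOINT} > {ENDPOINT}:", line)
    if not macs or not ips:
        raise ValueError("unrecognised tcpdump line: " + line[:40])
    # Old tcpdump prints "R," after the endpoints, newer versions "Flags [R.]".
    rst = re.search(r": R[,.]|Flags \[[^\]]*R[^\]]*\]", line) is not None
    return Frame(macs.group(1), macs.group(2), ips.group(1), ips.group(3), rst)

def reset_is_routable(reset, trigger, gateway_mac, sensor_net):
    """Can this injected RST reach a target on another subnet? It must carry the
    gateway's MAC as destination; echoing the alerting packet's MACs (the post's
    symptom) leaves nothing on the wire that a router will pick up and forward."""
    if not reset.is_reset:
        return False, "frame is not a RST"
    if ip_address(reset.dst_ip) in ip_network(sensor_net):
        return True, "target is on the sensor's own subnet; no routing needed"
    if reset.dst_mac.lower() == gateway_mac.lower():
        return True, "destination MAC is the sensor's gateway; the router will forward it"
    if (reset.src_mac, reset.dst_mac) == (trigger.src_mac, trigger.dst_mac):
        return False, "RST echoes the alerting packet's L2 addresses; off-subnet target unreachable"
    return False, "destination MAC is neither the gateway nor a local host"
```

Run it against the two captures and it flags the RST as unroutable for exactly the reason described above; substituting the gateway MAC as the destination makes the check pass.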
