[Snort-users] Snort tcp reset

Russ Combs rcombs at ...1935...
Wed May 9 00:38:10 EDT 2012


Check under "CONFIGURE SNIPING" in README.active.

On Tue, May 8, 2012 at 8:44 AM, Daniele Gallarato <
daniele.gallarato at ...11827...> wrote:

> I've other information.
>
> My Snort is passive: it sniffs from eth1 (a monitor interface on a Cisco
> switch) and is monitored via the eth0 interface.
> So we need the TCP reset to go out via the eth0 interface, but if I sniff
> traffic with tcpdump, I can see that the TCP reset is sent through eth1, and
> eth1 can't send traffic (due to the monitor interface limitation).
> With flexresp2 we could choose which interface to use for the reset:
>
> flexresp2 interface: eth0
>
> but this configuration option has disappeared with flexresp3.
>
> Anyone know how to address this problem?
>
> Thanks
> Daniele
>
>
> 2012/5/8 Daniele Gallarato <daniele.gallarato at ...11827...>
>
>> Sorry.
>>
>> Can anyone point me to documentation about TCP reset with flexresp3?
>>
>> Thanks
>> Daniele
>>
>>
>> 2012/5/4 Daniele Gallarato <daniele.gallarato at ...11827...>
>>
>>> Yes.
>>>
>>> I don't understand well the difference between flexresp3 (previously
>>> I used flexresp1, so I tried to use flexresp3) and active-response.
>>>
>>> If I configure
>>>
>>> config response: device eth0 attempts 2
>>>
>>>
>>> when Snort hits a reset rule, it floods the network and I can't reach it
>>> anymore...
>>>
>>> Thanks
>>>
>>>
>>> * Flexresp3 is new: the resp rule option keyword is used to configure active
>>>   responses for rules that fire.
>>>
>>>     ./configure --enable-flexresp3
>>>
>>>     alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)
>>>
>>> * resp_t includes all flexresp and flexresp2 options:
>>>
>>>     <resp_t> ::= \
>>>         rst_snd | rst_rcv | rst_all | \
>>>         reset_source | reset_dest | reset_both | icmp_net | \
>>>         icmp_host | icmp_port | icmp_all
>>>
>>> See README.flexresp3 for more.
>>>
>>>
>>>
>>> 2012/5/4 Russ Combs <rcombs at ...1935...>
>>>
>>>> Did you check README.active?
>>>>
>>>> On Fri, May 4, 2012 at 10:00 AM, Daniele Gallarato <
>>>> daniele.gallarato at ...11827...> wrote:
>>>>
>>>>> Hello.
>>>>>
>>>>> I've installed snort version 2.9.2.2 onto an ubuntu server
>>>>> (2.6.32-41-server #88-Ubuntu SMP).
>>>>>
>>>>> I've followed this good guide:
>>>>>
>>>>>
>>>>> http://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CHsQFjAB&url=http%3A%2F%2Fwww.snort.org%2Fassets%2F158%2F014-snortinstallguide292.pdf&ei=zd-jT5vCBPTa4QSl0rifCQ&usg=AFQjCNGaL8nB1vZPRodUBX6IQluwufpbFQ&sig2=FqFj5w3hOXP1NBcn3gbxoQ
>>>>>
>>>>> All seems to work properly.
>>>>>
>>>>> Only thing that doesn't work is flexresp3.
>>>>>
>>>>> In an old installation (2.4.3) with old flexresp, resets work.
>>>>>
>>>>> In this new installation, I've compiled snort with:
>>>>>
>>>>> ./configure --prefix=/usr/local/snort --enable-sourcefire
>>>>> --enable-active-response --enable-flexresp3
>>>>> make
>>>>> make install
>>>>>
>>>>> and written some local.rules (they work) and some reset.rules (they
>>>>> hit, appear in reports, but don't reset).
>>>>>
>>>>> Rule is:
>>>>>
>>>>> alert tcp <my_ip> any -> $HOME_NET 3389 (resp:rst_all; msg:"Reset Sessioni Remote Desktop"; sid:200004;)
>>>>>
>>>>> I've also checked packets with wireshark, I can't see any reset.
>>>>>
>>>>> Any help will be appreciated.
>>>>>
>>>>> Thanks
>>>>> Daniele Gallarato
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Live Security Virtual Conference
>>>>> Exclusive live event will cover all the ways today's security and
>>>>> threat landscape has changed and how IT managers can respond.
>>>>> Discussions
>>>>> will include endpoint security, mobile security and the latest in
>>>>> malware
>>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>
>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>> Snort news!
>>>>>
>>>>
>>>>
>>>
>>
>
>
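The problem in this thread, a sensor that sniffs on a SPAN port which cannot transmit, comes down to two things: what a TCP reset has to contain to be accepted by each end, and which NIC (and which Ethernet destination) carries it out of the box. The script below is an added example, my own code and not Snort's or part of the original messages. It builds the reset pair a rst_all response would inject for one sniffed segment, repeats it over several attempts, verifies the checksums, and shows the raw-socket send that needs an explicit egress device and destination MAC. The sample segment, the interface names and MACs, and the way extra attempts are spaced by the receive window are all assumptions made for illustration; the IPv4 and TCP layouts are the standard ones.

```python
"""Build the TCP resets a passive sensor injects for a sniffed segment.

Added example for this thread, not Snort's code. Layouts are plain IPv4/TCP;
the sample segment, interface names, MACs and the spacing of repeated
attempts are assumptions made for illustration.
"""
import socket
import struct
from dataclasses import dataclass

TH_RST, TH_ACK = 0x04, 0x10


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; data is padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass(frozen=True)
class Segment:
    """What a reset needs from a sniffed IPv4/TCP segment sent A -> B."""
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    payload_len: int
    window: int = 0  # B's advertised window; used to space extra attempts


def build_rst(src, dst, sport, dport, seq, ack) -> bytes:
    """IPv4 packet carrying a TCP RST/ACK with valid checksums, no Ethernet."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, TH_RST | TH_ACK, 0, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", internet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, src_b, dst_b)
    return ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:] + tcp


def rst_rcv(seg: Segment, attempt: int = 0) -> bytes:
    """RST to the receiver B, spoofed from A: seq must land in B's window, so
    use the next byte B expects after this segment; each extra attempt moves
    seq forward by one window (assumed spacing, not necessarily Snort's)."""
    return build_rst(seg.src, seg.dst, seg.sport, seg.dport,
                     seg.seq + seg.payload_len + attempt * seg.window, seg.ack)


def rst_snd(seg: Segment, attempt: int = 0) -> bytes:
    """RST to the sender A, spoofed from B: seq is what A last acked, ack
    covers everything A has sent so far."""
    return build_rst(seg.dst, seg.src, seg.dport, seg.sport,
                     seg.ack + attempt * seg.window, seg.seq + seg.payload_len)


def rst_all(seg: Segment, attempts: int = 1) -> list:
    """Both directions, `attempts` times each: the sniping knob in the thread."""
    return [f(seg, i) for i in range(attempts) for f in (rst_rcv, rst_snd)]


def parse(pkt: bytes) -> dict:
    """Decode a packet we built so the fields can be checked."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, _, flags, win, _, _ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    return dict(src=socket.inet_ntoa(pkt[12:16]), dst=socket.inet_ntoa(pkt[16:20]),
                sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, window=win)


def checksums_ok(pkt: bytes) -> bool:
    """A correct IP header and TCP segment each checksum to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(pkt) - ihl)
    return internet_checksum(pkt[:ihl]) == 0 and internet_checksum(pseudo + pkt[ihl:]) == 0


def send_via(packets, device: str, dst_mac: bytes, src_mac: bytes) -> int:
    """Inject out `device` with an explicit Ethernet destination (Linux, needs
    CAP_NET_RAW). A SPAN port such as the thread's eth1 never transmits, so a
    passive sensor injects via its other NIC; that NIC is normally not on the
    victim's segment, so the frame is addressed to the gateway's MAC. This is
    why the egress device and destination MAC have to be configurable."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((device, 0))
        return sum(s.send(dst_mac + src_mac + b"\x08\x00" + p) for p in packets)


if __name__ == "__main__":
    # Constructed sample: an RDP client segment like the one the thread's rule matches.
    seg = Segment("10.1.1.5", "10.1.1.20", 51000, 3389, 1000, 5000, 100, 8192)
    for pkt in rst_all(seg, attempts=2):
        print(parse(pkt), checksums_ok(pkt))
    # send_via(rst_all(seg, 2), "eth0", bytes.fromhex("001122334455"),  # gateway MAC (assumed)
    #          bytes.fromhex("66778899aabb"))                            # eth0's MAC (assumed)
```

In Snort 2.9 the knobs this script hand-rolls (egress device, number of attempts and, in builds that document it, a destination MAC) are the `config response:` settings in snort.conf described in the README.active section Russ points to; check that file for the exact keywords your build accepts. Two practical notes follow from the code: a reset that leaves eth0 without a correct gateway MAC is silently dropped, which looks exactly like "resp fires but nothing resets", and the `attempts` value multiplies the packets per alert in both directions, so a broad rule plus a high attempt count is how a sensor ends up flooding its own network.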