[Snort-users] Snort tcp reset

Russ Combs rcombs at ...1935...
Wed May 9 08:43:52 EDT 2012


On Wed, May 9, 2012 at 3:13 AM, Daniele Gallarato <daniele.gallarato at ...11827...> wrote:

> Thanks.
>
> I've configured snort.conf in this way:
>
> #
> config response: device eth0 attempts 1
> #
> preprocessor stream5_global: track_tcp yes, \
>    track_udp yes, \
>    track_icmp no, \
>    max_tcp 8192, \
>    max_udp 131072, \
>    max_active_responses 0, \
>    min_response_seconds 1
>
>
> if I don't set max_active_responses to 0, a strange thing happens:
> snort tries to reset all sessions that cause an alarm
>

That is what it is supposed to do.  If you just want specific rules, then
use the resp keyword.

>
> In this way, it seems to work well, and snort sends a tcp reset only for
> sessions that hit a resp:rst_all rule; but there is a problem: when snort
> begins to reset a session, the pc that hit the rule is blocked, it's flooded with
> tcp resets, and it's impossible to rejoin the network until I stop snort...
> Can anyone help me to solve this (I hope last) problem?
>

Can you send a pcap of this?

>
> Thanks.
> Daniele
> 2012/5/9 Russ Combs <rcombs at ...1935...>
>
>> Check under "CONFIGURE SNIPING" in README.active.
>>
>>
>> On Tue, May 8, 2012 at 8:44 AM, Daniele Gallarato <daniele.gallarato at ...11827...> wrote:
>>
>>> I have other information.
>>>
>>> My snort is passive: it sniffs from eth1 (a monitor interface on a cisco
>>> switch) and is monitored via the eth0 interface.
>>> So we need the tcp reset to go out through the eth0 interface, but if I sniff
>>> traffic with tcpdump, I can see that the tcp reset is sent through eth1, and
>>> eth1 can't send traffic (due to the monitor interface limitation).
>>> With flexresp2 we can choose which interface to use for the reset:
>>>
>>> flexresp2 interface: eth0
>>>
>>> but this configuration option has disappeared with flexresp3.
>>>
>>> Does anyone know how to address this problem?
>>>
>>> Thanks
>>> Daniele
>>>
>>>
>>> 2012/5/8 Daniele Gallarato <daniele.gallarato at ...11827...>
>>>
>>>> Sorry.
>>>>
>>>> Can anyone point me to documentation about tcp reset with flexresp3?
>>>>
>>>> Thanks
>>>> Daniele
>>>>
>>>>
>>>> 2012/5/4 Daniele Gallarato <daniele.gallarato at ...11827...>
>>>>
>>>>> Yes.
>>>>>
>>>>> I don't understand well the difference between flexresp3 (previously
>>>>> I used flexresp1, so I tried to use flexresp3) and active-response.
>>>>>
>>>>> If I configure
>>>>>
>>>>> config response: device eth0 attempts 2
>>>>>
>>>>>
>>>>> when snort hits a reset rule, it floods the network and I can't reach it
>>>>> anymore...
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>> * Flexresp3 is new: the resp rule option keyword is used to configure active
>>>>>   responses for rules that fire.
>>>>>
>>>>>     ./configure --enable-flexresp3
>>>>>
>>>>>     alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)
>>>>>
>>>>> * resp_t includes all flexresp and flexresp2 options:
>>>>>
>>>>>     <resp_t> ::= \
>>>>>         rst_snd | rst_rcv | rst_all | \
>>>>>         reset_source | reset_dest | reset_both | icmp_net | \
>>>>>         icmp_host | icmp_port | icmp_all
>>>>>
>>>>> See README.flexresp3 for more.
>>>>>
>>>>>
>>>>>
>>>>> 2012/5/4 Russ Combs <rcombs at ...1935...>
>>>>>
>>>>>> Did you check README.active?
>>>>>>
>>>>>> On Fri, May 4, 2012 at 10:00 AM, Daniele Gallarato <daniele.gallarato at ...11827...> wrote:
>>>>>>
>>>>>>> Hello.
>>>>>>>
>>>>>>> I've installed snort version 2.9.2.2 onto an ubuntu server
>>>>>>> (2.6.32-41-server #88-Ubuntu SMP).
>>>>>>>
>>>>>>> I've followed this good guide:
>>>>>>>
>>>>>>>
>>>>>>> http://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CHsQFjAB&url=http%3A%2F%2Fwww.snort.org%2Fassets%2F158%2F014-snortinstallguide292.pdf&ei=zd-jT5vCBPTa4QSl0rifCQ&usg=AFQjCNGaL8nB1vZPRodUBX6IQluwufpbFQ&sig2=FqFj5w3hOXP1NBcn3gbxoQ
>>>>>>>
>>>>>>> All seems to work properly.
>>>>>>>
>>>>>>> The only thing that doesn't work is flexresp3.
>>>>>>>
>>>>>>> In an old installation (2.4.3) with old flexresp, resets work.
>>>>>>>
>>>>>>> In this new installation, I've compiled snort with:
>>>>>>>
>>>>>>> ./configure --prefix=/usr/local/snort --enable-sourcefire
>>>>>>> --enable-active-response --enable-flexresp3
>>>>>>> make
>>>>>>> make install
>>>>>>>
>>>>>>> and written some local.rules (they work) and some reset.rules (they
>>>>>>> hit the rule and appear in reports, but don't reset).
>>>>>>>
>>>>>>> Rule is:
>>>>>>>
>>>>>>> alert tcp <my_ip> any -> $HOME_NET 3389 (resp: rst_all; msg:"Reset Sessioni Remote Desktop"; sid:200004;)
>>>>>>>
>>>>>>> I've also checked packets with wireshark; I can't see any reset.
>>>>>>>
>>>>>>> Any help will be appreciated.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Daniele Gallarato
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Live Security Virtual Conference
>>>>>>> Exclusive live event will cover all the ways today's security and
>>>>>>> threat landscape has changed and how IT managers can respond.
>>>>>>> Discussions
>>>>>>> will include endpoint security, mobile security and the latest in
>>>>>>> malware
>>>>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>>>>> _______________________________________________
>>>>>>> Snort-users mailing list
>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>> Snort-users list archive:
>>>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>>>>>
>>>>>>> Please visit http://blog.snort.org to stay current on all the
>>>>>>> latest Snort news!
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>
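The RST flood Daniele describes can be confirmed from a capture taken on the management interface before giving up on active response entirely. The following Python script is an added example, not code from this thread or from Snort: it parses raw Ethernet/IPv4/TCP frames (a small capture constructed inline here), counts RST segments per directional flow, and flags flows whose RST count exceeds the `attempts` value from `config response`, on the assumption that a single alert produces at most `attempts` RSTs per direction, so anything above that means the response is being re-triggered on every retry rather than fired once.

```python
import struct
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10

def build_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0):
    """Build a minimal Ethernet/IPv4/TCP frame (no payload, zero checksums) for the sample capture."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def tcp_rsts(frames):
    """Yield (src, dst, sport, dport) for every IPv4/TCP frame that carries the RST flag."""
    for f in frames:
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # not IPv4/TCP, or too short to hold both headers
        ihl = (f[14] & 0x0F) * 4
        tcp = f[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        if tcp[13] & RST:  # byte 13 of the TCP header holds the flags
            src = ".".join(map(str, f[26:30]))
            dst = ".".join(map(str, f[30:34]))
            yield (src, dst, sport, dport)

def rst_flood_report(frames, attempts):
    """Flows with more RSTs than one response should produce (assumes <= attempts RSTs per direction per alert)."""
    counts = Counter(tcp_rsts(frames))
    return {flow: n for flow, n in counts.items() if n > attempts}

def sample_frames():
    """Constructed capture: one RDP handshake, the sensor's resets re-firing four times, plus one unrelated RST."""
    c, s = "10.0.0.5", "192.168.1.10"
    frames = [build_frame(c, s, 50000, 3389, SYN, seq=1000),
              build_frame(s, c, 3389, 50000, SYN | ACK, seq=5000, ack=1001),
              build_frame(c, s, 50000, 3389, ACK, seq=1001, ack=5001)]
    for i in range(4):  # rst_all hits both ends each time the rule fires again
        frames.append(build_frame(s, c, 3389, 50000, RST | ACK, seq=5001 + i, ack=1001))
        frames.append(build_frame(c, s, 50000, 3389, RST | ACK, seq=1001 + i, ack=5001))
    frames.append(build_frame("10.0.0.7", s, 40000, 22, RST | ACK))  # ordinary single RST, not flagged
    return frames

if __name__ == "__main__":
    for flow, n in rst_flood_report(sample_frames(), attempts=1).items():
        print(f"{flow[0]}:{flow[2]} -> {flow[1]}:{flow[3]}: {n} RSTs (attempts=1)")
```

Feeding real frames from a pcap (for example via a pcap reader's raw packet bytes) into `rst_flood_report` in place of `sample_frames()` shows at a glance which sessions the sensor keeps resetting.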