[Snort-users] How to use react under IPS mode correctly?

Hsuan-Yi Sung newdominic at ...11827...
Wed May 3 22:02:57 EDT 2017


Hi,

I'm running Snort 2.9.8.3 on FreeBSD 10.3-RELEASE, under inline mode with
daq-ipfw.

I've been trying to use the "react" keyword in my rules to send a fake
response page to the client.
At first, I tried the rules below:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; react:msg;
sid:1002; rev:001;)

The client can't even make a successful handshake with the destination IP.
After doing some research on sp_react.c (and some googling), I guess this
must be triggered only after the connection is established. So I added the
"flow" keyword:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
flow:established,from_client; react:msg; sid:1002; rev:001;)

By using tcpdump, I can see the connection established, also the HTTP GET
request packet.
But the forged response still does not show up.

So I dug deeper, and found that in spp_stream6.c,

static void StreamDropPacket( Packet *p ) {
...
...
    /* packets flagged PKT_STATELESS skip this call; for every other
       packet the session's traffic is dropped in both directions */
    if (!(p->packet_flags & PKT_STATELESS))
        session_api->drop_traffic(p, p->ssnptr, SSN_DIR_BOTH);
}

The drop_traffic function causes all the injected packets to be blocked.
Finally, I switched the parameter of "flow" to "stateless":

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
flow:stateless; react:msg; sid:1002; rev:001;)

Now I can see the fake response page and connection reset packets.

I'm not sure whether I misunderstood the code or not; is this the right way
to use "react" under inline mode?
Do I have to treat the HTTP packet as stateless?
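The rule-by-rule finding in the message above can be turned into a quick lint pass over a rules file. The script below is an added example, not Snort code and not the poster's: it parses the three rules from the post (constructed copies joined onto single lines) and flags a react rule that has no flow option, or uses flow:established without stateless, or is not a tcp rule. The premise that only flow:stateless lets react's injected response through in inline mode is taken from the poster's observation, not from the Snort documentation; the function names and finding texts are this example's own.

```python
"""Added example: lint Snort 2.x rules that use the "react" keyword.

Not Snort code. It encodes the observation from the post above as a
check: a react rule without "flow" never sees an established connection,
one with "flow:established" has its injected response dropped by
StreamDropPacket, and "flow:stateless" is the variant that worked.
"""
import re
from typing import Dict, List


def split_options(body: str) -> List[str]:
    """Split a rule option body on ';' while honouring double quotes and
    backslash escapes, so content:"a\\;b" stays a single option."""
    out, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                out.append(tok)
            cur = []
        else:
            cur.append(ch)
    tok = "".join(cur).strip()
    if tok:
        out.append(tok)
    return out


def parse_rule(rule: str) -> Dict:
    """Split one rule into action, header fields and an option map.
    Options that may repeat (e.g. content) are kept as lists."""
    m = re.match(r"\s*(\w+)\s+([^(]*)\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    action, header, body = m.groups()
    options: Dict[str, List[str]] = {}
    for tok in split_options(body):
        key, _, val = tok.partition(":")
        options.setdefault(key.strip(), []).append(val.strip())
    return {"action": action, "header": header.split(), "options": options}


def lint_react_rule(rule: str) -> List[str]:
    """Return findings for a rule using react; [] for rules that do not
    use react or that follow the working flow:stateless pattern."""
    parsed = parse_rule(rule)
    opts = parsed["options"]
    if "react" not in opts:
        return []
    sid = opts.get("sid", ["?"])[0]
    findings = []
    proto = parsed["header"][0] if parsed["header"] else ""
    if proto != "tcp":  # react forges a TCP response, so a tcp header is required
        findings.append(f"sid {sid}: react needs a tcp rule, got {proto!r}")
    flags = {f.strip() for v in opts.get("flow", []) for f in v.split(",")}
    if not flags:
        findings.append(f"sid {sid}: react without flow; matches before the handshake completes")
    elif "established" in flags and "stateless" not in flags:
        findings.append(f"sid {sid}: react with flow:established; injected response is dropped by stream5 in inline mode")
    return findings


def lint_rules(text: str) -> List[str]:
    """Lint every non-comment line of a rules file (one rule per line)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            findings.extend(lint_react_rule(line))
    return findings


# The three rules from the post, joined onto one line each (constructed input).
RULE_NO_FLOW = ('alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; '
                'react:msg; sid:1002; rev:001;)')
RULE_ESTABLISHED = ('alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; '
                    'flow:established,from_client; react:msg; sid:1002; rev:001;)')
RULE_STATELESS = ('alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; '
                  'flow:stateless; react:msg; sid:1002; rev:001;)')

if __name__ == "__main__":
    for rule in (RULE_NO_FLOW, RULE_ESTABLISHED, RULE_STATELESS):
        print(rule)
        for finding in lint_react_rule(rule) or ["ok"]:
            print("  " + finding)
```

Run it against a rules file with `lint_rules(open("local.rules").read())`; the option splitter keeps escaped or quoted semicolons inside content and msg strings intact, which a naive `split(";")` would break.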
