[Snort-users] How to use react under IPS mode correctly?

Hsuan-Yi Sung newdominic at ...11827...
Mon May 8 02:22:46 EDT 2017


Yes, before I set the rule to stateless, Snort is blocking the active
responses, which should be injected via Active_SendData() and
Active_SendReset() in sp_react.c.

I added some debug messages into the daq library, and it showed that the
ipfw_daq_forward() function did return DAQ_SUCCESS while calling the
functions mentioned above.

I know it might be wrong making it stateless, just trying to figure out
where and why the injected packets get blocked.

I'll try the react plugin on other platforms these days for some
cross-comparison.

2017-05-05 20:30 GMT+08:00 Russ <rucombs at ...589...>:

> That doesn't sound right.  You shouldn't have to be stateless. Also, are
> you saying Snort is blocking your active responses?  They should be sent
> from Snort but not through Snort.
>
>
> On 5/3/17 10:02 PM, Hsuan-Yi Sung wrote:
>
>> Hi,
>>
>> I'm running Snort 2.9.8.3 on FreeBSD 10.3-RELEASE, under inline mode with
>> daq-ipfw.
>>
>> I've been trying to use the "react" keyword in my rules to send a fake
>> response page to client.
>> At first, I tried the rules below:
>>
>> alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
>> react:msg;
>> sid:1002; rev:001;)
>>
>> The client can't even make a successful handshake with the destination IP.
>> After doing some research on sp_react.c (and some googling), I guess this
>> must be triggered only after the connection established. So I added the
>> "flow" keyword:
>>
>> alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
>> flow:established,from_client; react:msg; sid:1002; rev:001;)
>>
>> By using tcpdump, I can see the connection established, also the HTTP GET
>> request packet.
>> But the forged response still not showing.
>>
>> So I dig deeper, and found that in spp_stream6.c,
>>
>> static void StreamDropPacket( Packet *p ) {
>> ...
>> ...
>>      if (!(p->packet_flags & PKT_STATELESS))
>>          session_api->drop_traffic(p, p->ssnptr, SSN_DIR_BOTH);
>> }
>>
>> The drop_traffic function made all the injected packet blocked.
>> Finally, I switched the parameter of "flow" to "stateless":
>>
>> alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
>> flow:stateless; react:msg; sid:1002; rev:001;)
>>
>> Now I can see the fake response page and connection reset packets.
>>
>> Not sure if I misunderstood the code or not, is this the right way to use
>> "react" under inline mode?
>> Do I have to treat the HTTP packet stateless?
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>


-- 
Best Regards,
Hsuan-Yi Sung



More information about the Snort-users mailing list