[Snort-users] WAN IPS + LAN Snort IDS: Signature events visible on both sides?

Al Lewis (allewi) allewi at cisco.com
Tue Dec 18 15:52:22 EST 2018

Not sure I understand the question, but the signature/event packet that alerts probably wont have the reset.

Have you tried capturing the traffic (with another tool) or tagging the snort event (to see traffic around the time of alert)?

If you run snort inline (i.e afpacket) you can dump the daq to see the traffic handled. You may see the reset packet there.

Albert Lewis
Cisco Systems Inc.
Email: allewi at cisco.com<mailto:allewi at cisco.com>

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Snort IPS via Snort-users <snort-users at lists.snort.org>
Reply-To: Snort IPS <snortvsips at gmail.com>
Date: Tuesday, December 18, 2018 at 3:19 PM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] WAN IPS + LAN Snort IDS: Signature events visible on both sides?

I currently use snort as a backup IDS to inspect LAN traffic.  I find myself in the unusual position that a commercial IPS that I have deployed on the WAN side will identify signatures and label them as blocked, but our Snort IDS on the LAN side sees the exact same signature events on our LAN side.  I must be old, but I was certain that blocked traffic at our WAN edge IPS system should NOT be visible by our internal LAN snort IDS.

The commercial IPS claims that a TCP reset flag is set to break the connection to prevent the exploit payload from delivering, but I don't see the flag within the same signature packet on the LAN side.

I don't know if I'm just stupid and unaware of this newer firewall technique, or if the commercial IPS that we use is broken in some way (intentional or otherwise).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20181218/0049b256/attachment.html>

More information about the Snort-users mailing list