Not sure I understand the question, but the signature/event packet that alerts probably wont have the reset.

 

Have you tried capturing the traffic (with another tool) or tagging the snort event (to see traffic around the time of alert)?

 

If you run snort inline (i.e afpacket) you can dump the daq to see the traffic handled. You may see the reset packet there.

 

 

Albert Lewis

ENGINEER.SOFTWARE ENGINEERING

Cisco Systems Inc.

Email: allewi@cisco.com 

 

 

From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Snort IPS via Snort-users <snort-users@lists.snort.org>
Reply-To: Snort IPS <snortvsips@gmail.com>
Date: Tuesday, December 18, 2018 at 3:19 PM
To: "snort-users@lists.snort.org" <snort-users@lists.snort.org>
Subject: [Snort-users] WAN IPS + LAN Snort IDS: Signature events visible on both sides?

 

I currently use snort as a backup IDS to inspect LAN traffic.  I find myself in the unusual position that a commercial IPS that I have deployed on the WAN side will identify signatures and label them as blocked, but our Snort IDS on the LAN side sees the exact same signature events on our LAN side.  I must be old, but I was certain that blocked traffic at our WAN edge IPS system should NOT be visible by our internal LAN snort IDS.

 

The commercial IPS claims that a TCP reset flag is set to break the connection to prevent the exploit payload from delivering, but I don't see the flag within the same signature packet on the LAN side.

 

I don't know if I'm just stupid and unaware of this newer firewall technique, or if the commercial IPS that we use is broken in some way (intentional or otherwise).