[PLUG] snort_inline

Tim Slighter tcslighter at gmail.com
Tue Jun 20 22:55:17 UTC 2006


Straight out of the snort manual:


3.7.3 resp

The resp keyword is used to attempt to close sessions when an alert is
triggered. In Snort, this is called flexible response.

Flexible Response supports the following mechanisms for attempting to
close sessions:

Option      Description
rst_snd     Send TCP-RST packets to the sending socket
rst_rcv     Send TCP-RST packets to the receiving socket
rst_all     Send TCP-RST packets in both directions
icmp_net    Send a ICMP_NET_UNREACH to the sender
icmp_host   Send a ICMP_HOST_UNREACH to the sender
icmp_port   Send a ICMP_PORT_UNREACH to the sender
icmp_all    Send all above ICMP packets to the sender

These options can be combined to send multiple responses to the target host.

3.7.3.1 Format


resp: <resp_mechanism>[,<resp_mechanism>[,<resp_mechanism>]];

3.7.3.2 Warnings

This functionality is not built in by default. Use the
--enable-flexresp flag to configure when building Snort to enable this
functionality.

Be very careful when using Flexible Response. It is quite easy to get
Snort into an infinite loop by defining a rule such as:


alert tcp any any -> any any (resp:rst_all;)

It is easy to be fooled into interfering with normal network traffic as well.

3.7.3.3 Example

The following example attempts to reset any TCP connection to port 1524.

alert tcp any any -> any 1524 (flags:S; resp:rst_all;)

3.7.4 react

This keyword implements an ability for users to react to traffic that
matches a Snort rule. The basic reaction is blocking interesting sites
users want to access: New York Times, slashdot, or something really
important - napster and porn sites. The React code allows Snort to
actively close offending connections and/or send a visible notice to
the browser. The notice may include your own comment. The following
arguments (basic modifiers) are valid for this option:

block - close connection and send the visible notice
warn - send the visible, warning notice (will be available soon)
The basic argument may be combined with the following arguments
(additional modifiers):

msg - include the msg option text into the blocking visible notice
proxy: port_nr - use the proxy port to send the visible notice (will
be available soon)
Multiple additional arguments are separated by a comma. The react
keyword should be placed as the last one in the option list.

3.7.4.1 Format


react: <react_basic_modifier[, react_additional_modifier]>;
	
Figure 3.22: React Usage Example

3.7.4.2 Warnings

React functionality is not built in by default. This code is currently
bundled under Flexible Response, so enabling Flexible Response
(--enable-flexresp) will also enable React.

Be very careful when using react. Causing a network traffic generation
loop is very easy to do with this functionality.


On 6/20/06, Carla Schroder <carla at bratgrrl.com> wrote:
> OK, that helps, I didn't know that react and resp were Snort keywords. Until
> now I've relied on Oinkmaster to download new rules and not tinkered much
> with the guts. Woohoo, progress!
>
> On Tuesday 20 June 2006 12:21 pm, Tim Slighter wrote:
> > You are right, I got most of my information using the snort manual for
> > how to configure and change the rules.  It is pretty straightforward.
> > You will need to have a specific version of libnids from packetfactory
> > and when you attempt to build using
> >
> > ./configure --enable-flexresp
> >
> > it will tell you exactly what version you need and where to get it.
> >
> > The rules come down to react and resp depending upon which side of the
> > connection you want to drop.  Sorry I cannot be of much more help in
> > terms of documentation.  If you want an already configured version that
> > runs from a bootable cd, check out network security toolkit at -
> > http://www.networksecuritytoolkit.org.
> >
> >
> > On 6/20/06, Carla Schroder <carla at bratgrrl.com> wrote:
> > > There are all kinds of docs for snort-inline, it's --enable-flexresp that's
> > > I'm having trouble with. Though searching on 'flexresp' gets some hits.
> > >
> > > On Tuesday 20 June 2006 11:33 am, Tim Slighter wrote:
> > > > which one?  snort-inline or flex-response?
> > > >
> > > >
> > > > On 6/20/06, Carla Schroder <carla at bratgrrl.com> wrote:
> > > > >
> > > > > Can you point me to a reference? I'm looking all over and not finding much
> > > > > information. Thanks!
> > > > >
> > > > > On Monday 19 June 2006 10:47 pm, Tim Slighter wrote:
> > > > > > Have used it many times but configuring and building snort --enable-flexresp
> > > > > > is a lot easier
> > > > > >
> > > > > > On 6/19/06, Carla Schroder <carla at bratgrrl.com> wrote:
> > > > > > >
> > > > > > > Is anyone running snort_inline? It looks interesting, but it's a lot of
> > > > > > > work to set up, so I'd like to hear from any brave souls that have
> > > > > > > already given it a go.
> > > > > > >
> > > > >
> > > > > --
> > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > > Carla Schroder
> > > > > check out my "Linux Cookbook", the ultimate Linux user's
> > > > > and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
> > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > > _______________________________________________
> > > > > PLUG mailing list
> > > > > PLUG at lists.pdxlinux.org
> > > > > http://lists.pdxlinux.org/mailman/listinfo/plug
> > > > >
> > >
>
>
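As an added example (not from the thread or from the Snort manual), here is a small Python linter for the two keywords quoted above: it parses a one-line Snort rule, checks resp mechanisms and react modifiers against the lists in the manual excerpt, flags a react keyword that is not the last option, and flags the `any any -> any any` header that the manual warns can send Snort into a loop. The rule grammar here is a simplifying assumption (single-line rules, options split on unquoted semicolons), not a full Snort parser.

```python
import re
from typing import Dict, List, Tuple

# Value lists taken from the manual excerpt quoted in the message above.
RESP_MECHANISMS = {"rst_snd", "rst_rcv", "rst_all",
                   "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
REACT_BASIC = {"block", "warn"}
REACT_EXTRA = {"msg", "proxy"}

# Assumed simplified header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
# Split on ';' only when it is outside double quotes (e.g. inside msg:"...").
OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_rule(rule: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return (header fields, ordered [(option, value)]) for one rule line."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a single-line Snort rule: %r" % rule)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    header = dict(action=action, proto=proto, src=src, sport=sport,
                  direction=direction, dst=dst, dport=dport)
    options = []
    for opt in filter(None, (o.strip() for o in OPT_SPLIT_RE.split(body))):
        key, _, val = opt.partition(":")
        options.append((key.strip(), val.strip()))
    return header, options


def lint_rule(rule: str) -> List[str]:
    """Return findings about resp/react usage; an empty list means no issue."""
    header, options = parse_rule(rule)
    findings: List[str] = []
    # A header with no address or port constraint also matches the RST/ICMP
    # packets Snort itself emits, which is how the loop the manual warns about arises.
    unconstrained = all(header[f] == "any" for f in ("src", "sport", "dst", "dport"))
    for idx, (key, val) in enumerate(options):
        if key == "resp":
            mechs = [x.strip() for x in val.split(",")]
            bad = [x for x in mechs if x not in RESP_MECHANISMS]
            if bad:
                findings.append("resp: unknown mechanism(s) %s" % ", ".join(bad))
            if len(mechs) > 3:
                findings.append("resp: format allows at most three mechanisms")
            if unconstrained:
                findings.append("resp: header matches all traffic, infinite loop risk")
        elif key == "react":
            mods = [x.strip() for x in val.split(",")]
            if not mods or mods[0] not in REACT_BASIC:
                findings.append("react: first modifier must be block or warn")
            for extra in mods[1:]:
                if extra.split(":")[0].strip() not in REACT_EXTRA:
                    findings.append("react: unknown modifier %r" % extra)
            if idx != len(options) - 1:
                findings.append("react: should be the last option in the rule")
            if unconstrained:
                findings.append("react: header matches all traffic, loop risk")
    return findings
```

Run it over a rules file line by line before loading rules into a flexresp-enabled Snort; the two example rules from the manual excerpt give an empty list and a loop warning respectively.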


