Snort mailing list archives

RE: flexresp question/help


From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Wed, 19 Dec 2001 01:01:51 -0600

-> -----Original Message-----
-> From: Phil Wood [mailto:cpw () lanl gov]
-> Sent: Tuesday, December 18, 2001 10:48 PM
-> To: Ronneil Camara
-> Cc: snort-users () lists sourceforge net
-> Subject: Re: [Snort-users] flexresp question/help
-> 
-> 
-> "It" will work only if your sensor has a real live IP route 
-> to the hosts

I actually have 2 interfaces, 1 on the internal side for management,
and the other 1, which doesn't have an IP address, for sensing.

Actually, that box does know how to reach anyone on the internet.
I know it's a bad idea to have this kind of setup.


-> in question.  If I remember it right, you picked the option 
-> to send a RST
-> in both directions, one to the cracker and one to the 
-> server.  So, you

I'm just curious if my box will be able to send a RST back to the
attacker since the attack was captured on the stealth interface.
Can we tell snort to send the RST using a specific interface?

-> might want to do a traceroute first to your test cracker and 
-> your test
-> server from your sensor and see if the routing from your 
-> sensor works.
-> Then, you should be able to say "it" should work.  I don't 
-> believe your
-> packets would be able to route out your "stealth" port.  

Yup, I believe you, 'cause there is no IP address on it.

-> But, you should
-> be able to see the ones directed to the external net.  

Yup, I am seeing a lot of attacks, specifically WEB-IIS attacks,
Code Red II, Unicode, and so on.

-> Again, this all
-> depends on where the sensor is in the scheme of things.

Again, 1 interface (tl0) goes to the DMZ without an IP address,
and the other interface, xl0, goes to the LAN with an IP address.

-> 
-> Please take the time to draw a picture of the available 
-> routes, including
-> any acls that might limit your success.  For example, do you have two
-> or more interfaces on your sensor which would affect how 
-> your response
-> will travel to its destination.

 
  internet
     |
     |
     |
   +---+
   |CP |  DMZ (server farm)
   |fw |------------------+-----
   |   |   |    |         |
   |   |  IIS5 IIS5       | tl0 (no ip address)
   +---+   A    B       +---+
     |                  |   |
     |<---------------> +---+
     |                 -------
    LAN                snort@
                   192.168.0.1, xl0

-> 
-> Another point is to remember that many of these probes may 
-> well result in
-> a FIN condition, so that the RST is superfluous.

I didn't get what you meant on the above sentence.
I have to read more about tcp/ip. :-)

-> 
-> I have not gone to the trouble to use this feature at this time.  One
-> of the difficulties I would have to overcome is that 
-> currently, my sensor
-> has two interfaces, one to a protected net which does not 
-> allow spoofing,
-> the other one that does not allow transmit.  So, you see 
-> trying to send
-> a RST to either one of the members of this scenario would fail.
-> 
-> Sorry to bring up more questions and not be able to 
-> definitely answer
-> your question.

That's ok. With those kinds of questions, it will not just help me
but also others monitoring our thread. :-)

Thanks.

Neil
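The two points Phil raises above (a flexresp RST only goes anywhere if the sensor has a real IP route to the host, and it is superfluous once the flow has already seen a FIN) can be checked mechanically before turning the feature on. The script below is an added example, not code from the thread or from Snort; it models Neil's sensor as drawn in the diagram (xl0 with 192.168.0.1 on the LAN, tl0 stealth on the DMZ) with a constructed routing table. The DMZ prefix 10.1.1.0/24, the server address 10.1.1.20 and the attacker address 203.0.113.5 are assumptions for illustration, as is the choice to route the DMZ prefix out the stealth interface; the response modes rst_snd, rst_rcv and rst_all are the names Snort's flexresp uses for "RST to the sender", "RST to the receiver" and "both directions".

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# --- Constructed model of the sensor in the thread (assumption, not a real config) ---

@dataclass(frozen=True)
class Interface:
    name: str
    address: Optional[str]   # None = stealth interface with no IP; it cannot originate packets

@dataclass(frozen=True)
class Route:
    prefix: str              # e.g. "10.1.1.0/24" or "0.0.0.0/0"
    iface: str

@dataclass
class Flow:
    client: str
    server: str
    flags_seen: List[str] = field(default_factory=list)   # TCP flags per packet, e.g. "SYN/ACK"

SENSOR_IFACES: Dict[str, Interface] = {
    "xl0": Interface("xl0", "192.168.0.1"),   # LAN side, has an address (from the diagram)
    "tl0": Interface("tl0", None),            # DMZ side, stealth (from the diagram)
}

# Hypothetical routing table: the DMZ prefix is a connected route on tl0,
# everything else (including the internet) goes out the LAN side.
SENSOR_ROUTES: List[Route] = [
    Route("10.1.1.0/24", "tl0"),   # constructed DMZ server-farm prefix
    Route("0.0.0.0/0", "xl0"),     # default route via the LAN
]

def egress_interface(dst: str, routes: List[Route], ifaces: Dict[str, Interface]) -> Optional[Interface]:
    """Longest-prefix match, the way the sensor's kernel would pick an outbound interface."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return ifaces[best.iface] if best else None

def can_deliver_rst(dst: str, routes: List[Route] = SENSOR_ROUTES,
                    ifaces: Dict[str, Interface] = SENSOR_IFACES) -> Tuple[bool, str]:
    """A crafted RST can only leave via an interface that has an IP route and an address."""
    iface = egress_interface(dst, routes, ifaces)
    if iface is None:
        return False, "no route"
    if iface.address is None:
        return False, f"route points at stealth interface {iface.name} (no IP address)"
    return True, f"via {iface.name} ({iface.address})"

def flow_is_open(flow: Flow) -> bool:
    """Once either side has sent FIN or RST, a further RST from the sensor changes nothing."""
    for flags in flow.flags_seen:
        parts = flags.split("/")
        if "FIN" in parts or "RST" in parts:
            return False
    return True

def plan_response(flow: Flow, mode: str = "rst_all", routes: List[Route] = SENSOR_ROUTES,
                  ifaces: Dict[str, Interface] = SENSOR_IFACES) -> Dict[str, str]:
    """For each host a flexresp mode would target, say whether a RST is useful and deliverable."""
    targets = {
        "rst_snd": [flow.client],
        "rst_rcv": [flow.server],
        "rst_all": [flow.client, flow.server],
    }[mode]
    plan: Dict[str, str] = {}
    for host in targets:
        if not flow_is_open(flow):
            plan[host] = "superfluous: flow already saw FIN/RST"
            continue
        ok, why = can_deliver_rst(host, routes, ifaces)
        plan[host] = ("send " if ok else "undeliverable: ") + why
    return plan

if __name__ == "__main__":
    # Constructed flows: an attacker on the internet probing the DMZ web server.
    probe_open = Flow("203.0.113.5", "10.1.1.20", ["SYN", "SYN/ACK", "ACK", "PSH/ACK"])
    probe_done = Flow("203.0.113.5", "10.1.1.20", ["SYN", "SYN/ACK", "ACK", "PSH/ACK", "FIN/ACK"])
    for name, f in (("open probe", probe_open), ("finished probe", probe_done)):
        print(name, plan_response(f))
```

Running it shows the thread's conclusion in one place: with this routing table the RST toward the internet host is deliverable via xl0, the RST toward the DMZ server would have to leave the address-less tl0 and cannot, and for a probe whose connection already closed with a FIN both RSTs are pointless regardless of routing.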

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users