Snort mailing list archives
Re: More explanation needed in Snort User Manual for "resp:"?
From: "Kristofer T. Karas" <ktk () enterprise bidmc harvard edu>
Date: Thu, 06 Nov 2003 16:58:59 -0500
Jason Haar wrote:
> I've looked at flexresp2, and it allows you to explicitly configure which interface RESET packets are sent through - which is almost there. But this still seems like a bug to me, as I can't think of a reason why you would ever want the packet to leave through anything other than the interface it was seen on!
Because most interfaces used to receive promiscuously-captured packets are set up for passive monitoring: they often span multiple VLANs or trunks, and injecting packets back along the same path would result in a one-to-many problem on the receiving end. For this very reason, most network admins I've talked with literally cut the transmit pair on the network cable to prevent this. For those using a Cisco setup, spanning VLANs to a monitor port makes that port transmit-only. Those that consolidate multiple monitor ports into a single feed to Snort (by way of using a dedicated switch) will have an exacerbated problem when trying to send data back along the consolidated feed.
For these reasons (and the TAP mentioned) I am very grateful that Snort sends flexresp[2] packets via the OS's routing table. After all, you can always add a route to send them out the promiscuous interface if that's what strikes your fancy.
To deal with the NAT issues, just place your promiscuous feed inbound from your NAT box, e.g. in your DMZ. Snort will only see your inside IP addresses, which is, after all, what you really want anyway; there's no point in reporting issues with a shared IP address, as you can't (in general) track that back to a specific post-NAT machine.
Kris
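To make the routing-table point above concrete: the following is an added illustration, not code from the original post or from Snort. It models the longest-prefix-match lookup an OS performs when a locally generated packet (such as a flexresp RST) is sent, and shows that the monitor interface is never chosen unless a route explicitly points at it. The interface names (eth0 for management, eth1 for the promiscuous feed), the prefixes and the addresses are all constructed assumptions.

```python
import ipaddress

# Constructed routing table (assumed, not from the original post).
# Each entry is (destination prefix, egress interface).
# eth0 is the management NIC; eth1 is the promiscuous monitor NIC,
# which by default has no routes at all.
ROUTES_WITHOUT_MONITOR_ROUTE = [
    ("0.0.0.0/0", "eth0"),        # default route via management NIC
    ("192.168.10.0/24", "eth0"),  # management LAN
]


def egress_interface(routes, dst_ip):
    """Longest-prefix match, as an OS routing lookup does.

    Returns the interface a locally generated packet to dst_ip would
    leave on, or None if no route covers the destination.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_iface = None
    best_len = -1
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def with_monitor_route(routes, prefix, iface):
    """Return a copy of the table with an added route, e.g. the
    'add a route to send them out the promiscuous interface' case."""
    return list(routes) + [(prefix, iface)]


def reset_egress(routes, attacker_ip, victim_ip):
    """A resp:rst_all style response sends a RST towards both ends of the
    connection; each RST is routed independently by destination."""
    return {
        "to_attacker": egress_interface(routes, attacker_ip),
        "to_victim": egress_interface(routes, victim_ip),
    }


if __name__ == "__main__":
    # Monitored DMZ is 10.1.0.0/16 (constructed); without a route for it,
    # RSTs leave via the default route on eth0, never on the monitor NIC.
    print(reset_egress(ROUTES_WITHOUT_MONITOR_ROUTE, "172.16.5.1", "10.1.1.5"))
    # After adding a route for the DMZ prefix via eth1, only the RST
    # destined for the DMZ host is steered out the monitor interface.
    routes = with_monitor_route(ROUTES_WITHOUT_MONITOR_ROUTE, "10.1.0.0/16", "eth1")
    print(reset_egress(routes, "172.16.5.1", "10.1.1.5"))
```

Note that adding the route only steers packets whose destination falls inside that prefix; a RST aimed at an external attacker still follows the default route, which is exactly the behaviour the post describes.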
Current thread:
- More explanation needed in Snort User Manual for "resp:"? Jason Haar (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Chris Green (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Jason Haar (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Kristofer T. Karas (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Jason Haar (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Jeff Nathan (Nov 20)
- Re: More explanation needed in Snort User Manual for "resp:"? Matt Kettler (Nov 06)
- Re: More explanation needed in Snort User Manual for "resp:"? Chris Green (Nov 06)
