Re: snort does not send active response in passive mode

[Anton <warm () stack ru>]

Ohh ... No :-)

I have just found my lost packets. Snort sends this packets but they are tagged and src_mac is taken from session.
Documentation says that Snort should produce in active response packets the same like it sees them -- my mirror has
tagged traffic and snort produces tagged packets in active responce. That is why I did not see packets in tcpdump - 
it was necessary to set a 'vlan and ...' in the tcpdump filter.

I would like to generate RST packets and _route_ them to the network. So I need:

 - to remove tag 802.1q. This can be done by removing tags in the mirror -- this is bad for our monitoring system. Is
   any other way to generate un-tagged responses ?

 - to send frames with src_mac other then received in mirror. This is bad idea to send frames to L3 switch with spoofed
   src_mac. Now I get src_mac = L3_switch_MAC. At this time this frames does not get into network due tags but when
   tags will be removed I will get another problem with mac-address table :-). Is any way to solve this potential
   problem with the same mac-address in two different places in switched network ?

... the first thing that comes to mind is to set up software bridge with the same tags and route active responses
through this bridge. But this is ugly solution :-).


On Fri, 20 Sep 2013 12:02:22 +0700
Anton <warm () stack ru> wrote:

> Hmm ... 
>
> "--daq dump" with commented out string "config response ..." produces inline-out.pcap with [RST,ACK]. I tried to write
> dump with out running snort and did my test - there was no any RST in this case -- snort works and wants to produce
> RST packet but RST for some reason does not leave snort host.
>
> What can be wrong with "config response: device eth4 dst_mac 00:1a:30:62:7c:40" ?
>
> May be there are some non-obvious requirements to the system running snort for active response to work ?
>
> I mean kernel version or network card or some thing else. I use Linux kernel 2.6.16.16 -- yes, this is very old
> machine and I can not upgrade it without significant reason. Can the old kernel be the reason why active response
> does not send packets ?
>
> And also ethernet driver is old too:
>
> # ethtool -i eth4
> driver: e1000
> version: 6.3.9-k4-NAPI
> firmware-version: N/A
> bus-info: 0000:05:03.0
>
> ... all the software on this machine is old :-). I only compile new versions of needful software like snort, tcpdump,
> nmap.
>
> What is the most likely cause of active response does not sends packets ?
>
>
>
> On Fri, 20 Sep 2013 01:25:05 +0700
> Russ Combs <rcombs () sourcefire com> wrote:
>
> > You can start by using the dump DAQ to see that you are alerting and generating responses.  Comment out the "config
> > response" line and add "--daq dump" to your Snort command line.  Then do your test and check that the resulting
> > inline-out.pcap has your response(s) as expected.
> >
> > If that is working, it is a matter of getting your config response to work correctly.
> >
> > Hope that helps.
> > Russ
> >
> >
> > On Thu, Sep 19, 2013 at 4:07 AM, Anton <warm () stack ru> wrote:
> > Good day.
> >
> > I'm trying to set up snort with active response in passive mode. Here is my setup:
> >
> >
> > [switch port with mirrored 802.1q traffic]===[eth0 used for monitoring only]-[PC with snort]-[eth4 used for
> > management and has network access]===[network]
> >
> > So, I have compiled snort-2.9.5.5 with
> >
> > ./configure \
> >   --prefix=/usr \
> >   --sysconfdir=/etc \
> >   --mandir=/usr/man \
> >   --localstatedir=/var \
> >   --enable-pthread \
> >   --enable-linux-smp-stats \
> >   --enable-zlib \
> >   --enable-active-response --enable-react --enable-flexresp3
> >
> >
> > I've read instructions from README.active
> >
> > preprocessor stream5_global: \
> >    track_tcp yes, \
> >    track_udp no, \
> >    track_icmp no, \
> >    max_tcp 262144, \
> >    max_udp 131072, \
> >    max_active_responses 4, \
> >    min_response_seconds 2
> >
> > ...
> > # this was not required but I select only 80 port for better performance.
> > preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
> >    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
> >     ports server \
> >         80 \
> >         , \
> >     ports both 80 3128 \
> >         8080
> > ...
> >
> > config response: device eth4 dst_mac 00:1a:30:62:7c:40 attempts 2 # this is MAC of the default gateway
> >
> >
> > I have test rule:
> >
> > drop tcp any any -> any 80 (msg:"TEST0";\
> >         content:"TEST0";\
> >         resp:reset_source;\
> >         sid:1;)
> >
> > I start snort like this:
> >
> > snort   -q \
> >         --daq-var buffer_size_mb=128MB \
> >         --treat-drop-as-alert \
> >         -n 10000000 \
> >         -i eth0 \
> >         -l /var/log/snort \
> >         -K none \
> >         -c /etc/snort/snort.conf \
> >         -A console \
> >         -F 'bpf-file'
> >
> > bpf-file contains filter for test machine only. It looks like "vlan and host X.X.X.65". vlan because it selects
> > 802.1q frames.
> >
> > I start snort then I do "telnet somehost 80"  and print TEST0. Somehost prints HTML page:
> >
> > <html>
> > <head><title>400 Bad Request</title></head>
> > <body bgcolor="white">
> > <center><h1>400 Bad Request</h1></center>
> > <hr><center>nginx</center>
> > </body>
> > </html>
> >
> > and closes connection. Snort does not send anything but it writes alert messages to the console - snort can see
> > traffic described in rule. I tried to start "tcpdump -ni eth4 'host X.X.X.65'" on snort machine - it does not send
> > anything to X.X.X.65 at all.
> >
> > Active response can be workable or can be unworkable but snort should send some reset packets to X.X.X.65 but is
> > does not.
> >
> > How to find out the reason on which snort does not send rst (or other) packets ? If snort in passive mode should not
> > send any active response - why ? Documentation says that it should send rst in passive mode.
> >
> > "Configure the number of attempts to land a TCP RST within the session's current window (so that it is accepted by
> > the receiving TCP). This sequence "strafing" is really only useful in passive mode." - from documentation
> > (http://manual.snort.org/node26.html).
> >
> > ------------------------------------------------------------------------------
> > LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
> > 1,500&#43; hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
> > 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
> > Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
> > http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> -- 
> Anton [WARM-RIPE]
> MT NOC division head
> tel. 8 (3822) 555-797
>
> ------------------------------------------------------------------------------
> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. 
> http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


-- 
Anton [WARM-RIPE]
MT NOC division head
tel. 8 (3822) 555-797

------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. 
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!