Snort mailing list archives

How to use react under IPS mode correctly?


From: Hsuan-Yi Sung <newdominic () gmail com>
Date: Thu, 4 May 2017 10:02:57 +0800

Hi,

I'm running Snort 2.9.8.3 on FreeBSD 10.3-RELEASE, under inline mode with
daq-ipfw.

I've been trying to use the "react" keyword in my rules to send a fake
response page to the client.
At first, I tried the rules below:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; react:msg;
sid:1002; rev:001;)

The client can't even make a successful handshake with the destination IP.
After doing some research on sp_react.c (and some googling), I guess this
must be triggered only after the connection is established. So I added the
"flow" keyword:

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
flow:established,from_client; react:msg; sid:1002; rev:001;)

By using tcpdump, I can see the connection established, and also the HTTP GET
request packet.
But the forged response is still not showing.

So I dug deeper, and found that in spp_stream6.c,

static void StreamDropPacket( Packet *p ) {
...
...
    if (!(p->packet_flags & PKT_STATELESS))
        session_api->drop_traffic(p, p->ssnptr, SSN_DIR_BOTH);
}

The drop_traffic function caused all the injected packets to be blocked.
Finally, I switched the parameter of "flow" to "stateless":

alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET";
flow:stateless; react:msg; sid:1002; rev:001;)

Now I can see the fake response page and connection reset packets.

Not sure if I misunderstood the code or not, but is this the right way to use
"react" under inline mode?
Do I have to treat the HTTP packet as stateless?
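As an added example (not part of the original post and not Snort's own code): a small Python lint that parses Snort 2.x rule text and flags any rule carrying "react" that does not also carry "flow:stateless". It encodes the observation in the message above (the forged response only appeared once the rule used flow:stateless under inline mode) as a hypothesis worth testing in a lab, not as documented Snort behaviour; the finding strings, the parser and the function names are my own. The sample rules are the three variants quoted in the message.

```python
"""Lint Snort 2.x rules that use "react" for use under inline mode.

Added example, not from the Snort project or the original post. The
"needs flow:stateless" finding is an assumption based on the poster's test
with daq-ipfw (Stream's drop_traffic() also discarded the injected response
unless the packet was stateless); treat it as a prompt to verify, not as a
statement of Snort's documented behaviour.
"""
import re

# Header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

MSG_NEEDS_STATELESS = (
    "react without flow:stateless: under inline mode Stream may drop the "
    "injected response together with the session (assumption from the poster's test)"
)
MSG_TCP_ONLY = "react injects an HTTP response over TCP; the rule protocol should be tcp"

# Constructed sample: the three rule variants from the message.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; react:msg; '
    'sid:1002; rev:001;)',
    'alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; '
    'flow:established,from_client; react:msg; sid:1002; rev:001;)',
    'alert tcp $HOME_NET any -> $MAL_IP 80 (msg:"BAD"; content:"GET"; '
    'flow:stateless; react:msg; sid:1002; rev:001;)',
]


def split_options(opts):
    """Split the option body on ';' while respecting double-quoted values
    (e.g. content:"a;b") and backslash escapes inside quotes."""
    parts, buf, in_quote, esc = [], [], False, False
    for ch in opts:
        if esc:
            buf.append(ch)
            esc = False
        elif ch == "\\" and in_quote:
            buf.append(ch)
            esc = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text):
    """Return a dict with the header fields and a list of (key, value) options,
    or None if the text does not look like a Snort rule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        return None
    rule = m.groupdict()
    options = []
    for opt in split_options(rule.pop("opts")):
        key, _, val = opt.partition(":")
        options.append((key.strip().lower(), val.strip()))
    rule["options"] = options
    return rule


def lint_react_rule(text):
    """Return a list of finding strings for one rule; an empty list means OK."""
    rule = parse_rule(text)
    if rule is None:
        return ["unparseable rule"]
    keys = {k for k, _ in rule["options"]}
    if "react" not in keys:
        return []  # nothing to check: the rule does not inject a response
    findings = []
    flow_values = [v for k, v in rule["options"] if k == "flow"]
    flow_flags = {f.strip().lower() for v in flow_values for f in v.split(",")}
    if "stateless" not in flow_flags:
        findings.append(MSG_NEEDS_STATELESS)
    if rule["proto"].lower() != "tcp":
        findings.append(MSG_TCP_ONLY)
    return findings


def lint_rules(rules):
    """Lint a list of rule strings; returns [(index, findings)] for rules with findings."""
    return [(i, f) for i, r in enumerate(rules) if (f := lint_react_rule(r))]


if __name__ == "__main__":
    for idx, findings in lint_rules(SAMPLE_RULES):
        print(f"rule {idx}:")
        for f in findings:
            print(f"  - {f}")
```

Run against the three rules above, only the first two (no flow option, and flow:established,from_client) are flagged; the flow:stateless variant passes. The parser deliberately tolerates rules split across lines, since that is how they appear when pasted into mail.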