From: Victor J. <vi...@nk...> - 2004-09-02 13:59:37
Hi List,

Those of you running Snort_inline in bridge mode are stuck with dropping bad traffic, while we, the cool NAT-dudes, can use resets as well. William decided that this needed to be changed, so we've written a patch for this. The attached patch will add layer2 resets to Snort_inline.

Before you all start to cheer, two important notes:

1. Currently it only works on Linux/iptables. It should be fairly easy to support IPFW as well, and if someone wants to work on this, we will support you where we can.

2. Iptables gives us only the source MAC address of a packet. This means that we cannot just use the destination MAC from the packet as the source MAC of the reset packet. Implications? Two again:

   A. If an attacker can see the MAC address of the reset packet, he will notice that it didn't come from the box he was communicating with. _And_ he will get the MAC of your (stealthy) Snort_inline box.

   B. If you have a switch that has fixed IP/MAC combinations, our packets will be dropped.

So we added an option to the config file where you can supply the MAC address snort_inline should use to send resets. This will not solve issue B, but will at least keep the MAC address of the snort_inline box secret.

Layer2 resets are off by default, and can be enabled by an option in the config file:

    config layer2resets

tells snort_inline to use layer2 resets and uses the MAC address of the bridge as the source MAC in the packet.

    config layer2resets: 00:06:76:DD:5F:E3

will tell snort_inline to use layer2 resets and uses the src MAC of 00:06:76:DD:5F:E3 in the reset packet.

So with those remarks in mind, please start testing the resets. The credits for the patch go to William, as he did the bulk of the work! All hail William! :-)

We will be very happy to answer your questions!

Regards,
Victor
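The frame construction Victor describes, as an added example that is not part of his post and not the Snort_inline patch itself: the reset is addressed at layer 2 to the offending packet's source MAC (the only MAC iptables hands over) and carries a caller-chosen source MAC in place of the victim's, which is exactly why a switch with fixed IP/MAC pairs (his point B) will discard it. The MACs, IPs and the "offending" HTTP request are constructed sample data; the sequence-number policy (SEQ=SEG.ACK with no ACK flag when the offender set ACK, otherwise SEQ=0 and ACK=SEG.SEQ+SEG.LEN with RST|ACK) is the RFC 793 rule, assumed here because the post does not say which policy the patch uses. The code only builds and verifies the bytes; putting them on the wire would need an AF_PACKET raw socket and root, which is deliberately left out.

```python
"""Added example: build a layer-2 TCP reset from an offending frame using only
its source MAC plus a configured reset MAC. Illustrative, not Snort_inline code."""
import struct

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    """'00:06:76:DD:5F:E3' (the post's config notation) -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """TCP segment with no options; checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    seg = hdr + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return seg[:16] + struct.pack("!H", inet_checksum(pseudo + seg)) + seg[18:]


def build_ipv4(src_ip, dst_ip, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, IPPROTO_TCP, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_frame(eth_dst, eth_src, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    tcp = build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload)
    return eth_dst + eth_src + struct.pack("!H", ETH_IPV4) + build_ipv4(src_ip, dst_ip, tcp)


def parse_frame(frame: bytes) -> dict:
    """Fields a reset needs from an Ethernet/IPv4/TCP frame (IP options skipped via IHL)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = off_flags & 0x01FF
    # SEG.LEN counts payload bytes plus one each for SYN and FIN (RFC 793).
    seg_len = len(tcp) - (off_flags >> 12) * 4 + bool(flags & TCP_SYN) + bool(flags & TCP_FIN)
    return {"eth_dst": frame[:6], "eth_src": frame[6:12],
            "src_ip": ip[12:16], "dst_ip": ip[16:20],
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "seg_len": seg_len}


def checksums_ok(frame: bytes) -> bool:
    """True when both the IPv4 header and the TCP segment verify."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return inet_checksum(ip[:ihl]) == 0 and inet_checksum(pseudo + tcp) == 0


def build_layer2_reset(offending: bytes, reset_src_mac: str) -> bytes:
    """Reset sent back towards the offender, impersonating the victim at L3/L4."""
    p = parse_frame(offending)
    if p["flags"] & TCP_RST:
        raise ValueError("never answer a RST with a RST")
    # RFC 793 3.4: with ACK set the reset is SEQ=SEG.ACK and carries no ACK;
    # otherwise SEQ=0, ACK=SEG.SEQ+SEG.LEN, flags RST|ACK.
    if p["flags"] & TCP_ACK:
        seq, ack, flags = p["ack"], 0, TCP_RST
    else:
        seq, ack, flags = 0, (p["seq"] + p["seg_len"]) & 0xFFFFFFFF, TCP_RST | TCP_ACK
    # L2: destination = offender's source MAC (the only MAC iptables gives us);
    # source = the configured MAC, so the bridge's own MAC never shows on the wire.
    return build_frame(p["eth_src"], mac_bytes(reset_src_mac),
                       p["dst_ip"], p["src_ip"], p["dport"], p["sport"], seq, ack, flags)


# Constructed sample traffic (not a real capture): attacker 10.0.0.5 -> victim 192.0.2.10:80.
ATTACKER_MAC, VICTIM_MAC = mac_bytes("00:11:22:33:44:55"), mac_bytes("66:77:88:99:AA:BB")
ATTACKER_IP, VICTIM_IP = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
RESET_MAC = "00:06:76:DD:5F:E3"  # the value from the post's config example
OFFENDING = build_frame(VICTIM_MAC, ATTACKER_MAC, ATTACKER_IP, VICTIM_IP, 40000, 80,
                        1000, 5000, TCP_PSH | TCP_ACK, b"GET /cgi-bin/bad HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    rst = build_layer2_reset(OFFENDING, RESET_MAC)
    print(parse_frame(rst), checksums_ok(rst))
```

Parsing the result back shows the asymmetry the post warns about: the reset's destination MAC is the attacker's, but its source MAC is whatever was configured rather than the victim's `66:77:88:99:AA:BB`, which is what a port-security switch compares against and what an attacker sniffing the wire can notice.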