[Snort-inline-users] [ANNOUNCE/PATCH] layer2 resets a.k.a. Reject in Bridge-mode

[Victor J. <vi...@nk...>]

Hi List,

Those of you running Snort_inline in bridge-mode are stuck with dropping bad 
traffic, while we, the cool NAT-dudes, can use resets as well. William 
decided that this needed to be changed, so we've written a patch for this.

The attached patch will add layer2 resets to Snort_inline. Before you all 
start to cheer two important notes:

1. currently it only works on Linux/Iptables. It should be fairly easy to 
support IPFW as well, and if someone wants to work on this, we will support 
you where we can.

2. Iptables gives us only the source-macaddress of a packet. This means that 
we cannot just use the destination mac from the packet as the source mac of 
the reset-packet. 
Implications? Two again:

A. If an attacker can see the macaddress of the reset-packet, he will notice             
that it didn't came from the box he was communicating with. _And_ he will get  
the mac of your (stealthy) Snort_inline box.

B. If you have a switch that has fixed ip/mac combinations, our packets will 
be dropped.

So we added an option to the configfile where you can supply the macaddress 
snort_inline should use to send resets. This will not solve issue B, but will 
at least keep the macaddress of the snort_inline box secret.

Layer2 resets are off by default, and can be enabled by an option in the 
configfile:

config layer2resets

tells snort_inline to use layer2 rests and uses the mac address of the bridge 
as the source mac in the packet.

config layer2resets: 00:06:76:DD:5F:E3

will tell snort_inline to use layer2 resets and uses the src mac of 
00:06:76:DD:5F:E3 in the reset packet.

So with those remarks in mind, please start testing the resets. The credits 
for the patch go to William, as he did the bulk of the work! All hail 
William! :-)

We will be very happy to answer your questions!

Regards,
Victor