Those of you running Snort_inline in bridge-mode are stuck with dropping bad
traffic, while we, the cool NAT-dudes, can use resets as well. William
decided that this needed to be changed, so we've written a patch for this.
The attached patch will add layer2 resets to Snort_inline. Before you all
start to cheer two important notes:
1. currently it only works on Linux/Iptables. It should be fairly easy to
support IPFW as well, and if someone wants to work on this, we will support
you where we can.
2. Iptables gives us only the source MAC address of a packet. This means that
we cannot just use the destination mac from the packet as the source mac of
Implications? Two again:
A. If an attacker can see the MAC address of the reset packet, he will notice
that it didn't come from the box he was communicating with. _And_ he will get
the mac of your (stealthy) Snort_inline box.
B. If you have a switch that has fixed ip/mac combinations, our packets will
So we added an option to the config file where you can supply the MAC address
snort_inline should use to send resets. This will not solve issue B, but will
at least keep the MAC address of the snort_inline box secret.
Layer2 resets are off by default, and can be enabled by an option in the
tells snort_inline to use layer2 resets and uses the mac address of the bridge
as the source mac in the packet.
config layer2resets: 00:06:76:DD:5F:E3
will tell snort_inline to use layer2 resets and uses the src mac of
00:06:76:DD:5F:E3 in the reset packet.
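To make the two forms of the option and their effect on the reset frame concrete, here is a small added example (my own code, not part of William's patch or of Snort_inline) that parses a "config layer2resets" line and builds the 14-byte Ethernet header of the reset frame from the offending packet's source MAC. It assumes a hypothetical bridge MAC and offending MAC, both constructed for the example, and it only shows the Ethernet header; the IP/TCP part of the reset is not covered here.

```python
import re
import struct

ETHERTYPE_IPV4 = 0x0800
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_layer2resets(line):
    """Parse one config line.

    Returns None when the line is not the layer2resets option,
    "bridge" when the option is given without a MAC (the patch then
    uses the bridge's own MAC), or the normalised MAC string.
    """
    m = re.match(r"^\s*config\s+layer2resets\s*(?::\s*(\S+))?\s*$", line)
    if not m:
        return None
    mac = m.group(1)
    if mac is None:
        return "bridge"
    if not MAC_RE.match(mac):
        raise ValueError("layer2resets: invalid MAC address %r" % mac)
    return mac.lower()


def mac_to_bytes(mac):
    """'00:06:76:dd:5f:e3' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_reset_ethernet_header(offending_src_mac, config_value, bridge_mac):
    """Build the Ethernet header of the layer2 reset frame.

    Iptables only hands us the source MAC of the offending packet, so the
    reset is sent back to that MAC. The source MAC of the reset is either
    the bridge's own MAC (option without argument) or the configured one.
    """
    src = bridge_mac if config_value == "bridge" else config_value
    return (mac_to_bytes(offending_src_mac)
            + mac_to_bytes(src)
            + struct.pack("!H", ETHERTYPE_IPV4))


def reset_discloses_sensor(header, bridge_mac):
    """True when the reset frame carries the sensor's own MAC as source,
    i.e. issue A from the mail: the sensor's MAC is visible on the wire."""
    return header[6:12] == mac_to_bytes(bridge_mac)


if __name__ == "__main__":
    # Constructed sample values (not real hosts).
    bridge_mac = "00:aa:bb:cc:dd:ee"      # hypothetical MAC of the snort_inline bridge
    attacker_mac = "00:11:22:33:44:55"    # source MAC of the offending packet
    for cfg in ("config layer2resets",
                "config layer2resets: 00:06:76:DD:5F:E3"):
        value = parse_layer2resets(cfg)
        hdr = build_reset_ethernet_header(attacker_mac, value, bridge_mac)
        print(cfg, "->", hdr.hex(), "discloses sensor:",
              reset_discloses_sensor(hdr, bridge_mac))
```

The first form leaks the bridge MAC in every reset; the second form uses the supplied MAC instead, which is exactly the mitigation for issue A described above (and, as noted, does nothing for issue B).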
So with those remarks in mind, please start testing the resets. The credits
for the patch go to William, as he did the bulk of the work! All hail
We will be very happy to answer your questions!