
#4 layer2 resets a.k.a. Reject in Bridge-mode

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2007-06-07
Created: 2004-09-02
Private: No

Those of you running Snort_inline in bridge-mode are stuck with
dropping bad traffic, while we, the cool NAT-dudes, can use
resets as well. William decided that this needed to be changed,
so we've written a patch for this.

The attached patch will add layer2 resets to Snort_inline. Before
you all start to cheer, two important notes:

1. currently it only works on Linux/Iptables. It should be fairly
easy to support IPFW as well, and if someone wants to work on
this, we will support you where we can.

2. Iptables gives us only the source MAC address of a packet.
This means that we cannot just use the destination MAC from the
packet as the source MAC of the reset packet.

Implications? Two again:

A. If an attacker can see the MAC address of the reset packet, he
will notice that it didn't come from the box he was communicating
with. _And_ he will get the MAC of your (stealthy) Snort_inline
box.

B. If you have a switch that has fixed IP/MAC combinations, our
packets will be dropped.

So we added an option to the config file where you can supply the
MAC address snort_inline should use to send resets. This will not
solve issue B, but will at least keep the MAC address of the
snort_inline box secret.

Layer2 resets are off by default, and can be enabled by an
option in the config file:

config layer2resets

tells snort_inline to use layer2 resets and to use the MAC address of
the bridge as the source MAC in the packet.

config layer2resets: 00:06:76:DD:5F:E3

will tell snort_inline to use layer2 resets and to use the source MAC
00:06:76:DD:5F:E3 in the reset packet.

So with those remarks in mind, please start testing the resets.
The credits for the patch go to William, as he did the bulk of the
work! All hail William! :-)

We will be very happy to answer your questions!

Regards,
Victor
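The following is an added example and not code from the patch or from Snort_inline. It shows, in Python, what a layer-2 reset built under the constraint described above looks like (the sender's MAC is the only MAC available, so it becomes the Ethernet destination and the Ethernet source is whatever was configured), how the two `config layer2resets` forms map onto that source MAC, and what implication A looks like from the attacker's side: a RST whose source MAC is not the peer's MAC gives away the inline box. The config parser, the RST sequencing rule (seq = the offender's ACK, ack = its SEQ plus data) and the sample frame are all constructed here, not taken from the project.

```python
"""Added example, not Snort_inline code: build the layer-2 RST an inline
bridge sends back, map the two config forms from the post onto a source MAC,
and show what implication A looks like from the attacker's side.
The packet layout, sequencing rules and sample frame are constructed here."""
import struct

def parse_mac(text):
    """'00:06:76:DD:5F:E3' -> 6 raw bytes."""
    parts = text.strip().split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %r" % text)
    return bytes(int(p, 16) for p in parts)

def parse_layer2resets_option(line, bridge_mac):
    """Assumed parser for the two config forms in the post:
    'config layer2resets' -> the bridge's own MAC,
    'config layer2resets: <mac>' -> the supplied MAC. None if not this option."""
    key = "config layer2resets"
    line = line.strip()
    if not line.startswith(key):
        return None
    rest = line[len(key):].strip()
    if not rest:
        return bridge_mac
    if not rest.startswith(":"):
        raise ValueError("expected ': <mac>' after %s" % key)
    return parse_mac(rest[1:])

def checksum(data):
    """RFC 1071 one's-complement sum; returns 0 over a correctly checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(frame):
    """Fields we need from an Ethernet/IPv4/TCP frame (IP options skipped via IHL)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("IPv4 frames only")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("TCP only")
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"dst_mac": frame[:6], "src_mac": frame[6:12],
            "src_ip": ip[12:16], "dst_ip": ip[16:20],
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF,
            "payload_len": len(tcp) - (off_flags >> 12) * 4}

SYN, FIN, ACK, RST_ACK = 0x02, 0x01, 0x10, 0x14

def build_layer2_reset(frame, reset_src_mac):
    """RST back to the sender of `frame`. Only the sender's MAC is known
    (iptables exposes just the source MAC, per the post), so it becomes the
    Ethernet destination; the Ethernet source is whatever was configured.
    Sequenced so the sender's stack accepts it: seq = its ACK, ack = its SEQ
    plus data, with SYN and FIN each counting as one byte."""
    p = parse_frame(frame)
    rst_seq = p["ack"] if p["flags"] & ACK else 0
    rst_ack = (p["seq"] + p["payload_len"] + int(bool(p["flags"] & SYN))
               + int(bool(p["flags"] & FIN))) & 0xFFFFFFFF
    tcp_hdr = struct.pack("!HHIIHHHH", p["dport"], p["sport"], rst_seq, rst_ack,
                          (5 << 12) | RST_ACK, 0, 0, 0)
    pseudo = p["dst_ip"] + p["src_ip"] + struct.pack("!BBH", 0, 6, len(tcp_hdr))
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr), 0, 0x4000,
                         64, 6, 0, p["dst_ip"], p["src_ip"])
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return p["src_mac"] + reset_src_mac + b"\x08\x00" + ip_hdr + tcp_hdr

def reset_reveals_inline_box(offending_frame, reset_frame):
    """Implication A, seen by the attacker: the peer it addressed owns the
    offending frame's destination MAC, so a RST from any other MAC did not
    come from that peer, and that other MAC belongs to the inline box (or is
    whatever the operator configured)."""
    return reset_frame[6:12] != offending_frame[:6]

# Constructed sample: attacker 10.0.0.2 sends an HTTP request to server 10.0.0.1.
SAMPLE_PAYLOAD = b"GET /cgi-bin/bad HTTP/1.0\r\n\r\n"
ATTACKER_MAC = parse_mac("00:11:22:33:44:55")
SERVER_MAC = parse_mac("00:aa:bb:cc:dd:ee")

def build_sample_frame():
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 5000, (5 << 12) | 0x18,
                      8192, 0, 0) + SAMPLE_PAYLOAD
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return SERVER_MAC + ATTACKER_MAC + b"\x08\x00" + ip + tcp

if __name__ == "__main__":
    bridge = parse_layer2resets_option("config layer2resets: 00:06:76:DD:5F:E3", b"\0" * 6)
    rst = build_layer2_reset(build_sample_frame(), bridge)
    print("reset src MAC reveals a third box:",
          reset_reveals_inline_box(build_sample_frame(), rst))
```

With the bridge MAC (or a configured one) as Ethernet source, `reset_reveals_inline_box` is true for every reset the bridge sends, which is exactly what the post warns about in point A; only passing the peer's own MAC would make it false, and that is the value iptables does not hand over. The example builds just the RST towards the offender; the one towards the other endpoint is the same construction with the roles swapped.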

Discussion

  • Victor Julien

    Victor Julien - 2004-09-02

    the patch

  • Victor Julien

    Victor Julien - 2007-06-07
    • status: open --> closed
