-
Notifications
You must be signed in to change notification settings - Fork 43
/
Copy pathREADME.active
170 lines (117 loc) · 5.34 KB
/
README.active
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
Snort 2.9 includes a number of changes to better handle inline operation,
including:
* a single mechanism for all responses
* fully encoded reset or icmp unreachable packets
* updated flexible response rule option
* updated react rule option
* added block and sblock rule actions
These changes are outlined below.
ENABLING ACTIVE RESPONSE
========================
This enables active responses (snort will send TCP RST or ICMP
unreachable/port) when dropping a session.
./configure --enable-active-response
preprocessor stream5_global: \
max_active_responses <max_rsp>, \
min_response_seconds <min_sec>
<max_rsp> ::= (0..25)
<min_sec> ::= (1..300)
Active responses will be encoded based on the triggering packet. TTL will be
set to the value captured at session pickup.
CONFIGURE SNIPING
=================
Configure the number of attempts to land a TCP RST within the session's current
window (so that it is accepted by the receiving TCP). This sequence "strafing"
is really only useful in passive mode. In inline mode the reset is put
straight into the stream in lieu of the triggering packet so strafing is not
necessary.
Each attempt (sent in rapid succession) has a different sequence number. Each
active response will actually cause this number of TCP resets to be sent. TCP
data (sent for react) is multiplied similarly. At most 1 ICMP unreachable is
sent, iff attempts > 0.
./configure --enable-active-response
config response: [device <dev>] [dst_mac <MAC address>] attempts <att>
<dev> ::= ip | eth0 | etc.
<att> ::= (1..20)
<MAC address> ::= nn:nn:nn:nn:nn:nn
(n is a hex number from 0-F)
device ip will perform network layer injection. It is probably a better choice
to specify an interface and avoid kernel routing tables, etc.
dst_mac will change response destination MAC address, if the device is eth0, eth1, eth2 etc.
Otherwise, response destination MAC address is derived from packet.
Example:
config response: device eth0 dst_mac 00:06:76:DD:5F:E3 attempts 2
FLEXRESP CHANGES
================
Flexresp and flexresp2 are replaced with flexresp3.
* Flexresp is deleted; these features are no longer available:
./configure --enable-flexresp
config flexresp: attempts 1
* Flexresp2 is deleted; these features are no longer available:
./configure --enable-flexresp2
config flexresp2_interface: eth0
config flexresp2_attempts: 4
config flexresp2_memcap: 1000000
config flexresp2_rows: 1000
* Flexresp3 is new: the resp rule option keyword is used to configure active
responses for rules that fire.
./configure --enable-flexresp3
alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)
* resp_t includes all flexresp and flexresp2 options:
<resp_t> ::= \
rst_snd | rst_rcv | rst_all | \
reset_source | reset_dest | reset_both | icmp_net | \
icmp_host | icmp_port | icmp_all
REACT CHANGES
=============
react is a rule option keyword that enables sending an HTML page on a session
and then resetting it. This is built with:
./configure --enable-react
The page to be sent can be read from a file:
config react: <block.html>
or else the default is used:
<default_page> ::= \
"HTTP/1.1 403 Forbidden\r\n"
"Connection: close\r\n"
"Content-Type: text/html; charset=utf-8\r\n"
"\r\n"
"<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" \
" \"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n" \
"<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\">\r\n" \
"<head>\r\n" \
"<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n" \
"<title>Access Denied</title>\r\n" \
"</head>\r\n" \
"<body>\r\n" \
"<h1>Access Denied</h1>\r\n" \
"<p>%s</p>\r\n" \
"</body>\r\n" \
"</html>\r\n";
Note that the file must contain the entire response, including any HTTP headers.
In fact, the response isn't strictly limited to HTTP. You could craft a binary
payload of arbitrary content.
When the rule is configured, the page is loaded and the %s is replaced with the
selected message, which defaults to:
<default_msg> ::= \
"You are attempting to access a forbidden site.<br />" \
"Consult your system administrator for details.";
Additional formatting operators beyond a single %s are prohibited, including
%d, %x, %s, as well as any URL encodings such as as %20 (space) that may be
within a reference URL.
This is an example rule:
drop tcp any any -> any $HTTP_PORTS ( \
content: "d"; msg:"Unauthorized Access Prohibited!"; \
react: <react_opts>; sid:4;)
<react_opts> ::= [msg] [, <dep_opts>]
These options are deprecated:
<dep_opts> ::= [block|warn], [proxy <port#>]
The original version sent the web page to one end of the session only if the
other end of the session was port 80 or the optional proxy port. The new
version always sends the page to the client. If no page should be sent, a resp
option can be used instead. The deprecated options are ignored.
RULE ACTION CHANGES
===================
The block and sblock actions have been introduced as synonyms for drop and
sdrop to help avoid confusion between packets dropped due to load (e.g. lack of
available buffers for incoming packets) and packets dropped due to Snort's
analysis.