2.11 Active Response

Snort 2.9 includes a number of changes to better handle inline operation, including:

These changes are outlined below.

2.11.1 Enabling Active Response

This enables active responses: when dropping a session, Snort sends a TCP RST or an ICMP port unreachable.


Active responses will be encoded based on the triggering packet. TTL will be set to the value captured at session pickup.

2.11.2 Configure Sniping

Configure the number of attempts to land a TCP RST within the session's current window (so that it is accepted by the receiving TCP). This sequence "strafing" is really only useful in passive mode. In inline mode the reset is put straight into the stream in lieu of the triggering packet, so strafing is not necessary.

Each attempt (sent in rapid succession) has a different sequence number. Each active response will actually cause this number of TCP resets to be sent. TCP data (sent for react) is multiplied similarly. At most 1 ICMP unreachable is sent, if and only if attempts > 0.


Setting device to ip performs network-layer injection. Specifying an interface is usually the better choice, since it avoids the kernel routing tables, etc.

dst_mac changes the response destination MAC address if the device is an interface such as eth0, eth1, eth2, etc. Otherwise, the response destination MAC address is derived from the triggering packet. Example:



2.11.3 Flexresp

Flexresp and flexresp2 are replaced with flexresp3.

* Flexresp is deleted; these features are no longer available:


* Flexresp2 is deleted; these features are deprecated, non-functional, and will be deleted in a future release:


* Flexresp3 is new: the resp rule option keyword is used to configure active responses for rules that fire.


* resp_t includes all flexresp and flexresp2 options:



2.11.4 React

react is a rule option keyword that enables sending an HTML page on a session and then resetting it. This is built with:


The page to be sent can be read from a file:


or else the default is used:


Note that the file must contain the entire response, including any HTTP headers. In fact, the response isn't strictly limited to HTTP. You could craft a binary payload of arbitrary content.

Be aware of size when creating such responses. While it may be possible to respond with arbitrarily large responses, responses for TCP sessions will need to take into account that the receiver's window may only accept up to a certain amount of data. Sending past this limit will result in truncated data. In general, the smaller the response, the more likely it will be successful.
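As an added check (not part of Snort or its manual), the following script validates a candidate react page file against the two caveats above: it must be a complete HTTP response with headers, and it should fit the receiver's window. The 8192-byte window is an assumed placeholder, not a Snort setting, and the sample page is constructed here.

```python
"""Sanity-check a react page before pointing 'config react:' at it.

Snort sends the file's bytes verbatim, so the file must be a complete
response (status line, headers, blank line, body); bytes beyond the
receiver's window are truncated, so size matters. Added helper, not Snort code.
"""
import re
import sys

# Constructed sample: a complete HTTP 403 response such as a react page might hold.
SAMPLE_PAGE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 58\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>Access denied by policy</h1></body></html>"
)


def check_react_page(page: bytes, window: int = 8192) -> dict:
    """Return {'ok', 'size', 'problems'} for a candidate react page.

    `window` is an assumed receiver window in bytes (placeholder value);
    a response larger than it would be truncated on the wire.
    """
    problems = []
    head, sep, body = page.partition(b"\r\n\r\n")
    if not sep:
        problems.append("no blank line separating headers from body")
        head, body = page, b""
    lines = head.split(b"\r\n")
    if not re.match(rb"^HTTP/1\.[01] \d{3} ", lines[0]):
        problems.append("first line is not an HTTP status line")
    headers = {}
    for raw in lines[1:]:
        name, _, value = raw.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers:
        declared = headers[b"content-length"]
        declared = int(declared) if declared.isdigit() else -1
        if declared != len(body):
            problems.append(f"Content-Length {declared} != body length {len(body)}")
    if len(page) > window:
        problems.append(f"{len(page)} bytes exceeds window {window}; tail would be truncated")
    return {"ok": not problems, "size": len(page), "problems": problems}


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PAGE
    print(check_react_page(data))
```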

When the rule is configured, the page is loaded and the 102 selected message, which defaults to:


Additional formatting operators beyond a single 103 within a reference URL.

This is an example rule:


These options are deprecated:


The original version sent the web page to one end of the session only if the other end of the session was port 80 or the optional proxy port. The new version always sends the page to the client. If no page should be sent, a resp option can be used instead. The deprecated options are ignored.

2.11.5 Rule Actions

The block and sblock actions have been introduced as synonyms for drop and sdrop to help avoid confusion between packets dropped due to load (e.g. lack of available buffers for incoming packets) and packets blocked due to Snort's analysis.