2.11 Active Response

Snort 2.9 includes a number of changes to better handle inline operation, including:

These changes are outlined below.

2.11.1 Enabling Active Response

This enables active responses (snort will send TCP RST or ICMP unreachable/port) when dropping a session.

    ./configure --enable-active-response / -DACTIVE_RESPONSE

    preprocessor stream5_global: \
        max_active_responses <max_rsp>, \
        min_response_seconds <min_sec> 

    <max_rsp> ::= (0..25)
    <min_sec> ::= (1..300)

Active responses will be encoded based on the triggering packet. TTL will be set to the value captured at session pickup.

2.11.2 Configure Sniping

Configure the number of attempts to land a TCP RST within the session's current window (so that it is accepted by the receiving TCP). This sequence "strafing" is really only useful in passive mode. In inline mode the reset is put straight into the stream in lieu of the triggering packet so strafing is not necessary.

Each attempt (sent in rapid succession) has a different sequence number. Each active response will actually cause this number of TCP resets to be sent. TCP data (sent for react) is multiplied similarly. At most 1 ICMP unreachable is sent, if and only if attempts 3#3 0.

    ./configure --enable-active-response

    config response: [device <dev>] [dst_mac <MAC address>] attempts <att>

    <dev> ::= ip | eth0 | etc.
    <att> ::= (1..20)
    <MAC address> ::= nn:nn:nn:nn:nn:nn    
     (n is a hex number from 0-F)

device ip will perform network layer injection. It is probably a better choice to specify an interface and avoid kernel routing tables, etc.

dst_mac will change response destination MAC address, if the device is eth0, eth1, eth2 etc. Otherwise, response destination MAC address is derived from packet. Example:

    config response: device eth0 dst_mac 00:06:76:DD:5F:E3 attempts 2

2.11.3 Flexresp

Flexresp and flexresp2 are replaced with flexresp3.

* Flexresp is deleted; these features are no longer available:

    ./configure --enable-flexresp / -DENABLE_RESPOND -DENABLE_RESPONSE
    config flexresp: attempts 1

* Flexresp2 is deleted; these features are deprecated, non-functional, and will be deleted in a future release:

    ./configure --enable-flexresp2 / -DENABLE_RESPOND -DENABLE_RESPONSE2

    config flexresp2_interface: eth0
    config flexresp2_attempts: 4
    config flexresp2_memcap: 1000000
    config flexresp2_rows: 1000

* Flexresp3 is new: the resp rule option keyword is used to configure active responses for rules that fire.

    ./configure --enable-flexresp3 / -DENABLE_RESPOND -DENABLE_RESPONSE3

    alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)

* resp_t includes all flexresp and flexresp2 options:

    <resp_t> ::= \
        rst_snd | rst_rcv | rst_all | \
        reset_source | reset_dest | reset_both | icmp_net | \
        icmp_host | icmp_port | icmp_all

2.11.4 React

react is a rule option keyword that enables sending an HTML page on a session and then resetting it. This is built with:

    ./configure --enable-react / -DENABLE_REACT

The page to be sent can be read from a file:

    config react: <block.html>

or else the default is used:

    <default_page> ::= \
        "HTTP/1.1 403 Forbidden\r\n"
        "Connection: close\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\"\r\n" \
        "    \"\">\r\n" \
        "<html xmlns=\"\" xml:lang=\"en\">\r\n" \
        "<head>\r\n" \
        "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\r\n" \
        "<title>Access Denied</title>\r\n" \
        "</head>\r\n" \
        "<body>\r\n" \
        "<h1>Access Denied</h1>\r\n" \
        "<p>%s</p>\r\n" \
        "</body>\r\n" \

Note that the file must contain the entire response, including any HTTP headers. In fact, the response isn't strictly limited to HTTP. You could craft a binary payload of arbitrary content.

Be aware of size when creating such responses. While it may be possible to respond with arbitrarily large responses, responses for TCP sessions will need to take into account that the receiver's window may only accept up to a certain amount of data. Sending past this limit will result in truncated data. In general, the smaller the response, the more likely it will be successful.

When the rule is configured, the page is loaded and the selected message, which defaults to:

    <default_msg> ::= \
        "You are attempting to access a forbidden site.<br />" \
        "Consult your system administrator for details.";

Additional formatting operators beyond a single within a reference URL.

This is an example rule:

    drop tcp any any -> any $HTTP_PORTS ( \
        content: "d"; msg:"Unauthorized Access Prohibited!"; \
        react: <react_opts>; sid:4;)

    <react_opts> ::= [msg] [, <dep_opts>]

These options are deprecated:

    <dep_opts> ::= [block|warn], [proxy <port#>]

The original version sent the web page to one end of the session only if the other end of the session was port 80 or the optional proxy port. The new version always sends the page to the client. If no page should be sent, a resp option can be used instead. The deprecated options are ignored.

2.11.5 Rule Actions

The block and sblock actions have been introduced as synonyms for drop and sdrop to help avoid confusion between packets dropped due to load (e.g. lack of available buffers for incoming packets) and packets blocked due to Snort's analysis.