Problem
You want to be able to close an active connection if specific criteria are met by a rule. For example, you might want to close any Telnet session in which the string /etc/passwd is sent.
Solution
Use the resp keyword.
resp:
Discussion
resp lets you attach a flexible response to a rule so that the TCP session that triggered the alert is torn down. You can take your pick from the response mechanisms listed in Table 2-1.
Table 2-1

| Mechanism name | Action |
|---|---|
| rst_snd | Send TCP-RST packet to the sending socket |
| rst_rcv | Send TCP-RST packet to the receiving socket |
| rst_all | Send a TCP-RST packet to both |
| icmp_net | Send ICMP-NET-UNREACH to the sender |
| icmp_host | Send ICMP-HOST-UNREACH to the sender |
| icmp_port | Send ICMP-PORT-UNREACH to the sender |
| icmp_all | Send all the previously listed ICMP packets to the sender |
All the actions listed in Table 2-1 can be combined by specifying them as a comma-separated sequence.
For example, to drop all connections from a certain host:
alert tcp 192.168.0.8 any -> any any (resp:rst_all;)
As you can combine the mechanisms, the following rule would have exactly the same effect (note that the rule action must be written in lowercase as alert; Snort does not accept Alert):
alert tcp 192.168.0.8 any -> any any (resp:rst_snd,rst_rcv;)
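As an added example (not code from the book or from Snort), the following Python helper pulls the resp option out of each rule in a rules file and expands it to the packets Snort would send according to Table 2-1, so you can audit which rules perform active response and confirm, for instance, that rst_all and rst_snd,rst_rcv produce the same packets. The sample rules, their sid values, and the assumption of one rule per line are constructed for this example.

```python
import re

# Table 2-1: the packets each resp mechanism actually emits.
RESP_PACKETS = {
    "rst_snd": {"TCP-RST->sender"},
    "rst_rcv": {"TCP-RST->receiver"},
    "rst_all": {"TCP-RST->sender", "TCP-RST->receiver"},
    "icmp_net": {"ICMP-NET-UNREACH->sender"},
    "icmp_host": {"ICMP-HOST-UNREACH->sender"},
    "icmp_port": {"ICMP-PORT-UNREACH->sender"},
    "icmp_all": {"ICMP-NET-UNREACH->sender", "ICMP-HOST-UNREACH->sender",
                 "ICMP-PORT-UNREACH->sender"},
}

RESP_RE = re.compile(r"\bresp\s*:\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

def parse_resp(rule: str) -> frozenset:
    """Return the set of packets the rule's resp option sends (empty if no resp)."""
    match = RESP_RE.search(rule)
    if not match:
        return frozenset()
    packets = set()
    for mech in (m.strip() for m in match.group(1).split(",")):
        if mech not in RESP_PACKETS:
            raise ValueError(f"unknown resp mechanism: {mech!r}")
        packets |= RESP_PACKETS[mech]
    return frozenset(packets)

def active_response_rules(rules_text: str) -> list:
    """List (sid, packets) for every non-comment rule carrying a resp option."""
    found = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        packets = parse_resp(line)
        if packets:
            sid = SID_RE.search(line)
            found.append((int(sid.group(1)) if sid else None, packets))
    return found

# Constructed sample rules file (sid values are placeholders for the example).
SAMPLE_RULES = """
# constructed sample rules
alert tcp 192.168.0.8 any -> any any (resp:rst_all; sid:1000001;)
alert tcp 192.168.0.8 any -> any any (resp:rst_snd,rst_rcv; sid:1000002;)
alert tcp any any -> any 23 (content:"/etc/passwd"; resp:rst_all,icmp_port; sid:1000003;)
alert tcp any any -> any 80 (content:"GET"; sid:1000004;)
"""
```

Running `active_response_rules(SAMPLE_RULES)` lists the three rules that tear down sessions and leaves the plain alert on port 80 out.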
See Also
Snort Users Manual
Rules and Signatures