Snort's flexible response plug-in (flexresp) allows Snort to act as a session interception IPS. It adds an option to a rule so that when the rule is triggered, a response packet is sent to one or both endpoints of the offending session. Note that the sensor must be able to transmit: a dedicated stealth interface (receive-only, no IP address) cannot send anything, so in such environments a second interface, with an IP address and a route to the monitored networks, should be present to inject the responses. To enable flexible response, pass --enable-flexresp to configure when building Snort:
# ./configure --enable-flexresp
# make
# make install
The flexible response plug-in depends on the libnet library, which Snort uses to craft and inject the response packets onto the network; install it first if it is not already present. It can be found at http://www.packetfactory.net/libnet.
Once Snort is built with flexible response enabled, you can add the resp option to your Snort rules. It takes one or more response keywords, separated by commas, in the following format:
resp:<resp_keyword>[,<resp_keyword>...]
The response keywords that you can add to the rules are listed below. The rst_* keywords apply only to TCP rules, since a RST is a TCP segment; for UDP traffic use the icmp_* keywords:
rst_snd
Sends a RST packet to the sender of the packet that generated the alert.
rst_rcv
Sends a RST packet to the recipient of the packet that generated the alert.
rst_all
Sends a RST packet to both parties in the TCP session.
icmp_net
Sends an ICMP_NET_UNREACH message to the sender.
icmp_host
Sends an ICMP_HOST_UNREACH message to the sender.
icmp_port
Sends an ICMP_PORT_UNREACH message to the sender.
icmp_all
Sends all three ICMP responses to the sender.
For example, to reset the session when Snort detects an attempt to invoke netcat through a web application (the string "nc%20" in a request to an HTTP server), add resp:rst_all to the stock rule, remembering that every option, including resp, must be terminated with a semicolon:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; \
    content:"nc%20"; nocase; sid:1360; classtype:web-application-attack; rev:4; \
    resp:rst_all;)
Because the reset is sent on every match, attach resp only to rules with a low false-positive rate. A noisy rule, or one an attacker can trigger with spoofed source addresses, turns the sensor into a tool for tearing down legitimate sessions.
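To make the difference between rst_snd, rst_rcv and rst_all concrete, here is an added example, written for this page rather than taken from Snort's own response plug-in or from libnet, that builds the IPv4 and TCP RST segments a flexresp-style responder would inject for one observed segment. The sample segment (OBSERVED), the packet layout helpers and the sequence-number rule it applies (a RST aimed at the sender carries seq equal to the observed ack; a RST aimed at the receiver carries seq equal to the observed seq plus the payload length, so that each reset lands at the target's next expected byte) are this example's assumptions, not text from the page.

```python
"""Added example: the TCP resets behind Snort's resp:rst_snd / rst_rcv / rst_all.

Illustrative code written for this page, not Snort's sp_respond.c or libnet.
It builds the IPv4 + TCP RST segments a flexresp-style responder would inject
for one observed segment, so the direction flip and the seq/ack arithmetic are
explicit. The seq choices (to the sender: observed ack; to the receiver:
observed seq + payload length) are the assumption this example is built on.
"""
import socket
import struct

IP_PROTO_TCP = 6
TH_RST = 0x04
TH_ACK = 0x10

# Constructed sample: the segment that matched the rule, as the sensor saw it.
OBSERVED = {
    "src": "203.0.113.10", "dst": "192.0.2.80",
    "sport": 40123, "dport": 80,
    "seq": 1000, "ack": 5000,
    "payload_len": 42,          # bytes of TCP payload in the observed segment
}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq, ack, ttl=64) -> bytes:
    """Pack a 20-byte IPv4 header plus a 20-byte TCP header with RST|ACK set."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, TH_RST | TH_ACK, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     ttl, IP_PROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def responses_for(observed: dict, mode: str) -> list:
    """Return the RST segment(s) a resp:<mode> keyword would inject."""
    o = observed
    # To the sender: spoofed from the receiver, addresses and ports reversed,
    # seq = the byte the sender expects next from the receiver (its own ack).
    to_sender = build_rst(o["dst"], o["src"], o["dport"], o["sport"],
                          seq=o["ack"], ack=o["seq"] + o["payload_len"])
    # To the receiver: spoofed from the sender, seq = the byte right after the
    # observed payload, which is the receiver's rcv.nxt once it accepted it.
    to_receiver = build_rst(o["src"], o["dst"], o["sport"], o["dport"],
                            seq=o["seq"] + o["payload_len"], ack=o["ack"])
    if mode == "rst_snd":
        return [to_sender]
    if mode == "rst_rcv":
        return [to_receiver]
    if mode == "rst_all":
        return [to_sender, to_receiver]
    raise ValueError("unknown resp keyword: %s" % mode)


def parse(pkt: bytes) -> dict:
    """Decode the addressing, seq/ack and flags of a packet built above."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def checksums_ok(pkt: bytes) -> bool:
    """True when both the IP and TCP checksums verify (sum over the header is 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, IP_PROTO_TCP, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


if __name__ == "__main__":
    for mode in ("rst_snd", "rst_rcv", "rst_all"):
        for pkt in responses_for(OBSERVED, mode):
            print(mode, parse(pkt), "checksums ok" if checksums_ok(pkt) else "BAD")
```

The arithmetic shows why active response is best-effort: the sensor sees the offending segment in parallel with the receiver, so the reset has to reach each endpoint before that endpoint's window moves on, and on a busy session the legitimate traffic can win that race, leaving the session alive.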
The react response is useful for responding to HTTP-based attacks. Among other things, it lets you send a message to the client web browser explaining that access to the offending site is forbidden, and it can direct that response through a proxy port when the client is behind a proxy. The format of the react directive is:
react:<react_keyword>[,<react_keyword>...]
The keywords you can use with react are:
block
Blocks access to the session when the malicious content is matched.
warn
Sends a visible warning to the client's web browser.
msg
Includes the text of the rule's own msg option in the warning returned to the user.
proxy
Indicates a proxy port number to send the response on, if necessary.
For example, to block access to web sites that contain the string "naughtyword" (substitute your own), use this; the bidirectional <> operator makes the rule match in either direction, and the msg keyword in react causes the rule's msg text to appear in the warning page:
alert tcp any any <> $HOME_NET 80 (content: "naughtyword"; msg: "Not for children!"; react: block, msg;)