Previous Section  < Day Day Up >  Next Section

8.3 Flexible Response with Snort

Snort's flexible response plug-in allows Snort to act as a session interception IPS. It adds an option to a rule so that when the rule is triggered, an action is taken. In environments where the Snort sensor has a dedicated stealth interface, another interface should be present to send the responses. To enable flexible response, use the following command line when running configure:

# ./configure -enable-flexresp

# make

# make install

You may also need the libnet library, if it is not installed. It allows Snort to craft and inject packets onto the network. It can be found at

Once Snort is built with flexible response enabled, you can include several new options within your Snort rules. The option uses the following format:


The response keywords that you can add to the rules are:


Sends a RST packet to the sender of the packet that generated the alert.


Sends a RST packet to the recipient of the packet that generated the alert.


Sends a RST packet to both parties in the TCP session.


Sends an ICMP_NET_UNREACH message to the sender.


Sends an ICMP_HOST_UNREACH message to the sender.


Sends an ICMP_PORT_UNREACH message to the sender.


Sends all three ICMP responses to the sender.

For example, to reset a session when Snort detects that the remote control software NetCat is in use on port 80, use something like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat 

command attempt"; flow:to_server,established; content:"nc%20";nocase; sid:1360;

classtype:web-application-attack; rev:4; resp:rst_all)

8.3.1 The react Response

The react response is useful for responding to HTTP-based attacks. Among other things, it lets you send a message to the client web browser explaining that access to the offending site is forbidden. It also knows how to deal with proxies. The format of the react response directive is:


The keywords you can use with react are:


Blocks access to the session when the malicious content is matched.


Sends a visible warning to the client's web browser.


The content of this setting is included with the warning returned to the user.


Indicates a proxy port number to send the response on, if necessary.

For example, to block access to web sites that contain the string "naughtyword" (substitute your own), use this:

alert tcp any any <> $HOME_NET 80 (content: "naughtyword"; msg: "Not for children!"; 

react: block, msg;)

    Previous Section  < Day Day Up >  Next Section