Intrusion Prevention and Active Response: Deploying Network and Host IPS

Snort Flexible Response Plugin

Snort can perform session sniping through its flexible response plugin, which adds the resp and react keywords to rule creation. When a rule is triggered, the appropriate action is taken based on these keywords. If you are running Snort in stealth mode (on an interface with no IP address), you will need an additional interface from which to send the responses. Also make sure that the libnet library (http://libnet.sourceforge.net) is installed, since it is used to build and send the response packets on the network.

To build Snort with the flexible response plugin, use the ./configure --enable-flexresp option. Next, add the resp or react keyword to the rules you want to take action when triggered. The resp keyword uses the following format:

resp: <resp_mechanism>[,<resp_mechanism>[,<resp_mechanism>]];

where resp_mechanism can be one or more of the following:

  • rst_snd Sends a TCP RST packet to the sender of the packet

  • rst_rcv Sends a TCP RST packet to the receiver of the packet

  • rst_all Sends a TCP RST packet to both the sender and receiver

  • icmp_net Sends an ICMP_NET_UNREACH message to the sender

  • icmp_host Sends an ICMP_HOST_UNREACH message to the sender

  • icmp_port Sends an ICMP_PORT_UNREACH message to the sender

  • icmp_all Sends all three Internet Control Message Protocol (ICMP) messages to the sender

The following example attempts to block Telnet by resetting any TCP connection to port 23:

alert tcp any any -> any 23 (msg:"Attempted Telnet"; flags:S; resp:rst_all;)
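Before loading active-response rules onto a sensor it is worth linting them, since a mistyped mechanism or a TCP reset attached to a non-TCP rule silently does nothing useful. The following is an added example (not Snort's own code, and not from the original text): it parses a rule like the one above, validates the resp mechanisms against the list documented here, enforces the three-mechanism limit implied by the resp format, and expands each mechanism into the packets the plugin would emit and to whom.

```python
"""Lint the resp: option of Snort flexible-response rules (added example, not Snort code)."""
import re

# Mechanism -> (target, packet) exactly as documented for the flexresp plugin.
RESP_MECHANISMS = {
    "rst_snd":   [("sender", "TCP RST")],
    "rst_rcv":   [("receiver", "TCP RST")],
    "rst_all":   [("sender", "TCP RST"), ("receiver", "TCP RST")],
    "icmp_net":  [("sender", "ICMP_NET_UNREACH")],
    "icmp_host": [("sender", "ICMP_HOST_UNREACH")],
    "icmp_port": [("sender", "ICMP_PORT_UNREACH")],
}
RESP_MECHANISMS["icmp_all"] = (RESP_MECHANISMS["icmp_net"]
                               + RESP_MECHANISMS["icmp_host"]
                               + RESP_MECHANISMS["icmp_port"])
MAX_RESP_MECHANISMS = 3  # the resp: format allows at most three mechanisms

# One "key:value;" option; the value may be a quoted string containing ';'.
_OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(rule):
    """Split a Snort rule into its header fields and an options dict."""
    header, _, body = rule.partition("(")
    fields = header.split()  # action proto src_ip src_port -> dst_ip dst_port
    if len(fields) != 7 or not body.rstrip().endswith(")"):
        raise ValueError("malformed rule header")
    opts = {m.group(1): m.group(2).strip('"') for m in _OPTION_RE.finditer(body)}
    return {"action": fields[0], "proto": fields[1], "options": opts}

def lint_resp(rule):
    """Return (problems, responses): issues found and packets the plugin would send."""
    parsed = parse_rule(rule)
    problems, responses = [], []
    resp = parsed["options"].get("resp")
    if resp is None:
        return ["rule has no resp: option"], responses
    mechanisms = [m.strip() for m in resp.split(",")]
    if len(mechanisms) > MAX_RESP_MECHANISMS:
        problems.append(f"resp lists {len(mechanisms)} mechanisms, max is {MAX_RESP_MECHANISMS}")
    for mech in mechanisms:
        if mech not in RESP_MECHANISMS:
            problems.append(f"unknown resp mechanism {mech!r}")
            continue
        if mech.startswith("rst_") and parsed["proto"] != "tcp":
            # A TCP RST can only tear down a TCP session; on udp/icmp rules it is dead weight.
            problems.append(f"{mech} sends TCP RST but rule protocol is {parsed['proto']}")
        responses.extend(RESP_MECHANISMS[mech])
    return problems, responses
```

Running lint_resp on the Telnet rule above returns no problems and two TCP RST packets, one to the sender and one to the receiver.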

The...
