Snort mailing list archives
Active response not working in 2.9.0.4 ?
From: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Date: Fri, 18 Mar 2011 16:15:27 -0500
Hi

Anyone w/ any suggestions here?

Thanks,
TP

__________________

Hi

I just compiled and installed 2.9.0.4 on RHEL5 and 6 boxes (of course I have daq, libpcap1, libnet and libdnet on the systems) and I've noticed that rules configured w/ resp:reset_both,icmp_all don't seem to be resetting connections as they are supposed to.

Snort was compiled w/:

    --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3

Also in the config file, snort.conf, I have:

    ....
    config response: device <interface> attempts 5
    .....
    preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no, max_active_responses 5, min_response_seconds 1

Even the log file upon starting up snort says:

    ......
    Send up to 5 active responses
    Wait at least 1 seconds between responses
    ..........

I even put a sniffer on the interface and I didn't see any ICMP sent to the source of the packets that triggered the rule w/ resp.

Can anyone help w/ this?

Thanks in advance
Tudor