Snort mailing list archives

Re: Active response not working in 2.9.0.4 ?


From: Jim Hranicky <jfh () ufl edu>
Date: Sat, 19 Mar 2011 09:30:48 -0400

On Sat, 19 Mar 2011 08:14:37 -0500
"Tudor Panaitescu" <TPanaitescu () colorcon com> wrote:


> Hi Jim
> 
> Thanks for your reply and for the patch. Is your sensor inline or passive?
> I have applied the patch and the active response still doesn't work; not
> sure what I am missing here. Is it a config issue or a rule issue?

Mine is configured passive. 

Did you put the next hop router's ethernet address in the config? 

> I have sniffed on the same interface and I didn't see any ICMP being sent.
> I saw TCP resets, but the connection still didn't seem to have dropped; I
> still saw a push from the sensor to the attacker right after the resets were
> sent.

Where were you sniffing? If you're sniffing on the reset interface make 
sure your TTLs are > 0. If you can, sniff on the target box on your network
to make sure the resets are getting there. 

FWIW, I'm doing reset:both.

Once you get it working it's pretty satisfying:

  curl -s -S -k -H 'Host: <bad host>' -H 'Connection: Keep-Alive' http://<bad-url>
  curl: (56) Failure when receiving data from the peer

Jim
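As a way to carry out the checks Jim suggests above (sniff where the resets should arrive, confirm they leave with a TTL above 0, and confirm no further data flows after them), here is an added example that is not part of this thread and not Snort's own code: a small Python script that parses `tcpdump -nv`-style lines and reports, per flow, how many resets were seen, how many had TTL 0, and whether the flow kept carrying data after the last reset. The capture text is constructed for the example; the address and port values are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -nv` output; not a real capture.
# Flow 1: the resets leave with ttl 0 and the server keeps pushing data
#         afterwards, so the reset did not take.
# Flow 2: the resets carry ttl 64 and nothing follows them, so the reset took.
SAMPLE_CAPTURE = """\
09:30:48.000100 IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.7.45120 > 192.0.2.10.80: Flags [P.], seq 1:21, ack 1, win 512, length 20
09:30:48.000300 IP (tos 0x0, ttl 0, id 0, offset 0, flags [none], proto TCP (6), length 40) 192.0.2.10.80 > 203.0.113.7.45120: Flags [R.], seq 1, ack 21, win 0, length 0
09:30:48.000310 IP (tos 0x0, ttl 0, id 0, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.7.45120 > 192.0.2.10.80: Flags [R.], seq 21, ack 1, win 0, length 0
09:30:48.002000 IP (tos 0x0, ttl 64, id 1002, offset 0, flags [DF], proto TCP (6), length 1400) 192.0.2.10.80 > 203.0.113.7.45120: Flags [P.], seq 1:1361, ack 21, win 512, length 1360
09:31:02.000100 IP (tos 0x0, ttl 64, id 2001, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.8.51000 > 192.0.2.10.80: Flags [P.], seq 1:21, ack 1, win 512, length 20
09:31:02.000300 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40) 192.0.2.10.80 > 203.0.113.8.51000: Flags [R.], seq 1, ack 21, win 0, length 0
09:31:02.000310 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.8.51000 > 192.0.2.10.80: Flags [R.], seq 21, ack 1, win 0, length 0
"""

# Pulls timestamp, IP TTL, endpoints, TCP flags and payload length out of one line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?ttl (?P<ttl>\d+).*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)$"
)


def parse_line(line):
    """Return a packet dict for a tcpdump -nv line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "ttl": int(d["ttl"]),
        "src": f'{d["src"]}:{d["sport"]}',
        "dst": f'{d["dst"]}:{d["dport"]}',
        "flags": d["flags"],
        "length": int(d["length"]),
    }


def flow_key(pkt):
    """Direction-agnostic key so both halves of a conversation share one bucket."""
    return " <-> ".join(sorted([pkt["src"], pkt["dst"]]))


def analyze_resets(capture_text):
    """Per flow: count resets, count resets with TTL 0, and flag data after the last reset."""
    flows = defaultdict(list)
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            flows[flow_key(pkt)].append(pkt)

    report = {}
    for key, pkts in flows.items():
        rst_idx = [i for i, p in enumerate(pkts) if "R" in p["flags"]]
        resets = [pkts[i] for i in rst_idx]
        # Payload seen after the final RST means the endpoints ignored or never got it.
        data_after = bool(rst_idx) and any(p["length"] > 0 for p in pkts[rst_idx[-1] + 1:])
        zero_ttl = sum(1 for p in resets if p["ttl"] == 0)
        report[key] = {
            "resets_seen": len(resets),
            "resets_with_zero_ttl": zero_ttl,
            "data_after_last_reset": data_after,
            # A reset only counts as effective if it was sent, could be routed, and ended the flow.
            "reset_effective": len(resets) > 0 and zero_ttl == 0 and not data_after,
        }
    return report


if __name__ == "__main__":
    for flow, verdict in analyze_resets(SAMPLE_CAPTURE).items():
        print(flow, verdict)
```

Run it against a real `tcpdump -nv` capture taken on the target host rather than on the sensor's reset interface: a reset that looks fine leaving the sensor but never shows up at the target points at the next-hop MAC or TTL, while one that arrives and is still followed by data points at sequence numbers or the rule itself.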
