Snort mailing list archives

Re: Active response not working in 2.9.0.4 ?


From: Jim Hranicky <jfh () ufl edu>
Date: Sat, 19 Mar 2011 11:33:11 -0400

On Sat, 19 Mar 2011 09:10:54 -0500
"Tudor Panaitescu" <TPanaitescu () colorcon com> wrote:

> As soon as I put the router's MAC in the config, "configure response:
> device <interface>/<MAC>, attempts 5" snort refused to start: "FATAL ERROR:
> Active response: can't open <interface><some sort of nonsense like
> #010.y#018.$#027#010>!".

Hmm...do you have a comma after "<MAC>"? The format should be (for anyone
using my patch):

  config response: device eth2/00:01:02:03:04:05 attempts 10

OTOH, if there were a comma in the <mac> address, eth_pton() should have failed
on a bad Ethernet address.

It looks like that error's occurring here:

        /* eth_open() (libdnet) returns NULL when the named device
         * cannot be opened, so the FatalError below prints whatever
         * string ended up in dev */
        s_link = eth_open(dev);

        if ( !s_link )
            FatalError("%s: can't open %s!\n",
                "Active response", dev);
        s_send = Active_SendEth;

Meaning the dev that was parsed out of <dev>/<mac> seems to be bad.

Not sure, maybe you tripped a bug in my patch. If you want to send me the
actual config line off-list I'll look at it and see if I can see the problem.
May not get to it until tomorrow, though.

> I was sniffing on the sensor's reset interface; when I sniffed on the
> attacker interface I couldn't see the resets. Also, on the sensor, the ttl
> of the resets sent was 64 which seems to be OK.

Ok.

> Confusingly enough, on the upstream router (cisco) I've got:
> "%FW-6-DROP_TCP_PKT: Dropping tcp pkt <sensor> => <attacker> due to  SYN
> inside current window .... " but I couldn't see any SYNs in the sniffer
> trace

Got me there.

Jim
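As an added example, not Snort's own code and not the patch discussed in this thread, here is a strict parser for the `<dev>/<mac>` argument of the config line quoted above. The MAC parse rejects anything after the sixth byte (so a stray comma fails, as eth_pton() is expected to), and the device name is bounded and NUL-terminated before it can reach an error message. The 16-byte device-name limit, the error codes and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed limit for the device name (IFNAMSIZ on Linux is 16). */
#define RESP_DEV_MAX 16

enum resp_err { RESP_OK = 0, RESP_NO_SLASH, RESP_BAD_DEV, RESP_BAD_MAC };

/* Strict MAC parse: exactly six two-digit hex bytes separated by ':' and
 * nothing after the last byte. Returns 0 on success, -1 on any defect. */
static int parse_mac(const char *s, uint8_t mac[6])
{
    for (int i = 0; i < 6; i++) {
        unsigned v = 0;
        for (int d = 0; d < 2; d++, s++) {
            int c = *s;
            if (c >= '0' && c <= '9')      v = v * 16 + (unsigned)(c - '0');
            else if (c >= 'a' && c <= 'f') v = v * 16 + (unsigned)(c - 'a' + 10);
            else if (c >= 'A' && c <= 'F') v = v * 16 + (unsigned)(c - 'A' + 10);
            else return -1;                /* non-hex digit or end of string */
        }
        mac[i] = (uint8_t)v;
        if (i < 5 && *s++ != ':') return -1;
    }
    return *s == '\0' ? 0 : -1;            /* trailing junk such as ',' fails */
}

/* Splits "eth2/00:01:02:03:04:05" into a bounded device name and a MAC.
 * dev must have room for RESP_DEV_MAX bytes. */
enum resp_err parse_response_device(const char *arg, char *dev, uint8_t mac[6])
{
    const char *slash = strchr(arg, '/');
    if (!slash) return RESP_NO_SLASH;

    size_t n = (size_t)(slash - arg);
    if (n == 0 || n >= RESP_DEV_MAX) return RESP_BAD_DEV;   /* empty or too long */
    for (size_t i = 0; i < n; i++) {       /* conservative interface-name charset */
        char c = arg[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-' || c == ':'))
            return RESP_BAD_DEV;
    }
    memcpy(dev, arg, n);
    dev[n] = '\0';                         /* always terminate before use */

    return parse_mac(slash + 1, mac) == 0 ? RESP_OK : RESP_BAD_MAC;
}
```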
