Snort mailing list archives
Re: Active response not working in 2.9.0.4 ?
From: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Date: Sat, 19 Mar 2011 11:14:37 -0500
Hi Jim,

Thanks for looking into this, no worries about doing this quick, enjoy the weekend! I tried both w/ and w/o the comma w/ the same results. In the Snort 2.9.0 docs they mentioned the comma, that's why I had it there.

I've noticed some other discrepancies, i.e. in the included snort.conf, on the stream5_global config: if you don't put commas before max_active_responses and before max_response_seconds, active response is reported in the logs as inactive:

    preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no, max_active_responses 2, min_response_seconds 5;

at startup snort doesn't complain but quietly ignores those.

I am using a bond device on the box in question but I have tried it on other boxes w/ ethX interfaces w/ the same results. The config line looked like:

    configure response: device bond0/01:02:03:04:05:06[,] attempts 5

That router log got me too but I would not worry about the cisco message, I trust more the tcpdump stuff vs. what the router is reporting and AFAICT there was no SYN anywhere. Maybe a TAC for Cisco is in order...

Thanks a bunch and have a great weekend!

TP

From: Jim Hranicky <jfh () ufl edu>
To: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Cc: snort-users () lists sourceforge net
Date: 03/19/2011 11:33 AM
Subject: Re: [Snort-users] Active response not working in 2.9.0.4 ?

On Sat, 19 Mar 2011 09:10:54 -0500 "Tudor Panaitescu" <TPanaitescu () colorcon com> wrote:
As soon as I put the router's MAC in the config, "configure response: device <interface>/<MAC>, attempts 5", snort refused to start: "FATAL ERROR: Active response: can't open <interface><some sort of nonsense like #010.y#018.$#027#010>!".
Hmm...do you have a comma after "<MAC>"? The format should be (for anyone using my patch):

    config response: device eth2/00:01:02:03:04:05 attempts 10

OTOH, if there were a comma in the <mac> address, eth_pton() should have failed on a bad ethernet address. It looks like that error's occurring here:

    s_link = eth_open(dev);
    if ( !s_link )
        FatalError("%s: can't open %s!\n", "Active response", dev);
    s_send = Active_SendEth;

Meaning the dev that was parsed out of <dev>/<mac> seems to be bad. Not sure, maybe you tripped a bug in my patch. If you want to send me the actual config line off-list I'll look at it and see if I can see the problem. May not get to it until tomorrow, though.
I was sniffing on the sensor's reset interface, when I sniffed on the attacker interface I couldn't see the resets. Also, on the sensor, the ttl of the resets sent was 64 which seems to be OK.
Ok.
Confusing enough, on the upstream router (cisco) I've got: "%FW-6-DROP_TCP_PKT: Dropping tcp pkt <sensor> => <attacker> due to SYN inside current window ...." but I couldn't see any SYNs in the sniffer trace.
Got me there.

Jim
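The two configuration pitfalls in this exchange (stream5_global options that are silently dropped when the comma between them is missing, and a `config response: device <dev>/<mac>` line whose MAC picks up a stray comma) are the kind of thing worth catching before Snort starts. The following lint script is an added example written for this archive page; it is not code from the thread, from Snort, or from Jim's patch. It assumes the `device <dev>/<mac> attempts <n>` syntax exactly as Jim quoted it for his patch (stock Snort 2.9.0 does not take a MAC there), the option list is a subset of what stream5_global accepts, and the sample snort.conf lines are constructed for the demonstration. The claim that an option glued onto the previous one is ignored without a startup error is the poster's observation, which the script flags rather than re-verifies.

```python
import re

# Option keys that stream5_global accepts (the ones this thread touches plus
# the common ones; extend as needed).  Assumed subset, not Snort's full list.
STREAM5_GLOBAL_KEYS = {
    "track_tcp", "track_udp", "track_icmp", "max_tcp", "max_udp", "max_icmp",
    "memcap", "flush_on_alert", "prune_log_max", "disabled",
    "max_active_responses", "min_response_seconds",
}

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def lint_stream5_global(line):
    """Return the option names that a missing comma would swallow.

    stream5_global takes comma-separated "<key> <value>" pairs.  When the
    comma between two pairs is missing, the second pair is just trailing
    text inside the first pair's value, which is what the poster reports
    being ignored without any startup error.
    """
    _, _, body = line.partition(":")
    swallowed = []
    for chunk in body.split(","):
        words = chunk.split()
        # Only the first two words are "<key> <value>"; any known key after
        # that was meant to be its own option.
        swallowed.extend(w for w in words[2:] if w in STREAM5_GLOBAL_KEYS)
    return swallowed


def parse_config_response(line):
    """Parse "config response: device <dev>[/<mac>] attempts <n>".

    This follows the "device <dev>/<mac>" syntax of the patch quoted in the
    thread (assumed here), not stock Snort.  Returns
    (device, mac_or_None, attempts_or_None) or raises ValueError with the
    reason a strict parser would reject the line.
    """
    _, _, body = line.partition(":")
    tokens = body.split()
    opts = {}
    for i in range(0, len(tokens), 2):
        key = tokens[i]
        if key not in ("device", "attempts") or i + 1 >= len(tokens):
            raise ValueError("unexpected or dangling token %r" % key)
        opts[key] = tokens[i + 1]
    dev, sep, mac = opts.get("device", "").partition("/")
    if not dev:
        raise ValueError("device name is empty")
    if sep and not MAC_RE.match(mac):
        # A comma glued to the MAC ("...:06,") lands here, the same
        # malformed-address case Jim expected eth_pton() to reject.
        raise ValueError("malformed MAC %r" % mac)
    attempts = opts.get("attempts")
    if attempts is not None and not attempts.isdigit():
        raise ValueError("attempts must be an integer, got %r" % attempts)
    return dev, (mac if sep else None), (int(attempts) if attempts else None)


def lint_snort_conf(text):
    """Run both checks over a snort.conf blob; return (lineno, message) pairs."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("preprocessor stream5_global:"):
            for key in lint_stream5_global(line):
                findings.append((n, "stream5_global: %r is not comma-separated "
                                    "from the previous option" % key))
        elif line.startswith("config response:"):
            try:
                parse_config_response(line)
            except ValueError as e:
                findings.append((n, "config response: %s" % e))
    return findings


# Constructed sample, not a real snort.conf: line 2 has the missing commas
# and line 4 the comma after the MAC that the thread discusses.
SAMPLE_CONF = """\
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no, max_active_responses 2, min_response_seconds 5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no max_active_responses 2 min_response_seconds 5
config response: device eth2/00:01:02:03:04:05 attempts 10
config response: device bond0/01:02:03:04:05:06, attempts 5
"""

if __name__ == "__main__":
    for lineno, msg in lint_snort_conf(SAMPLE_CONF):
        print("line %d: %s" % (lineno, msg))
```

Run against the constructed sample it reports two swallowed keys on line 2 and the malformed MAC on line 4, while lines 1 and 3 pass. Splitting on commas first and only then on whitespace is deliberate: it mirrors the "<key> <value>, <key> <value>" grammar the manual gives for stream5_global, so anything beyond the second word of a chunk is by construction a separator problem rather than a value.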
Current thread:
- Active response not working in 2.9.0.4 ? Tudor Panaitescu (Mar 17)
- Re: Active response not working in 2.9.0.4 ? Jim Hranicky (Mar 18)
- Re: Active response not working in 2.9.0.4 ? Tudor Panaitescu (Mar 19)
- unsubscribe jeff jennings (Mar 19)
- Re: Active response not working in 2.9.0.4 ? Jim Hranicky (Mar 19)
- Re: Active response not working in 2.9.0.4 ? Tudor Panaitescu (Mar 19)
- Re: Active response not working in 2.9.0.4 ? Jim Hranicky (Mar 19)
- Re: Active response not working in 2.9.0.4 ? Tudor Panaitescu (Mar 19)
- Re: Active response not working in 2.9.0.4 ? Tudor Panaitescu (Mar 19)
- Re: Active response not working in 2.9.0.4 ? Jim Hranicky (Mar 18)
- <Possible follow-ups>
- Active response not working in 2.9.0.4 ? Tudor Panaitescu (Mar 18)