Snort mailing list archives

Re: Active response not working in 2.9.0.4 ?


From: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Date: Sat, 19 Mar 2011 11:14:37 -0500


Hi Jim

Thanks for looking into this, no worries about doing this quick, enjoy the
weekend !

I tried both w/ and w/o the comma w/ the same results. In the Snort 2.9.0
docs they mentioned the comma, that's why I had it there. I've noticed some
other discrepancies i.e. in the included snort.conf, on the stream5_global
config if you don't put commas before max_active_responses and before
max_response_seconds, active response is reported in the logs as inactive:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes,
track_icmp no, max_active_responses 2, min_response_seconds 5; at startup
snort doesn't complain but quietly ignores those.

I am using a bond device on the box in question but I have tried it on
other boxes w/ ethX interfaces w/ the same results. The config line looked
like: "configure response: device bond0/01:02:03:04:05:06[,] attempts 5"

That router log got me too but I would not worry about the cisco message, I
trust more the tcpdump stuff vs. what the router is reporting and AFAICT
there was no SYN anywhere. Maybe a TAC for Cisco is in order...

Thanks a bunch and have a great weekend !
TP



From:   Jim Hranicky <jfh () ufl edu>
To:     "Tudor Panaitescu" <TPanaitescu () colorcon com>
Cc:     snort-users () lists sourceforge net
Date:   03/19/2011 11:33 AM
Subject:        Re: [Snort-users] Active response not working in 2.9.0.4 ?



On Sat, 19 Mar 2011 09:10:54 -0500
"Tudor Panaitescu" <TPanaitescu () colorcon com> wrote:

> As soon as I put the router's MAC in the config, "configure response:
> device <interface>/<MAC>, attempts 5" snort refused to start: "FATAL ERROR:
> Active response: can't open <interface><some sort of nonsense like
> #010.y#018.$#027#010>!".

Hmm...do you have a comma after "<MAC>" ? The format should be (for anyone
using my patch):

  config response: device eth2/00:01:02:03:04:05 attempts 10

OTOH, if there were a comma in the <mac> address, eth_pton() should have
failed on a bad ethernet address.

It looks like that error's occurring here:

        s_link = eth_open(dev);

        if ( !s_link )
            FatalError("%s: can't open %s!\n",
                "Active response", dev);
        s_send = Active_SendEth;

Meaning the dev that was parsed out of <dev>/<mac> seems to be bad.

Not sure, maybe you tripped a bug in my patch. If you want to send me the
actual config line off-list I'll look at it and see if I can see the
problem.
May not get to it until tomorrow, though.

> I was sniffing on the sensor's reset interface, when I sniffed on the
> attacker interface I couldn't see the resets. Also, on the sensor, the ttl
> of the resets sent was 64 which seems to be OK.

Ok.

> Confusing enough, on the upstream router (cisco) I've got:
> "%FW-6-DROP_TCP_PKT: Dropping tcp pkt <sensor> => <attacker> due to  SYN
> inside current window .... " but I couldn't see any SYNs in the sniffer
> trace

Got me there.

Jim

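The two parsing problems in this thread, a stray comma in "device <iface>/<mac>" turning into a garbled device name at eth_open(), and stream5_global options being silently dropped when a separator is missing, are both what a strict option parser is meant to catch at startup. The following is an added example, not Snort's code and not Jim's patch: a C parser for the text after "config response:" that validates the interface name, parses the MAC the way eth_pton() would, rejects a trailing comma, and reports any token it does not recognise instead of ignoring it. IFNAME_MAX, the default of 4 attempts, the 1..20 range for attempts and the sample config lines are assumptions constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAME_MAX 16          /* assumed cap on interface name (IFNAMSIZ on Linux) */

typedef struct {
    char dev[IFNAME_MAX];      /* NUL-terminated interface name, e.g. "eth2" */
    unsigned char mac[6];      /* MAC the resets are addressed to */
    int attempts;              /* resets to send per session */
} response_cfg;

/* Stand-in for eth_pton(): parse "aa:bb:cc:dd:ee:ff" into six bytes.
 * Returns 0 on success, -1 if fewer than six octets are present or any
 * character (such as a stray ',') follows the last octet. */
int parse_mac(const char *s, unsigned char out[6])
{
    unsigned int b[6];
    char trailing;
    int n = sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x%c",
                   &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &trailing);
    if (n != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        out[i] = (unsigned char)b[i];
    return 0;
}

/* Interface names: non-empty, shorter than IFNAME_MAX, printable characters
 * only. This rejects a ',' and the non-printable junk seen in the FATAL ERROR. */
static int valid_ifname(const char *s, size_t len)
{
    if (len == 0 || len >= IFNAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Parse the text after "config response:"; 0 on success, -1 with a message
 * in err. Any token the parser does not understand is an error, never
 * silently skipped. */
int parse_response_config(const char *line, response_cfg *cfg, char *err, size_t errlen)
{
    char buf[256], *tok, *save;
    memset(cfg, 0, sizeof *cfg);
    cfg->attempts = 4;         /* assumed default when "attempts" is absent */
    if (strlen(line) >= sizeof buf) {
        snprintf(err, errlen, "config line too long");
        return -1;
    }
    strcpy(buf, line);
    for (tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        if (strcmp(tok, "device") == 0) {
            char *spec = strtok_r(NULL, " \t", &save);
            char *slash = spec ? strchr(spec, '/') : NULL;
            if (!slash) {
                snprintf(err, errlen, "device: expected <iface>/<mac>");
                return -1;
            }
            if (!valid_ifname(spec, (size_t)(slash - spec))) {
                snprintf(err, errlen, "device: bad interface name in '%s'", spec);
                return -1;
            }
            memcpy(cfg->dev, spec, (size_t)(slash - spec));
            cfg->dev[slash - spec] = '\0';
            if (parse_mac(slash + 1, cfg->mac) != 0) {
                snprintf(err, errlen, "device: bad MAC '%s' (stray comma?)", slash + 1);
                return -1;
            }
        } else if (strcmp(tok, "attempts") == 0) {
            char *val = strtok_r(NULL, " \t", &save), *end = NULL;
            long n = val ? strtol(val, &end, 10) : 0;
            if (!val || *end != '\0' || n < 1 || n > 20) {   /* assumed range 1..20 */
                snprintf(err, errlen, "attempts: expected a number from 1 to 20");
                return -1;
            }
            cfg->attempts = (int)n;
        } else {
            snprintf(err, errlen, "unknown option '%s'", tok);
            return -1;
        }
    }
    if (cfg->dev[0] == '\0') {
        snprintf(err, errlen, "device is required");
        return -1;
    }
    return 0;
}

/* Scalar wrappers for checking results: attempts on success, -1 if rejected. */
int response_attempts(const char *line)
{
    response_cfg cfg; char err[128];
    return parse_response_config(line, &cfg, err, sizeof err) == 0 ? cfg.attempts : -1;
}

/* Byte i of the parsed MAC, or -1 if the line is rejected. */
int response_mac_byte(const char *line, int i)
{
    response_cfg cfg; char err[128];
    if (i < 0 || i > 5 || parse_response_config(line, &cfg, err, sizeof err) != 0)
        return -1;
    return cfg.mac[i];
}

int main(void)
{
    /* Constructed lines: the documented form, the form with the stray comma,
     * and one with a misspelled option that a lenient parser would drop. */
    const char *lines[] = {
        "device eth2/00:01:02:03:04:05 attempts 10",
        "device bond0/01:02:03:04:05:06, attempts 5",
        "device bond0/01:02:03:04:05:06 attemps 5",
    };
    for (size_t i = 0; i < 3; i++) {
        response_cfg cfg; char err[128];
        if (parse_response_config(lines[i], &cfg, err, sizeof err) == 0)
            printf("OK   %-45s dev=%s attempts=%d\n", lines[i], cfg.dev, cfg.attempts);
        else
            printf("FAIL %-45s %s\n", lines[i], err);
    }
    return 0;
}
```

The design point is that a bad device specification fails at parse time with the offending text in the message, rather than surfacing later as an unreadable string from eth_open(); the same strictness applied to the stream5_global option list would have flagged the missing comma instead of accepting the line and discarding the options.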

