Re: Sourcefire VRT Rules and Snort Active Response

[Russ Combs <rcombs () sourcefire com>]

On Mon, Jun 20, 2011 at 2:01 PM, Jason D. McCormick <jasonmc () sei cmu edu>wrote:

> Hello all,
>
> I want to make certain that I understand how the Sourcefire VRT rules work
> in conjunction with Active Response modules in Snort.  I am attempting to
> setup a standard IDS implementation that will perform and alerting-only
> function.  To that end, I have setup a Linux host with 4 NICs in it.  The
> first NIC, eth0, is the general network traffic for the Linux host.  The
> other three are connected to span ports at various points within the
> infrastructure.  Since my goal is an inspect/report-only infrastructure, I
> don't want any attempts by Snort to actively respond with Flexresp, Sniping,
> etc.  However to use the Sourcefire VRT rules, it appears that I must have
> the options --enable-active-response, --enable-normalizer, and
> --enable-react compiled in.  The way I understand Snort via the
> documentation and my testing to date is that the general class of "Active
> Response" mechanisms only fire when Snort is running in inline mode.  The
> way I am running snort is using the source-provided initscript which
> executes with the options:
>
>  /usr/sbin/snort -A fast -b -d -D -I -i eth1 -u snort \
>    -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
>
> which should be a pcap-based listening-only mode correct?


Unless you changed it at build time, your default DAQ is pcap, correct.  And
that DAQ doesn't support packet injection, but ...


>  I am correct in my understanding that when executed this way the
> Sourcefire VRT rulesets will not actively response since Snort isn't
> operating in inline mode, yes?

Snort can still send active responses in IDS mode, so make sure that this
line or similar is commented out of your snort.conf:

# config response: eth0 attempts 2.

> If I've failed to RTFM something and there's documentation on this facet of
> Snort that I've missed, please point me to it.
Thanks in advance!
> --
> Jason McCormick
>
>
>
>
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please see http://www.snort.org/docs for documentation
------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation