Snort mailing list archives
Re: Sourcefire VRT Rules and Snort Active Response
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 20 Jun 2011 14:37:18 -0400
On Mon, Jun 20, 2011 at 2:01 PM, Jason D. McCormick <jasonmc () sei cmu edu> wrote:
> Hello all, I want to make certain that I understand how the Sourcefire VRT rules work in conjunction with Active Response modules in Snort. I am attempting to set up a standard IDS implementation that will perform an alerting-only function. To that end, I have set up a Linux host with 4 NICs in it. The first NIC, eth0, is the general network traffic for the Linux host. The other three are connected to span ports at various points within the infrastructure.
>
> Since my goal is an inspect/report-only infrastructure, I don't want any attempts by Snort to actively respond with Flexresp, Sniping, etc. However, to use the Sourcefire VRT rules, it appears that I must have the options --enable-active-response, --enable-normalizer, and --enable-react compiled in.
>
> The way I understand Snort via the documentation and my testing to date is that the general class of "Active Response" mechanisms only fire when Snort is running in inline mode. The way I am running snort is using the source-provided initscript which executes with the options:
>
> /usr/sbin/snort -A fast -b -d -D -I -i eth1 -u snort \
> -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
>
> which should be a pcap-based listening-only mode, correct?
Unless you changed it at build time, your default DAQ is pcap, correct. And that DAQ doesn't support packet injection, but ...
> I am correct in my understanding that when executed this way the Sourcefire VRT rulesets will not actively respond since Snort isn't operating in inline mode, yes?
Snort can still send active responses in IDS mode, so make sure that this line or similar is commented out of your snort.conf: # config response: eth0 attempts 2.
> If I've failed to RTFM something and there's documentation on this facet of Snort that I've missed, please point me to it.
>
> Thanks in advance!
> --
> Jason McCormick
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please see http://www.snort.org/docs for documentation
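Added example, not from the thread or from the Snort project: a small Python check that reports any uncommented "config response" directive in a snort.conf, the line Russ says must be commented out for an alert-only sensor even when the DAQ is pcap. The sample configuration fragment is constructed, and treating "config react" as a second directive of the same kind is an assumption.

```python
import re
from typing import List, Tuple

# Directives that turn on active response regardless of inline/IDS mode.
# "config response" is the one named in the thread; "config react" is
# assumed here to be the equivalent directive for the --enable-react feature.
_DIRECTIVE_RE = re.compile(
    r"^config\s+(?:response|react)\s*:\s*(?P<args>.*)$", re.IGNORECASE
)


def find_active_response(conf_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, directive) for every uncommented active-response
    directive in a snort.conf.  A line whose first non-blank character is
    '#' is a comment and is harmless; any other matching line is reported."""
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _DIRECTIVE_RE.match(line):
            hits.append((lineno, line))
    return hits


def is_alert_only(conf_text: str) -> bool:
    """True when the config carries no live active-response directive."""
    return not find_active_response(conf_text)


# Constructed sample: the commented copy on line 3 is fine, line 4 is not.
SAMPLE_CONF = """\
# constructed sample snort.conf fragment
config daq: pcap
# config response: eth0 attempts 2
config response: eth0 attempts 2
output alert_fast: alert
"""

if __name__ == "__main__":
    for lineno, directive in find_active_response(SAMPLE_CONF):
        print(f"line {lineno}: {directive}  <- comment out for an alert-only IDS")
```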