Snort mailing list archives

Re: Active response not working in 2.9.0.4 ?


From: Risto Vaarandi <risto.vaarandi () seb ee>
Date: Tue, 20 Sep 2011 14:23:23 +0300

On 09/19/2011 10:07 PM, Russ Combs wrote:
> Can you explain what exactly is not working?
>
> Can you run snort with --daq dump --daq-var load-mode=read-file -Q
> arguments and look at inline-out.pcap?

Thanks for the suggestions, I used them to do some debugging for a couple 
of hours.

To answer your first question, I ran into the issue when running Snort 
in inline mode with 'reject' actions (for terminating some TCP sessions 
with RST-packets). While these rules were operating properly for 
Snort-2.8, I wasn't able to get the 'reject' action working for 2.9.0.4 and 
2.9.1 on RHEL5.

However, when running Snort with dump DAQ as you suggested, I was able 
to see RST packets in pcap files. I tried then the ipq DAQ both in 
passive and inline mode, with tcpdump running on network interface. With 
the passive mode, RST packets were there, but not for inline mode.

Then I discovered accidentally that if inline mode is set not with -Q (I 
had used this option so far), but rather with '--daq-mode inline', 
things suddenly started running as expected. So it seems to me that for 
some reason the -Q command line option does not get exactly the same 
treatment as '--daq-mode inline', which influences the 'reject' action 
and 'resp' rule option.

But thanks for your help, I'll try to avoid -Q for the time being.

kind regards,
risto


On Mon, Sep 19, 2011 at 12:42 PM, Risto Vaarandi <risto.vaarandi () seb ee> wrote:

    hi all,
    I recall having issues with active response for 2.9.0.4 on RHEL5 (see
    the post below and my own post from last March). I am now running
    Snort-2.9.1 and on RHEL5 the issues are still there. Despite 'configure
    --enable-active-response' (this should be the default) and changing
    options in the config and rule files, the 'reject' action is not
    working. I have had no issues whatsoever in the past with snort-2.8.
    Is active response known to be broken on RHEL5? If there is anyone who
    has got this feature working on this particular platform, please share
    your knowledge.
    BR,
    risto

    On 03/19/2011 05:22 AM, Jim Hranicky wrote:
     > On Thu, 17 Mar 2011 13:39:58 -0500
     > "Tudor Panaitescu" <TPanaitescu () colorcon com> wrote:
     >
     >> I just compiled and installed 2.9.0.4 on RHEL5 and 6 boxes (of
     >> course I have daq, libpcap1, libnet and libdnet on the systems) and
     >> I've noticed that rules configured w/ resp:reset_both,icmp_all don't
     >> seem to be resetting connections as they are supposed to.
     >
     > I had 3 issues with active response:
     >
     >    - Reset packets were being sent with a TTL of 0. They didn't
     >      go very far :-)
     >    - Reset packets had the original ethernet addresses of the
     >      packets they were copied from. They therefore didn't make it
     >      to the router.
     >    - Once those were fixed, only the first rule parse would fire
     >      resets.
     >
     > The attached patch (for 2.9.0.2) fixed those problems for me, and
     > now it's working quite well. Hopefully you'll find it to be of use
     > to you. [1]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
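As an added check, not code from the thread or from the Snort project: Russ's debugging step is to run Snort with the dump DAQ and inspect inline-out.pcap, and Jim lists two defects that a reset packet can carry (TTL 0 and Ethernet addresses copied from the triggering packet). This script parses such a pcap for TCP resets and flags both symptoms; the embedded sample pcap and SENSOR_MAC are constructed assumptions, so point it at a real inline-out.pcap and the sensor's own egress MAC to use it.

```python
import struct

# Constructed sample data (not from the thread): builds a minimal classic pcap
# of Ethernet/IPv4/TCP packets so the checker runs without a real inline-out.pcap.
def _tcp_pkt(src_mac, dst_mac, ttl, flags):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 0x50, flags, 0, 0, 0)
    return eth + ip + tcp

def _pcap(packets):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)

SENSOR_MAC = "02:00:00:00:00:01"  # hypothetical MAC of the inline sensor's egress interface
SAMPLE = _pcap([
    _tcp_pkt(SENSOR_MAC, "02:00:00:00:00:02", 64, 0x02),          # SYN: not a reset, ignored
    _tcp_pkt(SENSOR_MAC, "02:00:00:00:00:02", 64, 0x04),          # healthy RST
    _tcp_pkt("aa:bb:cc:dd:ee:ff", "02:00:00:00:00:02", 0, 0x14),  # RST/ACK with both symptoms
])

def rst_checks(pcap_bytes, sensor_mac=None):
    """Return one dict per TCP packet with the RST flag set.
    ttl_zero flags the TTL-0 symptom; mac_copied flags a source MAC that is
    not the sensor's own (i.e. copied from the packet that triggered the reset)."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected an Ethernet (linktype 1) pcap")
    off, found = 24, []
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        pkt = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ttl, ihl = pkt[22], (pkt[14] & 0x0F) * 4
        tcp = pkt[14 + ihl:]
        if len(tcp) < 14 or not tcp[13] & 0x04:
            continue  # no RST flag
        src_mac = ":".join("%02x" % b for b in pkt[6:12])
        found.append({"src_mac": src_mac, "ttl": ttl, "ttl_zero": ttl == 0,
                      "mac_copied": bool(sensor_mac) and src_mac != sensor_mac.lower()})
    return found

if __name__ == "__main__":
    for r in rst_checks(SAMPLE, SENSOR_MAC):
        print(r)
```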
