Snort mailing list archives
Re: Active response not working in 2.9.0.4 ?
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 22 Sep 2011 15:20:38 -0400
Sounds like you may not have Snort configured correctly, in which case RHEL6 won't be any better. The daq-mode option sets the DAQ mode, not the policy mode. -Q sets both if that is the only relevant option set. Have a look at section 1.9.5 of the Snort Manual.

On Thu, Sep 22, 2011 at 7:19 AM, Risto Vaarandi <risto.vaarandi () seb ee> wrote:
> On 09/20/2011 02:23 PM, Risto Vaarandi wrote:
>> On 09/19/2011 10:07 PM, Russ Combs wrote:
>>> Can you explain what exactly is not working? Can you run snort with --daq dump --daq-var load-mode=read-file -Q arguments and look at inline-out.pcap?
>> ...
>> Then I discovered accidentally that if inline mode is set not with -Q (I had used this option so far), but rather with '--daq-mode inline', things suddenly started running as expected. So it seems to me that for some reason the -Q command line option gets not exactly the same treatment as '--daq-mode inline' which influences the 'reject' action and 'resp' rule option.
> ...
> it appears that --daq-mode inline without -Q will actually not enable inline mode, and the 'drop' rules will not work anymore. It seems that trying rhel6 is the only option left.
> br,
> risto
>
>>> On Mon, Sep 19, 2011 at 12:42 PM, Risto Vaarandi <risto.vaarandi () seb ee> wrote:
>>>> hi all,
>>>> I recall of having issues with active response for 2.9.0.4 on RHEL5 (see the post below and my own post from last March). I am now running Snort-2.9.1 and on RHEL5 the issues are still there. Despite 'configure --enable-active-response' (this should be the default) and changing options in the config and rule files, the 'reject' action is not working. I have had no issues whatsoever in the past with snort-2.8. Is active response known to be broken on RHEL5? If there is anyone who has got this feature working on this particular platform, please share your knowledge.
>>>> BR,
>>>> risto
>>>>
>>>> On 03/19/2011 05:22 AM, Jim Hranicky wrote:
>>>>> On Thu, 17 Mar 2011 13:39:58 -0500 "Tudor Panaitescu" <TPanaitescu () colorcon com> wrote:
>>>>>> I just compiled and installed 2.9.0.4 on RHEL5 and 6 boxes (of course I have daq, libpcap1, libnet and libdnet on the systems) and I've noticed that rules configured w/ resp:reset_both,icmp_all don't seem to be resetting connections as supposed to.
>>>>>
>>>>> I had 3 issues with active response:
>>>>>
>>>>> - Reset packets were being sent with a TTL of 0. They didn't go very far :-)
>>>>> - Reset packets had the original ethernet addresses of the packets they were copied from. They therefore didn't make it to the router.
>>>>> - Once those were fixed, only the first rule parse would fire resets.
>>>>>
>>>>> The attached patch (for 2.9.0.2) fixed those problems for me, and now it's working quite well. Hopefully you'll find it to be of use to you. [1]
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
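Russ suggests running Snort with the dump DAQ and inspecting inline-out.pcap, and Jim's patch description names the two concrete ways a reset can be malformed (TTL 0, and Ethernet addresses copied unchanged from the offending packet so the reset never reaches the router). The script below is an added example, not code from the Snort project or from anyone in this thread: it reads a classic libpcap file, decodes Ethernet/IPv4/TCP headers, and reports exactly those defects for each reset, compared against the packet the reset is answering. The sample pcap, MAC and IP addresses are constructed in memory so the script runs offline; it assumes the reset being checked is the one sent back toward the original sender (for resp:reset_both the reset toward the other end keeps the original direction) and does not handle pcapng.

```python
"""Audit reset packets written by Snort's dump DAQ (inline-out.pcap).

Added example, not from the Snort project or the thread's authors. It assumes
Ethernet-framed IPv4/TCP in a classic libpcap file and checks the two defects
named in the thread: resets with TTL 0 and resets whose Ethernet destination
was copied from the offending packet instead of pointing back at its sender.
The sample pcap below is constructed so the script runs offline.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # libpcap magic as read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # byte-swapped magic means a big-endian file
LINKTYPE_ETHERNET = 1
ETH_LEN = 14
TCP_RST = 0x04


def build_frame(eth_dst, eth_src, ip_src, ip_dst, ttl, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample; checksums left 0)."""
    eth = eth_dst + eth_src + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, ip_src, ip_dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap container (constructed sample input)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1316000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield raw frames from a classic pcap file, handling both byte orders."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    link_type = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if link_type != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % link_type)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; returns None for anything else."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    ttl, proto = frame[ETH_LEN + 8], frame[ETH_LEN + 9]
    if proto != 6 or len(frame) < ETH_LEN + ihl + 14:
        return None
    tcp = ETH_LEN + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12],
        "ip_src": frame[ETH_LEN + 12:ETH_LEN + 16], "ip_dst": frame[ETH_LEN + 16:ETH_LEN + 20],
        "ttl": ttl, "sport": sport, "dport": dport, "flags": frame[tcp + 13],
    }


def check_reset(orig, rst):
    """Return the defects in a reset aimed back at the sender of `orig` (empty list = ok)."""
    problems = []
    if not rst["flags"] & TCP_RST:
        problems.append("RST flag not set")
    if rst["ttl"] == 0:
        problems.append("TTL is 0, the first router will drop it")
    if rst["eth_dst"] != orig["eth_src"]:
        problems.append("Ethernet destination not the original sender's MAC (copied unchanged?)")
    if (rst["ip_dst"], rst["ip_src"]) != (orig["ip_src"], orig["ip_dst"]):
        problems.append("IP addresses not swapped")
    if (rst["dport"], rst["sport"]) != (orig["sport"], orig["dport"]):
        problems.append("TCP ports not swapped")
    return problems


def audit_pcap(orig_frame, pcap_bytes):
    """Check every TCP frame in the dump against the offending packet it answers."""
    orig = parse_frame(orig_frame)
    results = []
    for i, frame in enumerate(read_pcap(pcap_bytes)):
        parsed = parse_frame(frame)
        if parsed is not None:
            results.append((i, check_reset(orig, parsed)))
    return results


# Constructed sample: the offending packet (client -> server via the router) and two resets.
ROUTER_MAC, SERVER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
CLIENT_IP, SERVER_IP = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
ORIGINAL = build_frame(SERVER_MAC, ROUTER_MAC, CLIENT_IP, SERVER_IP, 64, 40000, 80, 0x18)
GOOD_RESET = build_frame(ROUTER_MAC, SERVER_MAC, SERVER_IP, CLIENT_IP, 64, 80, 40000, 0x14)
BAD_RESET = build_frame(SERVER_MAC, ROUTER_MAC, SERVER_IP, CLIENT_IP, 0, 80, 40000, 0x14)
SAMPLE_PCAP = build_pcap([GOOD_RESET, BAD_RESET])

if __name__ == "__main__":
    for idx, problems in audit_pcap(ORIGINAL, SAMPLE_PCAP):
        print("frame %d: %s" % (idx, ", ".join(problems) or "ok"))
```

To use it against a real dump, read inline-out.pcap into `pcap_bytes` and pass the offending frame (for example the matching packet from the input pcap) as `orig_frame`; the second constructed reset reproduces both of Jim's defects and is reported with two problems, while the first passes cleanly.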
Current thread:
- Re: Active response not working in 2.9.0.4 ? Risto Vaarandi (Sep 19)
- Re: Active response not working in 2.9.0.4 ? Russ Combs (Sep 19)
- Re: Active response not working in 2.9.0.4 ? Risto Vaarandi (Sep 20)
- Re: Active response not working in 2.9.0.4 ? Risto Vaarandi (Sep 22)
- Re: Active response not working in 2.9.0.4 ? Russ Combs (Sep 22)
- Re: Active response not working in 2.9.0.4 ? Risto Vaarandi (Sep 20)
- Re: Active response not working in 2.9.0.4 ? Russ Combs (Sep 19)