Snort mailing list archives
Re: Active response on two interfaces
From: Jon Larson <jlarson () catbird com>
Date: Wed, 09 May 2012 10:18:44 -0700
Snort is version 2.9.0.5, DAQ is 0.5 I think. The storm occurs when I have a rule configured like this:

alert tcp [192.168.10.10] any -> [192.168.20.11] any (resp:reset_both; flow:to_server,established; )
Anyway, snort isn't really *supposed* to be used like a firewall in this manner so we've moved on.
On 5/8/2012 9:57 PM, Russ Combs wrote:
What version of Snort and DAQ are you using? Snort has a check to prevent RST to RST.

On Tue, May 1, 2012 at 7:46 PM, Jon Larson <jlarson () catbird com> wrote:

I/we need to get snort to operate on two interfaces. For simplicity, let's just say I want to have snort monitor traffic on eth0, but then send its resets out on eth1. What's the configuration magic to allow this? I've tried something like this in the snort.conf:

config response: device eth1 attempts 2

This, however, seems to get snort into this mode (when it detects some TCP connection it's configured to reset) where it "sniffs" back in the RST packet (on the other interface), then sends another RST packet. Kinda like "eating its own tail". The snort process consumes the CPU and floods the network in this mode.

Also is there documentation someone could point me to regarding configuring snort for multiple interfaces?

Any and all information would be greatly appreciated!

Jonny L.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
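The "eating its own tail" loop described in this thread, as an added example that is not Snort code or anything from the thread's authors: a simplified, hypothetical model of the rule matcher and resp:reset_both responder, run with the response interface also being sniffed, with and without a guard that refuses to respond to RST packets (the "RST to RST" check Russ Combs mentions; the check itself is Snort's, this is only a model of its effect).

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical model of the feedback loop from the thread. Not Snort code.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "PA" = PSH/ACK data segment, "R" = RST

# Header of the rule quoted in the thread:
#   alert tcp [192.168.10.10] any -> [192.168.20.11] any (resp:reset_both; ...)
RULE_SRC, RULE_DST = "192.168.10.10", "192.168.20.11"

def rule_matches(pkt: Packet, ignore_rst: bool) -> bool:
    """Header match for the rule above. With ignore_rst=True a RST never
    triggers a response, modelling a 'do not respond to RST' guard."""
    if ignore_rst and "R" in pkt.flags:
        return False
    return pkt.src == RULE_SRC and pkt.dst == RULE_DST

def reset_both(pkt: Packet) -> list[Packet]:
    """resp:reset_both forges one RST toward each endpoint of the matched flow."""
    return [Packet(pkt.src, pkt.dst, "R"),   # RST to the server, spoofed from the client
            Packet(pkt.dst, pkt.src, "R")]   # RST to the client, spoofed from the server

def simulate(sniffed_back: bool, ignore_rst: bool, max_rsts: int = 1000) -> int:
    """Feed one constructed client->server segment through the matcher.
    If the interface the RSTs go out of is also sniffed, every forged RST
    re-enters the queue. Returns the number of RSTs sent before the queue
    drains, capped at max_rsts so a runaway loop terminates here."""
    queue = [Packet(RULE_SRC, RULE_DST, "PA")]  # constructed sample traffic
    sent = 0
    while queue and sent < max_rsts:
        pkt = queue.pop(0)
        if rule_matches(pkt, ignore_rst):
            rsts = reset_both(pkt)
            sent += len(rsts)
            if sniffed_back:
                queue.extend(rsts)  # the sensor sees its own RSTs again
    return sent

if __name__ == "__main__":
    print("eth1 not sniffed:           ", simulate(False, False))  # 2
    print("eth1 sniffed, no RST guard: ", simulate(True, False))   # hits the cap
    print("eth1 sniffed, RST guard:    ", simulate(True, True))    # 2
```

The client->server RST forged by reset_both has exactly the source and destination the rule header names, so without the guard each sniffed-back RST re-triggers the rule and the count only stops at the cap; with the guard the two original RSTs are the end of it.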