Snort mailing list archives
snort does not send active response in passive mode
From: Anton <warm () stack ru>
Date: Thu, 19 Sep 2013 15:07:47 +0700
Good day. I'm trying to set up snort with active response in passive mode. Here is my setup:

    [switch port with mirrored 802.1q traffic]===[eth0 used for monitoring only]-[PC with snort]-[eth4 used for management and has network access]===[network]

So, I have compiled snort-2.9.5.5 with

    ./configure \
      --prefix=/usr \
      --sysconfdir=/etc \
      --mandir=/usr/man \
      --localstatedir=/var \
      --enable-pthread \
      --enable-linux-smp-stats \
      --enable-zlib \
      --enable-active-response --enable-react --enable-flexresp3

I've read instructions from README.active:

    preprocessor stream5_global: \
      track_tcp yes, \
      track_udp no, \
      track_icmp no, \
      max_tcp 262144, \
      max_udp 131072, \
      max_active_responses 4, \
      min_response_seconds 2
    ...
    # this was not required but I select only 80 port for better performance.
    preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
      overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
      ports server \
      80 \
      , \
      ports both 80 3128 \
      8080
    ...
    config response: device eth4 dst_mac 00:1a:30:62:7c:40 attempts 2
    # this is MAC of the default gateway

I have a test rule:

    drop tcp any any -> any 80 (msg:"TEST0";\
      content:"TEST0";\
      resp:reset_source;\
      sid:1;)

I start snort like this:

    snort -q \
      --daq-var buffer_size_mb=128MB \
      --treat-drop-as-alert \
      -n 10000000 \
      -i eth0 \
      -l /var/log/snort \
      -K none \
      -c /etc/snort/snort.conf \
      -A console \
      -F 'bpf-file'

bpf-file contains a filter for the test machine only. It looks like "vlan and host X.X.X.65"; vlan because it selects 802.1q frames.

I start snort, then I do "telnet somehost 80" and print TEST0. Somehost prints an HTML page:

    <html>
    <head><title>400 Bad Request</title></head>
    <body bgcolor="white">
    <center><h1>400 Bad Request</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>

and closes the connection. Snort does not send anything, but it writes alert messages to the console - snort can see the traffic described in the rule.
I tried to start "tcpdump -ni eth4 'host X.X.X.65'" on the snort machine - it does not send anything to X.X.X.65 at all. Active response can be workable or can be unworkable, but snort should send some reset packets to X.X.X.65, and it does not.

How can I find out the reason why snort does not send RST (or other) packets? If snort in passive mode should not send any active response - why? The documentation says that it should send RST in passive mode:

    "Configure the number of attempts to land a TCP RST within the session's current window (so that it is accepted by the receiving TCP). This sequence "strafing" is really only useful in passive mode." - from documentation (http://manual.snort.org/node26.html).
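The question above comes down to two checks: do any resets leave the response interface at all, and if they do, would the receiving TCP accept them? The following Python script is an added diagnostic for that, not code from the original post or from the Snort project. It reads a classic libpcap capture (as saved with `tcpdump -w` on eth4), decodes 802.1Q-tagged frames (the "vlan" case from the BPF filter above), and for every TCP RST compares its sequence number with the last ACK number and window the receiving host itself advertised on that flow, which is the "land a TCP RST within the session's current window" condition the quoted manual paragraph refers to. The addresses, ports, MACs and the embedded sample capture are constructed placeholders.

```python
"""Offline check on a tcpdump capture taken on Snort's response interface: list every
TCP RST seen and say whether its sequence number lands inside the receiver's window,
i.e. whether the receiving TCP stack would accept it. Standard library only; reads a
classic libpcap file (tcpdump -w) with Ethernet link type and optional 802.1Q tags.
Added example, not code from the original post or from the Snort project."""
import struct

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800
ACK, RST = 0x10, 0x04


def pcap_frames(data):
    """Yield raw link-layer frames from classic pcap bytes (either byte order)."""
    endian = {b'\xa1\xb2\xc3\xd4': '>', b'\xd4\xc3\xb2\xa1': '<'}.get(data[:4])
    if endian is None or struct.unpack(endian + 'I', data[20:24])[0] != 1:
        raise ValueError('expected a classic pcap file with Ethernet link type')
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + 'IIII', data[off:off + 16])[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen


def parse_tcp(frame):
    """Return a dict for an IPv4/TCP frame (802.1Q-tagged or untagged), else None."""
    ethertype, off, vlan = struct.unpack('!H', frame[12:14])[0], 14, None
    if ethertype == ETH_P_8021Q:          # tagged frame: TCI, then the real ethertype
        tci, ethertype = struct.unpack('!HH', frame[14:18])
        vlan, off = tci & 0x0fff, 18
    if ethertype != ETH_P_IP or frame[off + 9] != 6:
        return None
    ihl = (frame[off] & 0x0f) * 4
    src = '.'.join(map(str, frame[off + 12:off + 16]))
    dst = '.'.join(map(str, frame[off + 16:off + 20]))
    t = off + ihl
    sport, dport, seq, ack, dof, win = struct.unpack('!HHIIHH', frame[t:t + 16])
    return dict(vlan=vlan, src=src, dst=dst, sport=sport, dport=dport,
                seq=seq, ack=ack, flags=dof & 0x1ff, win=win)


def find_resets(frames):
    """Report each RST and whether seq lies in [rcv_nxt, rcv_nxt + window) of its
    receiver, taken from the last ACK number and window that receiver itself sent."""
    sent = {}        # (src, sport, dst, dport) -> (last ack number sent, window advertised)
    findings = []
    for frame in frames:
        p = parse_tcp(frame)
        if p is None:
            continue
        if p['flags'] & RST:
            peer = sent.get((p['dst'], p['dport'], p['src'], p['sport']))
            in_window = None if peer is None else (p['seq'] - peer[0]) % 2**32 < peer[1]
            findings.append(dict(to=p['dst'], seq=p['seq'], vlan=p['vlan'],
                                 in_window=in_window))
        elif p['flags'] & ACK:
            sent[(p['src'], p['sport'], p['dst'], p['dport'])] = (p['ack'], p['win'])
    return findings


# --- constructed sample capture (placeholder addresses, not taken from the post) ---
def ip4(addr):
    return bytes(int(x) for x in addr.split('.'))


def build_frame(src, dst, sport, dport, seq, ack, flags, win, vlan=None, payload=b''):
    """Minimal Ethernet/[802.1Q]/IPv4/TCP frame; checksums left zero (offline parse only)."""
    tcp = struct.pack('!HHIIHHHH', sport, dport, seq, ack, (5 << 12) | flags, win, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip4(src), ip4(dst))
    tag = struct.pack('!HH', ETH_P_8021Q, vlan) if vlan is not None else b''
    return b'\x02' * 6 + b'\x04' * 6 + tag + struct.pack('!H', ETH_P_IP) + ip + tcp


def build_pcap(frames):
    head = struct.pack('>IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return head + b''.join(struct.pack('>IIII', 0, i, len(f), len(f)) + f
                           for i, f in enumerate(frames))


C, S = '192.0.2.65', '198.51.100.10'     # placeholder client and web server
SAMPLE = build_pcap([
    build_frame(C, S, 40000, 80, 1000, 0, 0x02, 65535, vlan=100),                 # SYN
    build_frame(S, C, 80, 40000, 5000, 1001, 0x12, 29200, vlan=100),              # SYN/ACK
    build_frame(C, S, 40000, 80, 1001, 5001, ACK, 65535, vlan=100),               # ACK
    build_frame(C, S, 40000, 80, 1001, 5001, 0x18, 65535, vlan=100, payload=b'TEST0\r\n'),
    build_frame(S, C, 80, 40000, 5001, 0, RST, 0, vlan=100),           # RST to client, in window
    build_frame(S, C, 80, 40000, 5001 + 70000, 0, RST, 0, vlan=100),   # RST to client, outside window
    build_frame(C, S, 40000, 80, 1001, 0, RST, 0, vlan=100),           # RST to server, in window
])

if __name__ == '__main__':
    for f in find_resets(pcap_frames(SAMPLE)):
        print(f"RST -> {f['to']} seq={f['seq']} vlan={f['vlan']} in_window={f['in_window']}")
```

Run it as-is to see the verdict on the embedded sample; on a real capture replace `SAMPLE` with `open('eth4.pcap', 'rb').read()`. An empty report means no RST ever reached the response interface, which is the first thing to establish before looking at sequence numbers. A verdict of `None` means the receiver's own side of the flow was never seen (the mirror port dropped it, or the BPF filter excluded it), so its window is unknown. The check uses the raw advertised window and ignores the window-scale option, so on scaled connections it is conservative.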
Current thread:
- snort does not send active response in passive mode Anton (Sep 19)
- Re: snort does not send active response in passive mode Russ Combs (Sep 19)
- Re: snort does not send active response in passive mode Anton (Sep 19)
- Re: snort does not send active response in passive mode Anton (Sep 19)
- Re: snort does not send active response in passive mode Anton (Sep 19)
- Re: snort does not send active response in passive mode Russ Combs (Sep 19)