Snort mailing list archives
Re: active response in passive mode
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 5 Aug 2013 10:36:40 -0400
On Fri, Aug 2, 2013 at 12:35 AM, Seyed Amin Salehi < salehi.seyedamin () gmail com> wrote:
hi. I installed Snort 2.9.5 on BackTrack. I configured snort.conf like this:

    preprocessor stream5_global: track_tcp yes, \
        track_udp yes, \
        track_icmp no, \
        max_tcp 262144, \
        max_udp 131072, \
        max_active_responses 25, \
        min_response_seconds 25
    config response: device ip attempts 20

I wrote a rule in local.rules like this:

    alert tcp 10.10.9.40 any -> x.x.x.x 80 (msg:"target site visited";resp:rst_snd;sid:1000000;)

I start Snort like this:

    snort -q -c /etc/snort/snort.conf -A console

My browser was closed before starting Snort and I cleared the browser cache. After starting Snort, when I open the browser and visit the target site, active response doesn't work. The output of Snort is like this:

    07/30-08:36:44.368316 [**] [1:1000000:0] target site visited [**] [Priority: 0] {TCP} 10.10.9.40:51444 -> x.x.x.x:80

but active response doesn't work and I can see the target site. Why?
Active response in passive mode is a hit or miss operation. Because the response is not injected directly in the stream at the appropriate point, it uses a technique called "strafing" to try to land a TCP reset in the receiving window. You can try capturing a pcap that shows the 25 responses going out to see how far off they are. It is possible that the code needs tweaking, but it is also possible that it is working correctly and you are just unlucky. An inline solution would avoid this issue.
------------------------------------------------------------------------------
Get your SQL database under version control now! Version control is standard for application code, but databases haven't caught up. So what steps can you take to put your SQL databases under version control? Why should you start doing it? Read more to find out. http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
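One way to do the check Russ suggests offline, as an added example that is not from the original thread or from Snort itself: given the client packet that fired the rule and the resets Snort sent back to it (rst_snd), compute how far each reset's sequence number is from the client's expected RCV.NXT and how many would be honoured. The packets are constructed sample data, the strafe step is an assumption rather than Snort's real offsets, and the `strict` mode models RFC 5961 hosts that only honour an exact RCV.NXT match.

```python
"""Score strafed TCP resets against the receiver's window (constructed data)."""
from dataclasses import dataclass

MOD = 1 << 32


@dataclass(frozen=True)
class TcpPkt:
    src: str
    dst: str
    flags: str   # e.g. "PA" or "R"
    seq: int
    ack: int
    window: int  # receive window the sender advertises


# Constructed: the client request that fired "target site visited".
TRIGGER = TcpPkt("10.10.9.40", "x.x.x.x", "PA", 1_000_000, 5_000_000, 29_200)

# Constructed: resets sent to the client (rst_snd), spoofed from the server,
# stepping seq forward from the client's ack. The 8192 step is an assumption.
STRAFED_RSTS = [TcpPkt("x.x.x.x", "10.10.9.40", "R", 5_000_000 + k * 8_192, 0, 0)
                for k in range(5)]


def seq_offset(seq, rcv_nxt):
    """Signed distance from RCV.NXT to seq modulo 2^32 (negative = behind)."""
    d = (seq - rcv_nxt) % MOD
    return d - MOD if d >= MOD // 2 else d


def rst_accepted(rst, rcv_nxt, rcv_wnd, strict=False):
    """RFC 793 accepts any in-window RST; an RFC 5961 host requires seq == RCV.NXT
    and answers other in-window RSTs with a challenge ACK instead of closing."""
    off = seq_offset(rst.seq, rcv_nxt)
    return off == 0 if strict else 0 <= off < rcv_wnd


def score_strafe(trigger, rsts, strict=False):
    """Count RSTs the trigger's sender would accept and list their offsets.
    For rst_snd the receiver is the client: its RCV.NXT is the ack it just
    sent and its receive window is the one it advertised."""
    hits = [r for r in rsts if r.dst == trigger.src and "R" in r.flags]
    offsets = [seq_offset(r.seq, trigger.ack) for r in hits]
    accepted = sum(rst_accepted(r, trigger.ack, trigger.window, strict) for r in hits)
    return accepted, offsets


if __name__ == "__main__":
    for strict in (False, True):
        n, offs = score_strafe(TRIGGER, STRAFED_RSTS, strict)
        print(f"strict={strict}: {n}/{len(offs)} resets accepted, offsets={offs}")
```

Feeding real offsets read from the pcap into `STRAFED_RSTS` shows whether the misses come from the strafe landing outside the window or from the host insisting on an exact match.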
Current thread:
- active response in passive mode Seyed Amin Salehi (Aug 01)
- Re: active response in passive mode Russ Combs (Aug 05)
- <Possible follow-ups>
- active response in passive mode Seyed Amin Salehi (Aug 05)