Snort mailing list archives

Re: active response in passive mode


From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 5 Aug 2013 10:36:40 -0400

On Fri, Aug 2, 2013 at 12:35 AM, Seyed Amin Salehi <salehi.seyedamin () gmail com> wrote:

Hi. I installed Snort 2.9.5 on BackTrack. I configured snort.conf like this:
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 25, \
   min_response_seconds 25

config response: device ip attempts 20

I wrote a rule in local.rules like this:
alert tcp 10.10.9.40 any -> x.x.x.x 80 (msg:"target site
visited";resp:rst_snd;sid:1000000;)
I started Snort like this:
snort -q -c /etc/snort/snort.conf -A console
My browser was closed before starting Snort, and I cleared the browser
cache. After starting Snort, when I open the browser and try to visit the
target site, active response doesn't work. The output of Snort is like this:
07/30-08:36:44.368316  [**] [1:1000000:0] target site visited [**]
[Priority: 0] {TCP} 10.10.9.40:51444 -> x.x.x.x:80
But active response doesn't work and I can still see the target site. Why?


Active response in passive mode is a hit-or-miss operation.  Because the
response is not injected directly into the stream at the appropriate point,
it uses a technique called "strafing" to try to land a TCP reset in the
receiving window.  You can try capturing a pcap that shows the 25 responses
going out to see how far off they are.  It is possible that the code needs
tweaking, but it is also possible that it is working correctly and you are
just unlucky.  An inline solution would avoid this issue.



------------------------------------------------------------------------------
Get your SQL database under version control now!
Version control is standard for application code, but databases havent
caught up. So what steps can you take to put your SQL databases under
version control? Why should you start doing it? Read more to find out.
http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
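The following is an added illustration of why a passive-mode reset is hit-or-miss, written for this archive page; it is not code from the thread or from Snort itself. It models the receiver's RFC 793 window check, builds the raw RST segments a sensor would inject (spoofed from the server toward the client 10.10.9.40:51444 named in the alert), and spreads their sequence numbers across the client's advertised window. The even-spacing scheme, the server placeholder address 203.0.113.80, and all sequence, ACK and window values are constructed for the example; the exact offsets Snort uses when strafing are not described on this page.

```python
"""Passive-mode TCP reset strafing, as an added example (not Snort code).

A sniffing sensor builds its RST from the last packet it saw.  By the time
the RST reaches the client, the server may already have sent more data, so
the client's RCV.NXT has moved and a RST carrying the stale sequence number
is silently dropped.  Strafing sends several RSTs whose sequence numbers are
spread across the advertised window so that one of them is likely to land
inside it.  Even spacing across one window is an assumed scheme for this
illustration; all packet fields below are constructed sample data.
"""
import socket
import struct

MOD32 = 1 << 32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability for a segment with no payload (a bare RST):
    accepted only if RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, with 32-bit wrap."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


def strafe_seqs(base_seq, window, attempts):
    """Sequence numbers for a burst of RSTs, spread evenly from base_seq
    across one advertised window (assumed scheme, see module docstring)."""
    step = max(1, window // attempts)
    return [(base_seq + i * step) % MOD32 for i in range(attempts)]


def first_accepted(seqs, rcv_nxt, rcv_wnd):
    """Index of the first RST the receiver would honour, or None if all miss."""
    for i, s in enumerate(seqs):
        if seq_in_window(s, rcv_nxt, rcv_wnd):
            return i
    return None


def _checksum(data):
    """Internet (ones' complement) checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq, ack):
    """Raw IPv4 + TCP segment with RST|ACK set and valid checksums,
    i.e. what a sensor injects when spoofing the server toward the client."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    flags = 0x14  # RST | ACK
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def tcp_checksum_ok(pkt):
    """Re-verify the TCP checksum of a packet produced by build_rst."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return _checksum(pseudo + tcp) == 0


def strafe_burst(observed_ack, observed_wnd, attempts, client=("10.10.9.40", 51444),
                 server=("203.0.113.80", 80)):
    """RSTs spoofed from server to client for one sniffed client->server packet.
    SEQ starts at the client's ACK (the server's next sequence number as the
    client last reported it); server is a constructed placeholder address."""
    return [build_rst(server[0], client[0], server[1], client[1], s, 0)
            for s in strafe_seqs(observed_ack, observed_wnd, attempts)]


def demo(server_bytes_since=40000):
    """Constructed scenario: the sniffed client packet carried ACK=1000,
    WIN=65535.  Before the RSTs arrive the server sends server_bytes_since
    more bytes and the client application drains them, so RCV.NXT advances
    while the window stays open (assumption for illustration).
    Returns (single-RST result, strafed result) as indices or None."""
    observed_ack, observed_wnd = 1000, 65535
    rcv_nxt = (observed_ack + server_bytes_since) % MOD32
    single = first_accepted([observed_ack], rcv_nxt, observed_wnd)
    strafed = first_accepted(strafe_seqs(observed_ack, observed_wnd, 25),
                             rcv_nxt, observed_wnd)
    return single, strafed


if __name__ == "__main__":
    print("drift 40000 bytes: single RST ->", demo()[0], "| strafed hit at index", demo()[1])
    print("drift 100000 bytes (more than a window):", demo(100000))
```

With a 40000-byte drift the single RST at the stale sequence number is dropped while the strafed burst lands on its 17th packet; with a drift larger than one window every RST misses, which is the "just unlucky" case described above and the reason an inline deployment, which can drop the packet instead of racing it, avoids the problem.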
