Snort mailing list archives
Re: Snort REACT Response
From: "Hui Cao (huica)" <huica () cisco com>
Date: Wed, 3 Dec 2014 15:10:08 +0000
Hi Peter,

Most likely, this is caused by the configuration of NFQ, not Snort. How did you configure it?

Best,
Hui.

From: Peter Fraser <pjfraser82 () gmail com>
Date: Tuesday, December 2, 2014 at 11:45 PM
To: Hui Cao <huica () cisco com>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Snort REACT Response

Hui and Ed,

Oops, forgot attachments.

On Wed, Dec 3, 2014 at 3:43 PM, Peter Fraser <pjfraser82 () gmail com> wrote:

Hui and Ed,

Ok, thanks again for the response. Here is what I can tell you so far. Based on an email I have received from Hui, I performed the following:

Created a small snort.conf (attached snort.conf), relying on the default response HTML template.
Created a sample pcap file (attached httpd.pcap).
Ran a dump using snort and captured inline-out.pcap (attached).

Command run:

snort -c snort.conf -r httpd.pcap -A cmg -K none --daq dump --daq-var load-mode=read-file -Q

I can confirm that when running it in this configuration it works and the response packet is indeed in inline-out.pcap. This is good news in the sense that it would seem that snort is compiled correctly and returning active responses.

I will respond with another email with my next set of tests.

Thanks again.

Pete

On Wed, Dec 3, 2014 at 11:38 AM, Peter Fraser <pjfraser82 () gmail com> wrote:

Hi,

Attached is my snort.conf. Thanks for the response. I'll provide the complete packet captures etc. when I get a chance to set this up this afternoon.

Cheers.

On Wed, Dec 3, 2014 at 1:47 AM, Hui cao <huica () cisco com> wrote:

Hi Peter,

Can you run your configuration with the Dump DAQ and -r <pcap> on the command line? (--daq dump --daq-var load-mode=read-file -Q). You should see the response page in inline-out.pcap if the snort configuration is correct. Can you provide a pcap when this fails?

Best,
Hui.

On 12/01/2014 11:22 PM, Peter Fraser wrote:

Hi,

Does anyone know if there are any issues with the current stable release and the REACT response? I cannot get it to respond with the HTML template. Below is an email I have sent to the snort user group but have not had a lot of traction.

Thanks

--------------------------------

Hi,

I have set up snort running as an IPS using NFQUEUE. I can detect rules and run block and deny on them; however, I cannot seem to get react to respond with an HTML page.

Here is my configure command:

./configure --enable-sourcefire --enable-open-appid --enable-react --enable-flexrsp3

I am running Snort 2.9.7.0.

My rule example is:

drop tcp any any -> any $HTTP_PORTS (msg:"http://www.news.com.au"; content:"news.com.au"; react: msg; sid:283; rev:1;)

I have followed the docs and I am happy to accept all defaults at this stage with regard to the response, but the connection still just times out regardless.

Any help is greatly appreciated.

Cheers

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more. Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
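The test Hui suggests above boils down to one check: after running snort with the dump DAQ, does inline-out.pcap contain an HTTP response that was not in the input capture? The script below is an added example, written for this page and not taken from the thread or from the Snort project, that scans a classic libpcap file for TCP segments whose payload starts with an HTTP status line and reports whether they carry an HTML body. It handles only Ethernet/IPv4/TCP frames (no pcapng, no VLAN tags). The capture it builds when run without arguments is constructed here: the 403 status and the page body are stand-ins for whatever react actually injects, not a claim about Snort's real template.

```python
"""Scan a libpcap file (e.g. inline-out.pcap from snort's dump DAQ) for HTTP responses.

Added example, not part of the mailing-list thread. Assumes Ethernet/IPv4/TCP
frames in classic libpcap format. The sample traffic in build_sample_pcap() is
constructed for this example and only stands in for a real react response.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_addr(raw):
    return ".".join(str(b) for b in raw)


def tcp_payloads(pcap_bytes):
    """Yield (src, sport, dst, dport, payload) for every TCP segment carrying data."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC:
        end = "<"                     # little-endian pcap
    elif magic == 0xD4C3B2A1:
        end = ">"                     # big-endian pcap
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(end + "I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24                          # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != IPPROTO_TCP:
            continue
        ip = frame[14:14 + total_len]
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            yield ipv4_addr(ip[12:16]), sport, ipv4_addr(ip[16:20]), dport, payload


def find_http_responses(pcap_bytes):
    """Return one record per TCP segment whose payload begins with an HTTP status line."""
    found = []
    for src, sport, dst, dport, payload in tcp_payloads(pcap_bytes):
        if payload.startswith(b"HTTP/1."):
            status = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            found.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                          "status": status, "html": b"text/html" in payload.lower()})
    return found


def _frame(src, sport, dst, dport, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums are left zero (the scanner ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_sample_pcap():
    """Constructed capture: a request for the flagged host plus a stand-in HTML response."""
    req = b"GET / HTTP/1.1\r\nHost: news.com.au\r\n\r\n"
    resp = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>blocked (constructed stand-in page)</body></html>")
    frames = [_frame("10.0.0.5", 40000, "203.0.113.10", 80, req),
              _frame("203.0.113.10", 80, "10.0.0.5", 40000, resp)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    hits = find_http_responses(data)
    for h in hits:
        print(f"{h['src']} -> {h['dst']}  {h['status']}  html={h['html']}")
    if not hits:
        print("no HTTP response in capture: react did not inject a page here")
```

Run it as `python3 check_react.py inline-out.pcap` after the dump-DAQ command from the thread. If the input httpd.pcap contains no server response and inline-out.pcap shows one, snort built and loaded react correctly, which narrows the problem to the NFQUEUE path, exactly the split Hui draws above. A response that appears in the input as well proves nothing, so compare both files.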
Current thread:
- Snort REACT Response Peter Fraser (Dec 01)
- Re: Snort REACT Response Hui cao (Dec 02)
- Re: Snort REACT Response Peter Fraser (Dec 02)
- Re: Snort REACT Response Peter Fraser (Dec 02)
- Re: Snort REACT Response Peter Fraser (Dec 02)
- Re: Snort REACT Response Hui Cao (huica) (Dec 03)
- Re: Snort REACT Response Peter Fraser (Dec 02)
- Re: Snort REACT Response Hui cao (Dec 02)