Re: Snort-3.0: WARNING: active responses disabled since DAQ can't inject packets.

[Russ <rucombs () cisco com>]

On 3/26/15 1:04 PM, Yuhui Lin wrote:
> > hi,
> >
> > I was testing snort 3.0-alpha. While I execute the following command, 
> > I got a warning everytime.
> >
> > command:
> >
> > $SNORT3_PATH/bin/snort -c $SNORT3_PATH/etc/snort.lua -R 
> > $SNORT3_PATH/myRule.rules -l $SNORT3_PATH/logTest -r 
> > $SNORT3_PATH/myPcap.pcap -A alert_fast -n 100
> >
> >
> > warning:
> > WARNING: active responses disabled since DAQ can't inject packets.
> >
> > I don’t understand why my DAQ can’t inject packets...
There are 2 things going on ... first, the pcap DAQ is for readback 
only.  It does not support packet injection.  Second, active response 
modules were partly enabling if loaded instead of upon configuration.  A 
fix for that was push to github earlier today.
> > $SNORT3_PATH/bin/snort -c $SNORT3_PATH/etc/snort.lua -R 
> > $SNORT3_PATH/myRule.rules -l $SNORT3_PATH/logTest -r 
> > $SNORT3_PATH/myPcap.pcap -A alert_fast -n 100
> > --------------------------------------------------
> > o")~ Snort++ 3.0.0-a1-140
> > --------------------------------------------------
> > Loading /root/yuhui/snort3/etc/snort.lua:
> > back_orifice
> > classifications
> > ftp_data
> > stream_tcp
> > ftp_server
> > http_inspect
> > telnet
> > port_scan
> > rpc_decode
> > arp_spoof
> > perf_monitor
> > stream_icmp
> > stream_ip
> > stream
> > ftp_client
> > references
> > stream_udp
> > wizard
> > Finished /root/yuhui/snort3/etc/snort.lua.
> > Loading rules:
> > Loading /root/yuhui/snort3/myRule.rules:
> > Finished /root/yuhui/snort3/myRule.rules.
> > Finished rules.
> > --------------------------------------------------
> > rule counts
> >        total rules loaded: 10
> >   text rules: 10
> > option chains: 10
> > chain headers: 4
> > --------------------------------------------------
> > rule port counts
> > tcp     udp    icmp      ip
> >      any   7       6       5       4
> >       nc   0       0       0       1
> > --------------------------------------------------
> > pcap DAQ configured to read-file.
> > Commencing packet processing
> > ++ [0] /root/yuhui/snort3/myPcap.pcap
> >
> > WARNING: active responses disabled since DAQ can't inject packets.
> >
> > Thank you,
> > Yuhui
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!