Snort mailing list archives

Active response not working in 2.9.0.4 ?


From: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Date: Fri, 18 Mar 2011 16:15:27 -0500



Hi

Anyone w/ any suggestions here?

Thanks,
TP

__________________

Hi
I just compiled and installed 2.9.0.4 on RHEL5 and 6 boxes (of course I
have daq, libpcap1, libnet and libdnet on the systems) and I've noticed
that rules configured w/ resp:reset_both,icmp_all don't seem to be
resetting connections as they're supposed to.

Snort was compiled w/: --enable-ipv6 --enable-gre --enable-mpls
--enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm
--enable-perfprofiling --enable-zlib --enable-active-response
--enable-normalizer --enable-reload --enable-react --enable-flexresp3.

Also in the config file, snort.conf, I have:
....
config response: device <interface> attempts 5
.....
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes,
track_icmp no, max_active_responses 5, min_response_seconds 1

Even the log file upon starting up snort says:
......
Send up to 5 active responses
Wait at least 1 seconds between responses
..........

I even put a sniffer on the interface and I didn't see any ICMP sent to the
source of the packets that triggered the rule w/ resp.

Can anyone help w/ this?

Thanks in advance
Tudor
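The three places that have to agree before a `resp` rule can send anything are the ones quoted in the post: the global `config response:` line (device and attempts), the `stream5_global` budget (`max_active_responses`, `min_response_seconds`) and the `resp:` mechanisms on each rule. The linter below is an added example, not code from the post or from the Snort project; it parses constructed snort.conf and rule excerpts modelled on the ones above and reports the mismatches that silently produce "no RST, no ICMP on the wire": a missing response device, a zero response budget, a TCP reset requested on a non-TCP rule, or a misspelled mechanism name. The mechanism lists are those documented for Snort 2.9's `resp` option; the sample config, rules and SIDs are constructed for this example.

```python
"""Lint the active-response settings of a Snort 2.9 configuration.

Added example (not from the original post or the Snort project). It checks
that `config response:`, `stream5_global` and every rule's `resp:` option
agree, which is what a resp rule needs before a single RST or ICMP
unreachable can be emitted.
"""
import re

# resp mechanisms documented for Snort 2.9. Resets only make sense on TCP;
# the ICMP unreachables can be sent for any protocol.
TCP_ONLY = {"reset_source", "rst_snd", "reset_dest", "rst_rcv", "reset_both", "rst_all"}
ICMP_ANY = {"icmp_net", "icmp_host", "icmp_port", "icmp_all"}
VALID_MECHS = TCP_ONLY | ICMP_ANY

# Constructed snort.conf excerpt (interface name and values are made up).
SAMPLE_CONF = """\
# constructed excerpt, not a real deployment
config response: device eth1 attempts 5
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, \\
    track_icmp no, max_active_responses 5, min_response_seconds 1
"""

# Constructed rules: one correct, one asking for a TCP reset on UDP,
# one with a misspelled mechanism. SIDs are placeholders.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 23 (msg:"constructed telnet test"; flow:to_server,established; resp:reset_both,icmp_all; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 69 (msg:"constructed tftp test"; resp:reset_both; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 161 (msg:"constructed snmp test"; resp:icmp_prot; sid:1000003; rev:1;)
"""

RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+(\S+)\s+.*?\((.*)\)\s*$")


def parse_conf(text):
    """Pull the response-related settings out of snort.conf text."""
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash line continuations
    conf = {"device": None, "attempts": None,
            "max_active_responses": None, "min_response_seconds": None}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"config\s+response:\s*(.*)", line)
        if m:
            toks = m.group(1).split()
            for i, tok in enumerate(toks[:-1]):
                if tok == "device":
                    conf["device"] = toks[i + 1]
                elif tok == "attempts":
                    conf["attempts"] = int(toks[i + 1])
        m = re.match(r"preprocessor\s+stream5_global:\s*(.*)", line)
        if m:
            for opt in m.group(1).split(","):
                parts = opt.split()
                if len(parts) == 2 and parts[0] in ("max_active_responses", "min_response_seconds"):
                    conf[parts[0]] = int(parts[1])
    return conf


def parse_rules(text):
    """Return (action, protocol, options) for each rule; options map name -> value."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        action, proto, body = m.groups()
        opts = {}
        for opt in body.split(";"):
            opt = opt.strip()
            if not opt:
                continue
            name, _, value = opt.partition(":")
            opts[name.strip()] = value.strip() if value else None
        rules.append((action, proto.lower(), opts))
    return rules


def lint(conf_text, rules_text):
    """Return a list of human-readable findings; empty means the pieces agree."""
    conf = parse_conf(conf_text)
    findings = []
    if conf["device"] is None:
        findings.append("config response: no device set, responses have no interface to leave on")
    if not conf["max_active_responses"]:
        findings.append("stream5_global: max_active_responses missing or 0, active response is off")
    for _action, proto, opts in parse_rules(rules_text):
        if "resp" not in opts:
            continue
        sid = opts.get("sid", "?")
        mechs = [mech.strip() for mech in opts["resp"].split(",")]
        unknown = [mech for mech in mechs if mech not in VALID_MECHS]
        if unknown:
            findings.append(f"sid {sid}: unknown resp mechanism(s) {unknown}")
        if proto != "tcp" and any(mech in TCP_ONLY for mech in mechs):
            findings.append(f"sid {sid}: TCP reset requested on a {proto} rule, resets are TCP-only")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, SAMPLE_RULES):
        print(finding)
```

Run against a real snort.conf and rules file, an empty result means the configuration side is consistent and the investigation moves to the build (`--enable-active-response`, `--enable-flexresp3`) and to whether the chosen device can actually transmit, which is what a sniffer on that interface confirms or rules out.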