Snort mailing list archives

Re: Active response not working in 2.9.0.4 ?


From: Jim Hranicky <jfh () ufl edu>
Date: Fri, 18 Mar 2011 23:22:12 -0400

On Thu, 17 Mar 2011 13:39:58 -0500
"Tudor Panaitescu" <TPanaitescu () colorcon com> wrote:

> I just compiled and installed 2.9.0.4 on RHEL5 and 6 boxes (of course I
> have daq, libpcap1, libnet and libdnet on the systems) and I've noticed
> that rules configured w/ resp:reset_both,icmp_all don't seem to be
> resetting connections as supposed to.

I had 3 issues with active response: 

  - Reset packets were being sent with a TTL of 0. They didn't go very far :-)
  - Reset packets had the original ethernet addresses of the packets they were
    copied from. They therefore didn't make it to the router. 
  - Once those were fixed, only the first rule parse would fire resets. 

The attached patch (for 2.9.0.2) fixed those problems for me, and now it's
working quite well. Hopefully you'll find it to be of use to you. [1]

-- 
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida

[1] Standard disclaimers apply. If anyone spots a bug please let me know!

Attachment: snort-2.9.0.2.patch
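Added example (not Jim's patch and not Snort's own code): the two packet-level defects described above, a TTL of 0 and link-layer addresses copied unchanged from the triggering packet, are easy to reproduce and check in isolation. The pure-Python block below builds the pair of RST segments a reset_both style response needs from a captured Ethernet/IPv4/TCP frame, giving them a sane TTL and the swapped MAC addresses the reset toward the sender requires, and it includes a checker that flags resets with either defect. The sample trigger frame, MAC addresses and IP addresses are constructed for the example and are not from a real capture.

```python
import struct

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed addresses for the example (hypothetical, not from any capture).
SENDER_MAC = bytes.fromhex("0200000000aa")   # host that sent the trigger
ROUTER_MAC = bytes.fromhex("0200000000bb")   # next hop the trigger was addressed to
SENDER_IP = bytes([10, 0, 0, 5])
SERVER_IP = bytes([192, 0, 2, 10])


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4_header(src_ip, dst_ip, ttl, payload_len):
    """Minimal 20-byte IPv4 header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, IPPROTO_TCP, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def _tcp_header(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """20-byte TCP header; the checksum covers the pseudo-header, header and payload."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, IPPROTO_TCP, len(hdr) + len(payload))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + payload)) + hdr[18:]


def parse_frame(frame):
    """Pull the fields a reset needs out of an Ethernet/IPv4/TCP frame."""
    dst_mac, src_mac, ethtype = struct.unpack("!6s6sH", frame[:14])
    if ethtype != ETH_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    return dict(dst_mac=dst_mac, src_mac=src_mac, ttl=ttl,
                src_ip=ip[12:16], dst_ip=ip[16:20], sport=sport, dport=dport,
                seq=seq, ack=ack, flags=off_flags & 0x1FF,
                payload_len=total_len - ihl - doff)


def build_resets(trigger, ttl=64):
    """Return (reset toward the sender, reset toward the receiver) for a trigger frame.

    Both use a real TTL and carry the link-layer addresses of the side they are
    aimed at; the sequence numbers match each side's next expected byte, which is
    what RFC 5961 requires for a RST to be accepted instead of answered with a
    challenge ACK.
    """
    p = parse_frame(trigger)
    consumed = p["payload_len"] + bool(p["flags"] & TCP_SYN) + bool(p["flags"] & TCP_FIN)
    next_seq = (p["seq"] + consumed) & 0xFFFFFFFF
    # Toward the sender: every address swapped, SEQ = the ACK the sender just sent.
    to_sender = (struct.pack("!6s6sH", p["src_mac"], p["dst_mac"], ETH_IPV4)
                 + _ipv4_header(p["dst_ip"], p["src_ip"], ttl, 20)
                 + _tcp_header(p["dst_ip"], p["src_ip"], p["dport"], p["sport"],
                               p["ack"], next_seq, TCP_RST | TCP_ACK))
    # Toward the receiver: same addressing as the trigger, SEQ continues the stream.
    to_receiver = (struct.pack("!6s6sH", p["dst_mac"], p["src_mac"], ETH_IPV4)
                   + _ipv4_header(p["src_ip"], p["dst_ip"], ttl, 20)
                   + _tcp_header(p["src_ip"], p["dst_ip"], p["sport"], p["dport"],
                                 next_seq, 0, TCP_RST))
    return to_sender, to_receiver


def find_problems(trigger, reset):
    """List the reasons a generated reset would never reach or never be honoured."""
    t, r = parse_frame(trigger), parse_frame(reset)
    problems = []
    if r["ttl"] == 0:
        problems.append("TTL is 0: the first router drops the reset")
    if not r["flags"] & TCP_RST:
        problems.append("RST flag not set")
    ip = reset[14:]
    if checksum(ip[:(ip[0] & 0x0F) * 4]) != 0:
        problems.append("bad IP header checksum")
    # The L2 destination must belong to whoever owns the L3 destination.
    if r["dst_ip"] == t["src_ip"] and r["dst_mac"] != t["src_mac"]:
        problems.append("Ethernet addresses not swapped for the reset toward the sender")
    if r["dst_ip"] == t["dst_ip"] and r["dst_mac"] != t["dst_mac"]:
        problems.append("Ethernet destination does not match the receiver")
    return problems


def sample_trigger():
    """Constructed client -> server data segment standing in for a rule hit."""
    payload = b"GET /"
    tcp = _tcp_header(SENDER_IP, SERVER_IP, 40000, 80, 1000, 5000, TCP_ACK | TCP_PSH, payload)
    return (struct.pack("!6s6sH", ROUTER_MAC, SENDER_MAC, ETH_IPV4)
            + _ipv4_header(SENDER_IP, SERVER_IP, 64, len(tcp) + len(payload))
            + tcp + payload)


def buggy_reset(trigger):
    """A reset toward the sender built the broken way: TTL 0 and the trigger's MACs copied."""
    p = parse_frame(trigger)
    return (trigger[:14]
            + _ipv4_header(p["dst_ip"], p["src_ip"], 0, 20)
            + _tcp_header(p["dst_ip"], p["src_ip"], p["dport"], p["sport"],
                          p["ack"], p["seq"] + p["payload_len"], TCP_RST | TCP_ACK))


if __name__ == "__main__":
    trig = sample_trigger()
    for name, frame in zip(("to_sender", "to_receiver", "buggy"),
                           (*build_resets(trig), buggy_reset(trig))):
        print(name, find_problems(trig, frame) or "ok")
```

Running the module prints "ok" for both properly built resets and the two complaints (TTL 0, Ethernet addresses not swapped) for the deliberately broken one. The checker is also a useful thing to point at a pcap of a sensor's actual output: the same two tests, plus the checksum, are what you would verify before blaming the rule or the DAQ.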
