Snort mailing list archives
Re: Active response not working in 2.9.0.4 ?
From: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Date: Sat, 19 Mar 2011 08:14:37 -0500
Hi Jim,

Thanks for your reply and for the patch. Is your sensor inline or passive? I have applied the patch and the active response still doesn't work, not sure what I am missing here, is it a config issue, rule issue? I have sniffed on the same interface and I didn't see any ICMP being sent, I saw TCP resets but still the connection didn't seem to have dropped, still saw a push from the sensor to attacker right after the resets were sent.

Still digging, I'll let you know if I find anything else interesting.

Thanks,
TP

From: Jim Hranicky <jfh () ufl edu>
To: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Cc: snort-users () lists sourceforge net
Date: 03/18/2011 11:22 PM
Subject: Re: [Snort-users] Active response not working in 2.9.0.4 ?

On Thu, 17 Mar 2011 13:39:58 -0500 "Tudor Panaitescu" <TPanaitescu () colorcon com> wrote:
> I just compiled and installed 2.9.0.4 on RHEL5 and 6 boxes (of course I have daq, libpcap1, libnet and libdnet on the systems) and I've noticed that rules configured w/ resp:reset_both,icmp_all don't seem to be resetting connections as supposed to.
I had 3 issues with active response:

- Reset packets were being sent with a TTL of 0. They didn't go very far :-)
- Reset packets had the original ethernet addresses of the packets they were copied from. They therefore didn't make it to the router.
- Once those were fixed, only the first rule parse would fire resets.

The attached patch (for 2.9.0.2) fixed those problems for me, and now it's working quite well. Hopefully you'll find it to be of use to you. [1]

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida

[1] Standard disclaimers apply. If anyone spots a bug please let me know!

[attachment "snort-2.9.0.2.patch" deleted by Tudor Panaitescu/NA/Colorcon]
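As an added check (not code from this thread or from Snort), the first two defects Jim lists above, a zero TTL and ethernet addresses copied from the triggering packet, can be verified from a sniffed trigger/reset pair like the one Tudor captured on the sensor interface; the frames below are constructed samples with hypothetical MAC and IP addresses, and the third defect (only the first rule parse firing) is a config-parsing bug that a packet check cannot see.

```python
import struct

def build_frame(dst_mac, src_mac, ttl, src_ip, dst_ip, sport, dport, flags):
    """Constructed sample Ethernet II / IPv4 / TCP frame (checksums left at 0; not checked)."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, src_ip, dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Pull out the fields the check needs from an Ethernet II / IPv4 / TCP frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[23] != 6:
        raise ValueError("expected an IPv4/TCP frame")
    ihl = (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return dict(dst_mac=dst_mac, src_mac=src_mac, ttl=frame[22],
                src_ip=frame[26:30], dst_ip=frame[30:34],
                sport=sport, dport=dport, rst=bool(frame[14 + ihl + 13] & 0x04))

def check_reset(trigger, reset):
    """Return the reasons a reset emitted for `trigger` would never reach its target."""
    t, r = parse_frame(trigger), parse_frame(reset)
    problems = []
    if not r["rst"]:
        problems.append("RST flag not set")
    if r["ttl"] == 0:
        problems.append("TTL is 0, the first router drops it")
    # The reset is aimed at whichever endpoint its IP header names; the destination
    # MAC must point the same way (toward that host or the router in front of it).
    mac_of = {t["src_ip"]: t["src_mac"], t["dst_ip"]: t["dst_mac"]}
    if r["dst_ip"] not in mac_of:
        problems.append("destination IP matches neither end of the triggering flow")
    elif r["dst_mac"] != mac_of[r["dst_ip"]]:
        problems.append("destination MAC copied from the trigger instead of matching the target")
    return problems

# Constructed sample: a remote 203.0.113.5 reaches server 198.51.100.10 through the gateway,
# so the frame the sensor sees carries the gateway's MAC as source and the server's as destination.
GATEWAY_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ATTACKER_IP, SERVER_IP = bytes([203, 0, 113, 5]), bytes([198, 51, 100, 10])
TRIGGER = build_frame(SERVER_MAC, GATEWAY_MAC, 64, ATTACKER_IP, SERVER_IP, 40000, 80, 0x18)  # PSH|ACK
# Reset as the thread describes the buggy one: TTL 0, ethernet addresses copied from the trigger.
BUGGY_RESET = build_frame(SERVER_MAC, GATEWAY_MAC, 0, SERVER_IP, ATTACKER_IP, 80, 40000, 0x14)  # RST|ACK
# Reset with the two fixes applied: non-zero TTL, destination MAC pointing back at the gateway.
FIXED_RESET = build_frame(GATEWAY_MAC, SERVER_MAC, 64, SERVER_IP, ATTACKER_IP, 80, 40000, 0x14)
```

Run `check_reset(TRIGGER, BUGGY_RESET)` to get both diagnoses and `check_reset(TRIGGER, FIXED_RESET)` to get an empty list.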