Snort mailing list archives
Re: Active response not working in 2.9.0.4 ?
From: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Date: Sat, 19 Mar 2011 09:10:54 -0500
Hi Jim,

Thanks for your reply again. Mine is passive too. As soon as I put the router's MAC in the config, "configure response: device <interface>/<MAC>, attempts 5", snort refused to start: "FATAL ERROR: Active response: can't open <interface><some sort of nonsense like #010.y#018.$#027#010>!".

I was sniffing on the sensor's reset interface; when I sniffed on the attacker interface I couldn't see the resets. Also, on the sensor, the ttl of the resets sent was 64 which seems to be OK.

Confusing enough, on the upstream router (cisco) I've got: "%FW-6-DROP_TCP_PKT: Dropping tcp pkt <sensor> => <attacker> due to SYN inside current window .... " but I couldn't see any SYNs in the sniffer trace.

Thanks,
TP

From: Jim Hranicky <jfh () ufl edu>
To: "Tudor Panaitescu" <TPanaitescu () colorcon com>
Cc: snort-users () lists sourceforge net
Date: 03/19/2011 09:30 AM
Subject: Re: [Snort-users] Active response not working in 2.9.0.4 ?

On Sat, 19 Mar 2011 08:14:37 -0500 "Tudor Panaitescu" <TPanaitescu () colorcon com> wrote:
> Hi Jim
>
> Thanks for your reply and for the patch. Is your sensor inline or
> passive ?
>
> I have applied the patch and the active response still doesn't work, not sure what I am missing here, is it a config issue, rule issue ?

Mine is configured passive. Did you put the next hop router's ethernet address in the config?

> I have sniffed on the same interface and I didn't see any ICMP being
> sent,
> I saw TCP resets but still the connection didn't seem to have dropped, still saw a push from the sensor to attacker right after the resets were sent.

Where were you sniffing? If you're sniffing on the reset interface make sure your TTLs are > 0. If you can, sniff on the target box on your network to make sure the resets are getting there. FWIW, I'm doing reset:both. Once you get it working it's pretty satisfying:

curl -s -S -k -H 'Host: <bad host>' -H 'Connection: Keep-Alive' http://<bad-url>
curl: (56) Failure when receiving data from the peer

Jim
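A small checker for the verification step Jim describes (confirm that what the sensor emits is a TCP RST and that its TTL is above zero), as an added example that is not part of the thread or of Snort itself; it decodes raw Ethernet/IPv4/TCP headers, and the frames it inspects are constructed inline as sample input (addresses, ports and MACs are made up):

```python
import socket
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
IP_HDR = struct.Struct("!BBHHHBBH4s4s")    # fixed 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")      # fixed 20-byte TCP header

def build_frame(ttl, tcp_flags, src="10.0.0.5", dst="10.0.0.9", sport=80, dport=40000):
    """Constructed Ethernet/IPv4/TCP frame (no payload, checksums zeroed) used as sample input."""
    tcp = TCP_HDR.pack(sport, dport, 1000, 2000, 5 << 4, tcp_flags, 512, 0, 0)
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(tcp), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = ETH_HDR.pack(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800)
    return eth + ip + tcp

def parse_frame(frame):
    """Decode the Ethernet/IPv4/TCP headers of one frame; None if it is not IPv4/TCP."""
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    f = IP_HDR.unpack_from(frame, ETH_HDR.size)
    ihl = (f[0] & 0x0F) * 4                 # header length in bytes (options included)
    ttl, proto = f[5], f[6]
    if proto != 6:
        return None
    sport, dport, seq, _, _, flags, _, _, _ = TCP_HDR.unpack_from(frame, ETH_HDR.size + ihl)
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]), "ttl": ttl,
            "sport": sport, "dport": dport, "seq": seq,
            "rst": bool(flags & 0x04), "syn": bool(flags & 0x02)}

def check_reset(frame):
    """Apply the thread's checklist to a captured frame: TCP RST present and TTL > 0."""
    p = parse_frame(frame)
    if p is None:
        return (False, "not IPv4/TCP")
    if not p["rst"]:
        return (False, "RST flag not set")
    if p["ttl"] == 0:
        return (False, "TTL is 0: reset will be dropped before reaching the target")
    return (True, "RST %s:%d -> %s:%d ttl=%d" % (p["src"], p["sport"], p["dst"], p["dport"], p["ttl"]))

if __name__ == "__main__":
    for ttl, flags in ((64, 0x14), (0, 0x14), (64, 0x18)):   # RST|ACK, RST|ACK ttl 0, PSH|ACK
        print(check_reset(build_frame(ttl, flags)))
```

To run it on a real capture, feed each frame's bytes (for example from a pcap reader) to check_reset in place of the constructed frames.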