Snort mailing list archives

Sourcefire VRT Rules and Snort Active Response


From: "Jason D. McCormick" <jasonmc () sei cmu edu>
Date: Mon, 20 Jun 2011 14:01:20 -0400

Hello all,

I want to make certain that I understand how the Sourcefire VRT rules work in conjunction with Active Response modules 
in Snort.  I am attempting to set up a standard IDS implementation that will perform an alerting-only function.  To 
that end, I have set up a Linux host with 4 NICs in it.  The first NIC, eth0, is the general network traffic for the 
Linux host.  The other three are connected to span ports at various points within the infrastructure.  Since my goal is 
an inspect/report-only infrastructure, I don't want any attempts by Snort to actively respond with Flexresp, Sniping, 
etc.  However, to use the Sourcefire VRT rules, it appears that I must have the options --enable-active-response, 
--enable-normalizer, and --enable-react compiled in.  The way I understand Snort via the documentation and my testing 
to date is that the general class of "Active Response" mechanisms only fire when Snort is running in inline mode.  The 
way I am running snort is using the source-provided initscript, which executes with the options:

  /usr/sbin/snort -A fast -b -d -D -I -i eth1 -u snort \
    -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1

which should be a pcap-based listening-only mode, correct?  Am I correct in my understanding that when executed this way 
the Sourcefire VRT rulesets will not actively respond, since Snort isn't operating in inline mode?

If I've failed to RTFM something and there's documentation on this facet of Snort that I've missed, please point me to 
it.

Thanks in advance!

--
Jason McCormick
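Added example, not code from the original post or from the Snort project: a small sh audit for the two facts an alerting-only deployment depends on. It lists which rules in a rule tree carry the resp: (Flexresp) or react: options, and checks whether a given snort command line requests inline mode via -Q or --daq-mode inline. The rule file it writes is constructed sample data, not VRT content; the passive command line is the initscript invocation quoted above and the inline one is constructed for contrast.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Snort project.
# Audits a Snort 2.9 rule tree and a Snort command line for the two things
# that decide whether anything could actively respond:
#   - the rule options "resp:" (Flexresp, --enable-active-response) and
#     "react:" (--enable-react) request an active response;
#   - the -Q switch (or --daq-mode inline) puts Snort 2.9 in inline mode;
#     without it Snort reads from the interface passively, as the initscript
#     invocation quoted in the post does.

# Print every enabled rule under $1 that carries a resp: or react: option.
# Commented-out lines (leading '#') are not rules and are skipped.
find_active_response_rules() {
    find "$1" -name '*.rules' -exec grep -nE \
        '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]].*[[:space:](;](resp|react):' {} +
}

# Number of such rules under $1 (0 when there are none).
count_active_response_rules() {
    find_active_response_rules "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) when the command line in $1 asks for inline mode.
snort_cmdline_is_inline() {
    case " $1 " in
        *" -Q "*|*" --daq-mode inline "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a constructed rule file (sample data, not VRT rules) into a
# temporary directory and print that directory's path.
make_constructed_rules_dir() {
    dir=$(mktemp -d)
    cat > "$dir/constructed.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed plain alert"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed flexresp"; resp:rst_all; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"constructed commented react"; react:block; sid:1000003; rev:1;)
alert tcp any any -> any 8080 (msg:"constructed react"; react:block; sid:1000004; rev:1;)
EOF
    echo "$dir"
}

# Stand-alone demonstration over the constructed rules and two command lines.
demo_rules=$(make_constructed_rules_dir)
echo "rules with resp:/react: options:"
find_active_response_rules "$demo_rules"
echo "count: $(count_active_response_rules "$demo_rules")"
passive_cmd="/usr/sbin/snort -A fast -b -d -D -I -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1"
inline_cmd="/usr/sbin/snort -Q -i eth1:eth2 -c /etc/snort/snort.conf"
for c in "$passive_cmd" "$inline_cmd"; do
    if snort_cmdline_is_inline "$c"; then echo "inline:  $c"; else echo "passive: $c"; fi
done
rm -rf "$demo_rules"
```

Run it against a real tree with `find_active_response_rules /etc/snort/rules` to see exactly which rules would be the ones that could respond; a count of zero, together with a passive command line, means the compile-time flags alone leave nothing that can act on the wire.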




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation