Snort mailing list archives
Sourcefire VRT Rules and Snort Active Response
From: "Jason D. McCormick" <jasonmc () sei cmu edu>
Date: Mon, 20 Jun 2011 14:01:20 -0400
Hello all,

I want to make certain that I understand how the Sourcefire VRT rules work in conjunction with Active Response modules in Snort. I am attempting to set up a standard IDS implementation that will perform an alerting-only function. To that end, I have set up a Linux host with 4 NICs in it. The first NIC, eth0, is the general network traffic for the Linux host. The other three are connected to span ports at various points within the infrastructure.

Since my goal is an inspect/report-only infrastructure, I don't want any attempts by Snort to actively respond with Flexresp, Sniping, etc. However, to use the Sourcefire VRT rules, it appears that I must have the options --enable-active-response, --enable-normalizer, and --enable-react compiled in.

The way I understand Snort via the documentation and my testing to date is that the general class of "Active Response" mechanisms only fire when Snort is running in inline mode. The way I am running snort is using the source-provided initscript, which executes with the options:

/usr/sbin/snort -A fast -b -d -D -I -i eth1 -u snort \
  -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1

which should be a pcap-based listening-only mode, correct? Am I correct in my understanding that when executed this way the Sourcefire VRT rulesets will not actively respond, since Snort isn't operating in inline mode? If I've failed to RTFM something and there's documentation on this facet of Snort that I've missed, please point me to it.

Thanks in advance!

-- 
Jason McCormick
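The check I would run before trusting an alert-only Snort box like the one described above, as an added example that is not part of this thread and not code from the Snort project: a shell script that audits the command line, snort.conf and rule files for the things that can make Snort 2.x respond rather than only alert. It assumes Snort 2.9-era syntax (-Q and --daq-mode inline for inline operation, "config policy_mode:inline" or "inline_test", "config response:" for the injection device, the reject and sdrop rule actions, and the resp: and react: rule options). The snort.conf and rules file it writes are constructed for the demo; the command line it audits is the one from the post.

```shell
#!/bin/sh
# Added example, not from the post or the Snort project. Audits a Snort 2.x
# deployment for anything that could make it respond instead of only alert:
#   - command line: -Q (inline) or --daq-mode inline
#   - snort.conf:   "config policy_mode:inline" / "inline_test", "config response:"
#   - rules:        reject/sdrop actions, resp:/react: options
# File names and sample contents below are constructed for the demo.
# The rule pattern is a line grep; a literal "react:" inside a msg string
# would also match, which is the conservative direction for this audit.

# Write a constructed snort.conf and rules file into a temp dir; print the dir.
mk_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rules"
    cat > "$dir/snort.conf" <<'EOF'
# constructed sample snort.conf (not a real deployment)
config policy_mode:tap
config response: device eth1 attempts 3
include rules/local.rules
EOF
    cat > "$dir/rules/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed alert-only rule"; sid:1000001;)
alert tcp any any -> any 23 (msg:"constructed rule with resp"; resp:rst_all; sid:1000002;)
reject tcp any any -> any 25 (msg:"constructed reject rule"; sid:1000003;)
EOF
    printf '%s\n' "$dir"
}

# Print how many inline-mode indicators appear on a Snort command line.
cmdline_findings() {
    n=0
    echo "$1" | grep -qE -- '(^|[[:space:]])-Q([[:space:]]|$)' && n=$((n+1))
    echo "$1" | grep -qE -- '--daq-mode[[:space:]=]+inline' && n=$((n+1))
    echo "$n"
}

# Print how many snort.conf lines switch the policy to inline (inline_test is
# counted too, conservatively) or configure the active-response device.
conf_findings() {
    grep -cE '^[[:space:]]*config[[:space:]]+(policy_mode:[[:space:]]*inline|response:)' "$1" || true
}

# Print how many rule lines across the given files carry a responding action
# (reject, sdrop) or a responding option (resp:, react:). "include" lines in
# snort.conf are not followed; pass the rule files explicitly.
rules_findings() {
    total=0
    for f in "$@"; do
        c=$(grep -cE '^[[:space:]]*(reject|sdrop)[[:space:]]|[;(][[:space:]]*(resp|react)[[:space:]]*:' "$f" || true)
        total=$((total + ${c:-0}))
    done
    echo "$total"
}

# Report on one deployment; exit status 0 means nothing that can respond was found.
audit_snort_deployment() {
    cmd=$1; conf=$2; shift 2
    c=$(cmdline_findings "$cmd")
    k=$(conf_findings "$conf")
    r=$(rules_findings "$@")
    echo "command line inline indicators:      $c"
    echo "snort.conf inline/response lines:    $k"
    echo "rules with reject/sdrop/resp/react:  $r"
    [ "$((c + k + r))" -eq 0 ]
}

# Stand-alone demo: the command line from the post, against the constructed files.
POST_CMD='/usr/sbin/snort -A fast -b -d -D -I -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1'
samples=$(mk_samples)
if audit_snort_deployment "$POST_CMD" "$samples/snort.conf" "$samples/rules/local.rules"; then
    echo "verdict: passive, alert-only"
else
    echo "verdict: something here can actively respond; review before trusting alert-only"
fi
rm -rf "$samples"
```

Against the constructed samples the command line is clean but the audit still fails, because the sample snort.conf carries a "config response:" line and the rules include a resp: option and a reject action. On a real sensor, point it at /etc/snort/snort.conf and every rules file the config includes (the VRT tarball unpacks into many), and gate the init script or the CI job on its exit status.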
Current thread:
- Sourcefire VRT Rules and Snort Active Response Jason D. McCormick (Jun 20)
- Re: Sourcefire VRT Rules and Snort Active Response Russ Combs (Jun 20)
- Re: Sourcefire VRT Rules and Snort Active Response Jason D. McCormick (Jun 20)
- Re: Sourcefire VRT Rules and Snort Active Response Russ Combs (Jun 21)
- Re: Sourcefire VRT Rules and Snort Active Response Jason D. McCormick (Jun 20)
- Re: Sourcefire VRT Rules and Snort Active Response Russ Combs (Jun 20)