Snort mailing list archives
Re: Sourcefire VRT Rules and Snort Active Response
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 21 Jun 2011 11:13:55 -0400
On Mon, Jun 20, 2011 at 4:29 PM, Jason D. McCormick <jasonmc () sei cmu edu> wrote:
> > I am correct in my understanding that when executed this way the Sourcefire VRT rulesets will not actively respond since Snort isn't operating in inline mode, yes?
> >
> > Snort can still send active responses in IDS mode, so make sure that this line or similar is commented out of your snort.conf:
> >
> > # config response: eth0 attempts 2
>
> Yes it is, and that's how it comes from Sourcefire in the VRT ruleset too. I just wanted to make sure there wasn't some other "default" value that made this still work with that line commented out (as opposed to set to 0 or something). Sounds like I'm good then?
Yes. You can double check that you see this (but it will only show if you attempted to enable): WARNING: active responses disabled since DAQ can't inject packets. And your "Packet I/O Totals" at shutdown should show "Injected: 0".
> - Jason

------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
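A small check, added here and not part of the thread, that does the two things Russ describes: flag any uncommented `config response:` directive in a snort.conf, and read the `Injected:` counter out of the "Packet I/O Totals" block printed at shutdown. The sample config fragment and statistics block are constructed for illustration.

```python
import re

# Constructed sample snort.conf fragment (not from the thread): the first
# directive is commented out as shipped, the second would enable active response.
SAMPLE_CONF = """\
# config response: eth0 attempts 2
config response: eth1 attempts 3   # trailing comment, directive still live
output unified2: filename snort.log
"""

# Constructed sample of Snort's shutdown statistics (not real captured output).
SAMPLE_SHUTDOWN = """\
Packet I/O Totals:
   Received:   12345
   Analyzed:   12345
   Injected:       0
"""


def active_response_lines(conf_text):
    """Return (line_no, directive) for every uncommented 'config response' line.

    Text after a '#' is treated as a comment, so a directive that is fully
    commented out is ignored while one with only a trailing comment is reported.
    """
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        code = line.split('#', 1)[0].strip()
        if re.match(r'config\s+response\s*:', code):
            hits.append((n, code))
    return hits


def injected_count(stats_text):
    """Parse the 'Injected:' counter from the Packet I/O Totals block, or None."""
    m = re.search(r'^\s*Injected:\s*(\d+)', stats_text, re.MULTILINE)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for n, directive in active_response_lines(SAMPLE_CONF):
        print(f"line {n}: active response enabled by '{directive}'")
    print("packets injected at shutdown:", injected_count(SAMPLE_SHUTDOWN))
```

Run it against a real snort.conf and the captured shutdown output; no reported directives and an `Injected:` value of 0 is the state the thread describes as "good".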