Snort mailing list archives

Re: Active response not working in 2.9.0.4 ?


From: Risto Vaarandi <risto.vaarandi () seb ee>
Date: Mon, 19 Sep 2011 19:42:33 +0300

hi all,
I recall having issues with active response for 2.9.0.4 on RHEL5 (see 
the post below and my own post from last March). I am now running 
Snort-2.9.1 and on RHEL5 the issues are still there. Despite 'configure 
--enable-active-response' (this should be the default) and changing 
options in the config and rule files, the 'reject' action is not 
working. I have had no issues whatsoever in the past with snort-2.8.
Is active response known to be broken on RHEL5? If there is anyone who 
has got this feature working on this particular platform, please share 
your knowledge.
BR,
risto

On 03/19/2011 05:22 AM, Jim Hranicky wrote:
On Thu, 17 Mar 2011 13:39:58 -0500
"Tudor Panaitescu"<TPanaitescu () colorcon com>  wrote:

I just compiled and installed 2.9.0.4 on RHEL5 and 6 boxes (of course I
have daq, libpcap1, libnet and libdnet on the systems) and I've noticed
that rules configured w/ resp:reset_both,icmp_all don't seem to be
resetting connections as they are supposed to.

I had 3 issues with active response:

   - Reset packets were being sent with a TTL of 0. They didn't go very far :-)
   - Reset packets had the original ethernet addresses of the packets they were
     copied from. They therefore didn't make it to the router.
   - Once those were fixed, only the first rule parse would fire resets.

The attached patch (for 2.9.0.2) fixed those problems for me, and now it's
working quite well. Hopefully you'll find it to be of use to you. [1]
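The three defects Jim lists above (TTL of 0, Ethernet addresses copied unchanged, resets not reaching the router) suggest a sanity check an operator can run over captured reject traffic before blaming the rule file. The following is an added example, not code from this thread or from Snort itself: it parses a constructed triggering packet and a candidate RST from raw Ethernet/IPv4/TCP bytes and reports a zero TTL, unswapped Ethernet addresses or an un-reversed IP/port tuple. All MACs, IPs and frame contents are constructed sample values.

```python
import struct

ETH_LEN = 14          # Ethernet II header length
ETH_P_IP = 0x0800     # IPv4 ethertype
TCP_RST = 0x04        # RST bit in the TCP flags byte

def parse_frame(frame):
    """Parse Ethernet II + IPv4 + TCP headers (no TCP options needed for this check)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if ethertype != ETH_P_IP:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_LEN] & 0x0F) * 4                      # IP header length in bytes
    ttl, proto = struct.unpack("!BB", frame[ETH_LEN + 8:ETH_LEN + 10])
    src_ip, dst_ip = struct.unpack("!4s4s", frame[ETH_LEN + 12:ETH_LEN + 20])
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = frame[ETH_LEN + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"dst_mac": dst_mac, "src_mac": src_mac, "ttl": ttl, "src_ip": src_ip,
            "dst_ip": dst_ip, "sport": sport, "dport": dport, "flags": tcp[13]}

def check_reset(trigger, reset):
    """List the defects in a RST that was supposedly sent back toward the trigger's source."""
    t, r = parse_frame(trigger), parse_frame(reset)
    problems = []
    if not r["flags"] & TCP_RST:
        problems.append("RST flag not set")
    if r["ttl"] == 0:                                      # first defect from the thread
        problems.append("ttl is 0")
    # A reset to the sender travels the reverse direction, so the 4-tuple must be reversed...
    if (r["src_ip"], r["dst_ip"], r["sport"], r["dport"]) != (t["dst_ip"], t["src_ip"], t["dport"], t["sport"]):
        problems.append("ip/port tuple not reversed")
    # ...and so must the link-layer addresses, otherwise the frame never reaches the router.
    if (r["src_mac"], r["dst_mac"]) != (t["dst_mac"], t["src_mac"]):
        problems.append("ethernet addresses not swapped")
    return problems

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, ttl, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero; not validated here)."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, src_ip, dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return eth + ip + tcp

# Constructed sample traffic: a client behind a router talks to a server; sensor sees the client segment.
CLIENT_MAC, ROUTER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CLIENT_IP, SERVER_IP = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
TRIGGER = build_frame(CLIENT_MAC, ROUTER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 64, 0x18)
# A reset copied from the trigger with only IPs/ports/flags changed: TTL 0 and unswapped MACs.
BROKEN_RESET = build_frame(CLIENT_MAC, ROUTER_MAC, SERVER_IP, CLIENT_IP, 80, 40000, 0, TCP_RST)
GOOD_RESET = build_frame(ROUTER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 40000, 64, TCP_RST)
```

Feed real frames from a capture taken on the sensor's reject interface into check_reset alongside the packet that triggered the rule; an empty list means the reset at least had a chance of being delivered.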
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users