Snort mailing list archives
2.9.1.2/2.9.2 and Active Response
From: Jim Hranicky <jfh () ufl edu>
Date: Fri, 2 Dec 2011 11:24:13 -0500
Hey folks,

I've just recently upgraded to 2.9.1.2 and it seems that active response has stopped working again. I went ahead and installed 2.9.2-rc and it seems to have the same problem. I tracked down some bugs in 2.9.0.5 and sent in some patches, but it seems something may still be amiss or I'm missing something.

Configure flags:

  CFLAGS="-O2 -I/opt/pf/include" LDFLAGS="-L/opt/pf/lib -Wl,-rpath=/opt/pf/lib" ./configure --prefix=/opt/pf --enable-ipv6 --enable-zlib --enable-reload --enable-flexresp3 --with-libpfring-includes=/opt/pf/include --with-libpfring-libraries=/opt/pf/lib --enable-perfprofiling

Response line:

  config response: device eth1 dst_mac 00:d0:02:1c:f0:00 attempts 10

I tripped some rules I have set up with resets, and the rules tripped, but the RSTs weren't sent (checked with tcpdump on the response interface). I also gdb-attached to one of the running snorts and set a breakpoint at active.c:Active_SendResponses(), tripped the rules, but the breakpoint wasn't ever hit either.

Any ideas as to the problem? I can keep noodling around with gdb and see what I find.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
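The checks below are an added example and are not part of Jim's post or of the Snort project. They take a "config response:" line and a configure command line (the sample values are constructed to match the ones quoted in the post), verify that the response line carries a device, a well-formed dst_mac and a numeric attempts count, verify that the build was configured with --enable-flexresp3, and print the tcpdump command that would show Snort's RSTs on the response interface. The filter assumes, as the Snort manual describes, that dst_mac is the next-hop MAC the response packets are addressed to, so it matches on the Ethernet destination.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for Snort
# active-response prerequisites before reaching for gdb.

# Constructed sample inputs, matching the values quoted in the post.
SAMPLE_RESPONSE='config response: device eth1 dst_mac 00:d0:02:1c:f0:00 attempts 10'
SAMPLE_CONFIGURE='./configure --prefix=/opt/pf --enable-ipv6 --enable-flexresp3'

# Print the value following <key> in a "config response:" line.
# usage: response_opt "<line>" <key>
response_opt() {
    printf '%s\n' "$1" \
        | sed -n 's/^config response:[[:space:]]*//p' \
        | tr -s ' ' '\n' \
        | awk -v k="$2" 'prev == k { print; exit } { prev = $0 }'
}

# Return 0 when the line has a device, a colon-separated 48-bit MAC and
# a numeric attempts value; return 1 otherwise.
response_line_ok() {
    dev=$(response_opt "$1" device)
    mac=$(response_opt "$1" dst_mac)
    att=$(response_opt "$1" attempts)
    [ -n "$dev" ] || return 1
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    printf '%s\n' "$att" | grep -Eq '^[0-9]+$' || return 1
}

# Return 0 when the configure command line enables flexresp3.
build_has_flexresp3() {
    printf '%s\n' "$1" | grep -q -- '--enable-flexresp3'
}

# Build the tcpdump command that shows RSTs Snort injects on the response
# device. Assumption: responses are addressed to dst_mac, so we match the
# Ethernet destination and the TCP RST flag.
rst_capture_cmd() {
    dev=$(response_opt "$1" device)
    mac=$(response_opt "$1" dst_mac)
    printf 'tcpdump -n -e -i %s "ether dst %s and tcp[tcpflags] & tcp-rst != 0"\n' "$dev" "$mac"
}

if response_line_ok "$SAMPLE_RESPONSE" && build_has_flexresp3 "$SAMPLE_CONFIGURE"; then
    echo "response config and build flags look sane; watch the response interface with:"
    rst_capture_cmd "$SAMPLE_RESPONSE"
else
    echo "active response prerequisites missing (response line or --enable-flexresp3)" >&2
fi
```

If both checks pass and the tcpdump filter still shows nothing while the rule fires, the build and the response line are not the problem, which is the point at which a breakpoint in Active_SendResponses() is the next thing to try.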