Snort mailing list archives

2.9.1.2/2.9.2 and Active Response


From: Jim Hranicky <jfh () ufl edu>
Date: Fri, 2 Dec 2011 11:24:13 -0500

Hey folks, I've just recently upgraded to 2.9.1.2 and it seems
that active response has stopped working again. I went ahead
and installed 2.9.2-rc and it seems to have the same problem.

I tracked down some bugs in 2.9.0.5 and sent in some patches, 
but it seems something may still be amiss or I'm missing something. 

Configure flags: 

  CFLAGS="-O2 -I/opt/pf/include" LDFLAGS="-L/opt/pf/lib
  -Wl,-rpath=/opt/pf/lib" ./configure --prefix=/opt/pf --enable-ipv6
  --enable-zlib --enable-reload --enable-flexresp3
  --with-libpfring-includes=/opt/pf/include
  --with-libpfring-libraries=/opt/pf/lib --enable-perfprofiling

response line:
  
  config response: device eth1 dst_mac 00:d0:02:1c:f0:00 attempts 10

I tripped some rules I have set up with resets, and the rules tripped,
but the RSTs weren't sent (checked with tcpdump on the response 
interface). I also gdb attached to one of the running snorts and set
a breakpoint at active.c:Active_SendResponses(), tripped the rules,
but the bp wasn't ever hit either. 

Any ideas as to the problem? I can keep noodling around with gdb and
see what I find. 

-- 
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
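Added example (editor's note, not code from the post or from Snort): a small Python model of the two checks described above, namely what flexresp3 should put on the wire for a tripped rule and what the tcpdump check on the response interface should see. The dst_mac is taken from the posted "config response" line; the sensor MAC, the client/server addresses and the offending request are constructed sample data. active_response() is a deliberately simplified model of a resp:rst_all (one RST/ACK spoofed toward each end of the connection, sent out the response device to the configured dst_mac), not Snort's actual sequence-number logic. It also verifies TCP checksums, because a RST that reaches the wire with a bad checksum is dropped silently by the target and looks just like "active response isn't working".

```python
import socket
import struct

# Value from the posted "config response" line.
DST_MAC = "00:d0:02:1c:f0:00"
# Assumed MAC of the sensor's response interface (not in the original post).
SENSOR_MAC = "02:00:00:00:00:01"

TCP_RST = 0x04
TCP_PSH = 0x08
TCP_ACK = 0x10


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport,
                    seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame (no options) with valid IP and TCP checksums."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP; None for anything else. csum_ok reports
    whether the TCP checksum verifies (a RST with a bad one is ignored)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or len(ip) < total_len:
        return None
    ip = ip[:total_len]
    tcp = ip[ihl:]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "payload_len": len(tcp) - (off >> 4) * 4,
        "csum_ok": inet_checksum(pseudo + tcp) == 0,
    }


def active_response(frame, dst_mac=DST_MAC, sensor_mac=SENSOR_MAC):
    """Simplified model of resp:rst_all: a RST/ACK toward each end of the
    connection, each spoofed from the other end, emitted on the response
    device with the configured next-hop dst_mac. Basic sequence handling
    only; Snort's real logic is more involved."""
    p = parse_frame(frame)
    if p is None:
        return []
    nxt = p["seq"] + p["payload_len"]   # what the receiver expects next
    # Toward the sender: pose as the receiver, seq = sender's ack value.
    to_sender = build_tcp_frame(sensor_mac, dst_mac, p["dst_ip"], p["src_ip"],
                                p["dport"], p["sport"], p["ack"], nxt,
                                TCP_RST | TCP_ACK)
    # Toward the receiver: pose as the sender, continuing its stream.
    to_receiver = build_tcp_frame(sensor_mac, dst_mac, p["src_ip"], p["dst_ip"],
                                  p["sport"], p["dport"], nxt, p["ack"],
                                  TCP_RST | TCP_ACK)
    return [to_sender, to_receiver]


def count_resets(frames, dst_mac=DST_MAC):
    """Offline equivalent of the tcpdump check on the response interface:
    RSTs addressed to dst_mac, counting only those whose checksum verifies."""
    n = 0
    for f in frames:
        p = parse_frame(f)
        if p and p["dst_mac"] == dst_mac.lower() and p["flags"] & TCP_RST \
                and p["csum_ok"]:
            n += 1
    return n


# Constructed sample: a client request that would trip a rule with a resp option.
OFFENDING = build_tcp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                            "10.0.0.5", "10.0.0.9", 40000, 80, 1000, 5000,
                            TCP_PSH | TCP_ACK,
                            b"GET /cgi-bin/evil HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    resets = active_response(OFFENDING)
    print("RSTs on response interface:", count_resets([OFFENDING] + resets))
```

count_resets() mirrors the live check on the box, which for the posted config is tcpdump -ni eth1 'ether dst 00:d0:02:1c:f0:00 and tcp[tcpflags] & tcp-rst != 0'; if that shows nothing while the rule fires, the problem is upstream of the wire (as the unhit Active_SendResponses breakpoint in the post suggests), whereas RSTs that appear but carry bad checksums point at the frame builder instead.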
