Re: Snort REACT Response

[Peter Fraser <pjfraser82 () gmail com>]

Hi,

Attached is my snort.conf

Thanks for the response. I provide the complete packet captures etc when I
get a chance to set this up this afternoon.

Cheers.

On Wed, Dec 3, 2014 at 1:47 AM, Hui cao <huica () cisco com> wrote:

>  Hi Peter,
>
> Can you run your configuration with Dump daq and -r <pcap> in command
> line?  ( --daq dump --daq-var load-mode=read-file -Q ). You should see the
> response page in the inline-out.pcap if the snort configuration is correct.
>
> Can you provide pcap when this fails?
>
> Best,
> Hui.
>
> On 12/01/2014 11:22 PM, Peter Fraser wrote:
>
> Hi,
>
> Does anyone know if there are any issues with the correct stable release
> and the REACT response. I cannot get it to respond with the HTML template.
>
>  Below is an email I have sent to snort user group but have not had alot
> of traction.
>
>  Thanks
>
>  --------------------------------
>
>  Hi,
>
>  I have setup snort running as an IPS using NFQUEUE.
>
>  I can detect rules and run block and deny on them however I cannot seem
> to get react to respond with a html page.
>
>  here is my configure command:
>
>  ./configure --enable-sourcefire --enable-open-appid --enable-react
>  --enable-flexrsp3
>
>  I am running Snort  2.9.7.0
>
>  my rule example is:
>
>  drop tcp any any -> any $HTTP_PORTS  (msg:"http://www.news.com.au";;
> content:"news.com.au"; react: msg; sid:283; rev:1;)
>
>  I have followed the docs and I am happy to accept all defaults at this
> stage with regard to the response but the connection still just times out
> regardless.
>
>  Any help is greatly appreciated.
>
>  Cheers
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, 
> FREEhttp://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
>
>
>
> _______________________________________________
> Snort-devel mailing listSnort-devel@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
>
> http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

Attachment: snort (1).conf
Description:

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!