Snort mailing list archives

Re: Snort REACT Response


From: "Hui Cao (huica)" <huica () cisco com>
Date: Wed, 3 Dec 2014 15:10:08 +0000

Hi Peter,

Most likely, this is caused by the configuration of NFQ, not Snort. How did you configure it?

Best,
Hui.

From: Peter Fraser <pjfraser82 () gmail com>
Date: Tuesday, December 2, 2014 at 11:45 PM
To: Hui Cao <huica () cisco com>
Cc: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] Snort REACT Response

Hui and Ed,

Oops forgot attachments.



On Wed, Dec 3, 2014 at 3:43 PM, Peter Fraser <pjfraser82 () gmail com> wrote:
Hui and Ed,

Ok, Thanks again for the response. Here is what I can tell you so far.

Based on an email I have received from Hui, I performed the following:

Created a small snort.conf (attached snort.conf). (relying on default response html template)
Created a sample pcap file (attached httpd.pcap)

Ran a dump using snort and captured inline-out.pcap (attached)

Command ran: snort -c snort.conf -r httpd.pcap -A cmg -K none --daq dump --daq-var load-mode=read-file -Q

I can confirm that when running it in this configuration it works and the response packet is indeed in
inline-out.pcap. This is good news in the sense that it would seem that snort is compiled correctly and returning
active responses.

I will respond with another email with my next set of tests.

Thanks again.

Pete




On Wed, Dec 3, 2014 at 11:38 AM, Peter Fraser <pjfraser82 () gmail com> wrote:
Hi,

Attached is my snort.conf

Thanks for the response. I'll provide the complete packet captures etc. when I get a chance to set this up this afternoon.

Cheers.

On Wed, Dec 3, 2014 at 1:47 AM, Hui cao <huica () cisco com> wrote:
Hi Peter,

Can you run your configuration with the Dump DAQ and -r <pcap> on the command line? ( --daq dump --daq-var load-mode=read-file
-Q ). You should see the response page in inline-out.pcap if the snort configuration is correct.

Can you provide a pcap for when this fails?

Best,
Hui.

On 12/01/2014 11:22 PM, Peter Fraser wrote:
Hi,

Does anyone know if there are any issues with the current stable release and the REACT response? I cannot get it to
respond with the HTML template.

Below is an email I have sent to the snort-users group but have not had a lot of traction.

Thanks

--------------------------------

Hi,

I have set up snort running as an IPS using NFQUEUE.

I can detect rules and run block and deny on them; however, I cannot seem to get react to respond with an HTML page.

here is my configure command:

./configure --enable-sourcefire --enable-open-appid --enable-react --enable-flexrsp3

I am running Snort 2.9.7.0

my rule example is:

drop tcp any any -> any $HTTP_PORTS (msg:"http://www.news.com.au"; content:"news.com.au"; react: msg; sid:283; rev:1;)

I have followed the docs and I am happy to accept all defaults at this stage with regard to the response, but the
connection still just times out regardless.

Any help is greatly appreciated.

Cheers



------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
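A check for the dump-DAQ test described in this thread, written for this page as an added example (it is not code from the thread or from the Snort project): it reads the inline-out.pcap that `--daq dump` writes, using only the Python standard library, and reports for each flow to an HTTP port whether the canned 403 page that Snort 2.9's react keyword injects is present, so the "is the response packet there?" step does not depend on eyeballing the capture. The `HTTP/1.1 403 Forbidden` status line assumed for the react template, the addresses, and the two packets in `sample_pcap()` are assumptions and constructed test data, not taken from Peter's captures.

```python
"""Check a dump-DAQ output pcap (inline-out.pcap) for the 403 page that
Snort's react keyword injects. Standard library only; classic pcap format."""
import struct

# Status line of the canned react response in Snort 2.9 (sp_react.c). This is
# an assumption about the default template; adjust it if your build differs.
REACT_STATUS_LINE = b"HTTP/1.1 403 Forbidden"


def parse_pcap(data):
    """Yield raw Ethernet frames from classic pcap bytes (pcapng not supported)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src, sport, dst, dport, tcp_flags, payload) for IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # protocol field: not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[13], tcp[doff:]


def find_react_responses(pcap_bytes, http_ports=(80,)):
    """Map each client->HTTP-port flow to its request line, the injected react
    response (None if absent) and whether a RST was seen from the server side."""
    flows = {}
    for frame in parse_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        src, sport, dst, dport, flags, payload = pkt
        if dport in http_ports:  # client -> server
            rec = flows.setdefault((src, sport, dst, dport),
                                   {"request": None, "response": None, "rst": False})
            if payload:
                rec["request"] = payload.split(b"\r\n", 1)[0]
        elif sport in http_ports:  # server -> client: where react injects
            rec = flows.setdefault((dst, dport, src, sport),
                                   {"request": None, "response": None, "rst": False})
            if payload.startswith(REACT_STATUS_LINE):
                rec["response"] = payload
            if flags & 0x04:
                rec["rst"] = True
    return flows


def build_frame(src, sport, dst, dport, flags, payload):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (no checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (LINKTYPE_ETHERNET)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


def sample_pcap():
    """Constructed stand-in for inline-out.pcap: one GET for news.com.au and the
    response react would inject. Addresses and TCP flags are illustrative."""
    client, server = "10.0.0.5", "203.0.113.10"
    req = b"GET / HTTP/1.1\r\nHost: news.com.au\r\n\r\n"
    page = b"<html><body><h1>Access Denied</h1></body></html>"
    resp = (REACT_STATUS_LINE + b"\r\nConnection: close\r\n"
            b"Content-Type: text/html; charset=utf-8\r\n"
            b"Content-Length: %d\r\n\r\n" % len(page) + page)
    return build_pcap([build_frame(client, 40000, server, 80, 0x18, req),    # PSH|ACK
                       build_frame(server, 80, client, 40000, 0x19, resp)])  # FIN|PSH|ACK


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for key, rec in find_react_responses(data).items():
        status = "react response present" if rec["response"] else "NO react response"
        print("%s:%d -> %s:%d  %s  %s" % (key + (rec["request"], status)))
```

Run it as `python3 check_react.py inline-out.pcap` after the dump-DAQ command above; with no argument it runs on the constructed sample. A flow that shows the request but `NO react response` means Snort never built the response for that rule (configuration or compile problem), while a 403 that is present here but never reaches the client in the live deployment points away from Snort and towards the NFQUEUE path, which is the direction Hui suggests above.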




