Snort mailing list archives

about snort active responses in passive mode


From: chinghsiung <chinghsiung () honeynet org tw>
Date: Fri, 13 Feb 2015 23:58:13 +0800

Hello, now I have a problem: Snort active responses are not working.

snort.conf
========
README.active
config response: device eth1 attempts 20
config react: /etc/snort/block.html
..........
..........
.........
...........
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 25, \
   min_response_seconds 1


=============
about rule:
alert tcp any any -> any $HTTP_PORTS (msg:"aa710"; content:"x49.aa710.com"; sid:8; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"sex"; content:"www.sex.com"; sid:15; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"hilive"; content:"www.hilive.tv"; react:block,msg; sid:14;)

I already ran ./configure --enable-sourcefire --enable-active-response --enable-flexresp3 --enable-react
and then make, make install.


[switch port with mirrored 802.1q traffic]===[eth0 used for monitoring only]-[PC with snort]-[eth1 used for sending TCP RST (active response) and has network access]===[network]


Does anyone know how to solve this problem? I have not seen any block page or TCP RST. But when I use VMware Workstation to run this active response, it works!!

-- 
Honeynet Taiwan Chapter
Hsu, ChingHsiung(清雄)
chinghsiung () honeynet org tw
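As an added example (not part of the original post and not Snort project code), the script below is a small consistency check that parses the snort.conf fragment and the three rules quoted above and reports anything that would keep active response from firing: a missing `config response: device`, a missing `config react:` page, stream5 not tracking TCP, `max_active_responses` set to zero, or a `react` rule that is not a TCP rule or has no `sid`. The config and rule text are embedded inline as constructed sample input; the option parser splits rule options on `;`, so it assumes no `;` inside a `content` string, and it assumes the snort.conf uses trailing backslashes for line continuation, as in the post.

```python
import re

# Constructed sample input: the snort.conf fragment and rules from the post,
# embedded here so the check runs offline.
SNORT_CONF = """\
config response: device eth1 attempts 20
config react: /etc/snort/block.html
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   track_icmp no, \\
   max_tcp 262144, \\
   max_udp 131072, \\
   max_active_responses 25, \\
   min_response_seconds 1
"""

RULES = """\
alert tcp any any -> any $HTTP_PORTS (msg:"aa710"; content:"x49.aa710.com"; sid:8; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"sex"; content:"www.sex.com"; sid:15; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"hilive"; content:"www.hilive.tv"; react:block,msg; sid:14; )
"""


def join_continuations(text):
    # snort.conf continues a directive on the next line with a trailing backslash
    return re.sub(r"\\\n\s*", " ", text)


def parse_conf(text):
    """Extract the active-response relevant directives from a snort.conf fragment."""
    info = {"response_device": None, "react_page": None, "stream5": {}}
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("config response:"):
            m = re.search(r"device\s+(\S+)", line)
            if m:
                info["response_device"] = m.group(1)
        elif line.startswith("config react:"):
            info["react_page"] = line.split(":", 1)[1].strip()
        elif line.startswith("preprocessor stream5_global:"):
            # options are "key value" pairs separated by commas
            for kv in line.split(":", 1)[1].split(","):
                parts = kv.split()
                if len(parts) == 2:
                    info["stream5"][parts[0]] = parts[1]
    return info


RULE_RE = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rules(text):
    """Parse simple one-line Snort rules into action, protocol and an option dict.
    Assumption: no ';' inside content strings (true for the sample rules)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = {}
        for opt in m.group(7).split(";"):
            opt = opt.strip()
            if opt:
                key, _, value = opt.partition(":")
                opts[key.strip()] = value.strip()
        rules.append({"action": m.group(1), "proto": m.group(2), "opts": opts})
    return rules


def check_active_response(conf_text, rules_text):
    """Return a list of problems that would prevent react/resp from working; empty if none."""
    conf = parse_conf(conf_text)
    problems = []
    if not conf["response_device"]:
        problems.append("no 'config response: device <iface>'; a passive sensor has no interface to send RSTs on")
    if not conf["react_page"]:
        problems.append("no 'config react:' block page configured")
    s5 = conf["stream5"]
    if s5.get("track_tcp") != "yes":
        problems.append("stream5_global track_tcp is not 'yes'; TCP responses need stream tracking")
    if int(s5.get("max_active_responses", "0")) < 1:
        problems.append("stream5_global max_active_responses is 0; active response is disabled")
    for r in parse_rules(rules_text):
        if "react" not in r["opts"] and "resp" not in r["opts"]:
            continue
        sid = r["opts"].get("sid", "?")
        if "react" in r["opts"] and r["proto"] != "tcp":
            problems.append(f"sid {sid}: react only applies to tcp rules")
        if "sid" not in r["opts"]:
            problems.append("a react/resp rule has no sid")
    return problems


if __name__ == "__main__":
    for p in check_active_response(SNORT_CONF, RULES) or ["config and rules look consistent"]:
        print(p)
```

Run it against the real files by reading snort.conf and the rules file into `SNORT_CONF` and `RULES`; an empty result means the configuration side is consistent, so the remaining suspects are the build flags and whether eth1 can actually reach the monitored hosts.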

