Re: snort react action

[free <free.aaa () gmail com>]

Albert,
thanks for response.
> # snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.8.0 GRE (Build 229)
>    ''''    By Martin Roesch & The Snort Team: 
> http://www.snort.org/contact#team
>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All 
> rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.6.2
>            Using PCRE version: 8.35 2014-04-04
>            Using ZLIB version: 1.2.8

start command:
> # /usr/local/bin/snort -D -q -N -m 027 -d -l /var/log/snort -c 
> /etc/snort/snort.conf -i eth1

rule (only 1 rule) and config attached.


06.04.2016 17:47, Al Lewis (allewi) пишет:
> Hello,
>
>         What version of snort are you using?
>         What rule are you using?

>         What command are you using to start snort?
>         Do you have a config file you can share?
>
> Need a little more information sorry.
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi () cisco com
>
>
> -----Original Message-----
> From: free [mailto:free.aaa () gmail com]
> Sent: Wednesday, April 06, 2016 3:28 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] snort react action
>
> Hi all!
> I made some rules with react action in them. With afpacket daq mode all is working fine, I see hijacked responses on 
> the client. But when I switch daq to pfring react stops working. In logs I see that snort is matching the rule, but no 
> action... Any help?
>
> Thanks in advance!
> Best regards,
> Alex
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: rule.txt
Description:

Attachment: conf.txt
Description:

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!