Snort mailing list archives

Re: snort3: Active: active.device is mandatory


From: Meridoff via Snort-devel <snort-devel () lists snort org>
Date: Tue, 15 Oct 2019 16:52:38 +0300

"you have something configured which requires active support "

Yes, I have reject {} subsystem and 1 reject rule. But no device and no
max_responses and others set.

Tue, 15 Oct 2019 at 16:49, Meridoff <oagvozd () gmail com>:

Ok, thanks.
But Active is enabled if max_responses > 0 or if react/reject rules are used (it
calls set_enabled(true)). I have such a rule. So
Active::thread_init() calls open(sc->respond_device.c_str()) with an empty
device string.

I can configure active.device and max_responses. Though I can't find these
requirements in doc/active.txt.

Thanks


Tue, 15 Oct 2019 at 15:46, Russ Combs (rucombs) <rucombs () cisco com>:

That error indicates that you have something configured which requires
active support which is not the case for a default config.  Apart from
active.max_responses, dce_smb.smb_file_inspection and react, reject, or
rewrite rules will attempt to enable responses.  These internal enables
will possibly go away but for now you need to update your config.



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of
Meridoff via Snort-devel <snort-devel () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
Date: Tuesday, October 15, 2019 at 7:12 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] snort3: Active: active.device is mandatory



Currently, if I have not configured active {}, using the defaults for example, I have
such a thing in the log:

" FATAL ERROR: Active response: can't open "





Tue, 15 Oct 2019 at 14:08, Meridoff <oagvozd () gmail com>:

Hello, if I have not configured active.device, we have in Active::open (char
*dev):

    if ( dev && strcasecmp(dev, "ip") )
    {
        s_link = eth_open(dev);
    ...

So here we are trying to eth_open for an empty device.

Maybe change it so that if no device is specified, we use "ip":

For example:

    if ( dev && strlen(dev) && strcasecmp(dev, "ip") )
    {
        s_link = eth_open(dev);
    ...


_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
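The null-versus-empty distinction behind the quoted check, as an added C++ example that is not Snort's own code and not from anyone in this thread. It models both predicates from the thread behind a hypothetical mock_eth_open() (an assumption: it only fails for an empty interface name) and feeds them the c_str() of a std::string the way thread_init() is described as doing. The point for whoever operates the sensor: an unconfigured std::string never yields a null pointer, so the `dev &&` test passes, eth_open("") fails, and the startup FATAL ERROR means the inspection process does not come up at all; a config that looked harmless (one reject rule, no active.device) leaves the sensor down until the device is set.

```cpp
#include <cstring>
#include <iostream>
#include <string>
#include <strings.h>   // strcasecmp() (POSIX)

// Outcome of the device-selection branch the thread quotes from Active::open():
// the "ip" (socket) path, a successful eth_open(), or the failure that surfaces
// as "FATAL ERROR: Active response: can't open".
enum class LinkPath { Ip, Eth, OpenFailed };

// Stand-in for eth_open() (hypothetical, not Snort's implementation): a real one
// opens a raw link-layer handle on the named interface; this mock models only the
// property the thread relies on, that an empty name cannot be opened.
static bool mock_eth_open(const char* dev)
{
    return dev != nullptr && std::strlen(dev) > 0;
}

// The predicate as quoted in the thread: only a null pointer or the literal
// "ip" avoids eth_open().
LinkPath choose_link_quoted(const char* dev)
{
    if ( dev && strcasecmp(dev, "ip") )
        return mock_eth_open(dev) ? LinkPath::Eth : LinkPath::OpenFailed;
    return LinkPath::Ip;
}

// The predicate with the strlen() guard proposed in the thread: an empty name
// now also falls through to the "ip" path.
LinkPath choose_link_proposed(const char* dev)
{
    if ( dev && std::strlen(dev) && strcasecmp(dev, "ip") )
        return mock_eth_open(dev) ? LinkPath::Eth : LinkPath::OpenFailed;
    return LinkPath::Ip;
}

// Mirrors the call site the thread describes, open(sc->respond_device.c_str()):
// an unconfigured std::string yields "" and never nullptr, so the `dev &&` test
// alone cannot detect "no device configured".
LinkPath simulate_thread_init(const std::string& respond_device, bool use_proposed)
{
    const char* dev = respond_device.c_str();
    return use_proposed ? choose_link_proposed(dev) : choose_link_quoted(dev);
}

static const char* name(LinkPath p)
{
    switch (p)
    {
    case LinkPath::Ip:         return "ip path";
    case LinkPath::Eth:        return "eth_open() succeeded";
    case LinkPath::OpenFailed: return "can't open (fatal)";
    }
    return "?";
}

int main()
{
    // Constructed configurations: device unset, explicit "ip", and an interface name.
    const std::string configs[] = { "", "ip", "eth0" };
    for (const auto& dev : configs)
    {
        std::cout << "respond_device=\"" << dev << "\": quoted -> "
                  << name(simulate_thread_init(dev, false))
                  << ", proposed -> "
                  << name(simulate_thread_init(dev, true)) << '\n';
    }
    return 0;
}
```

Compiled with any C++11 compiler on a POSIX system, the first row of output is the one that matters: the quoted predicate reports "can't open (fatal)" for an empty respond_device while the proposed predicate reports "ip path"; the other two rows behave identically under both checks, which is what makes the strlen() guard a safe narrowing of the change.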
