Snort mailing list archives
Re: Help! An error about "reject" action with build261
From: sofardware via Snort-users <snort-users () lists snort org>
Date: Thu, 17 Oct 2019 10:59:20 +0800 (CST)
Hi,
Tank for you help, I will do as what you have done.
在 2019-10-16 17:53:02,"Meridoff" <oagvozd () gmail com> 写道:
I had such problem. For me It's enough to specify is active.device = "ip | ethN" . Minimally.
ср, 16 окт. 2019 г. в 10:39, sofardware via Snort-users <snort-users () lists snort org>:
Hi all,
I start snort(build261) failed with reject = { } in snort.lua, and the error is as follow . But it can be
done successfully with snort version of build 250.
The error is as follow:
FATAL: Active response: can't open
Fatal Error, Quitting..
After my debuging , I found when add the follow config to snort.lua can resolve the above erro with reject = {}:
active =
{
attempts = 2,
device = "eth0",
dst_mac = "00:06:76:DD:5F:E3",
}
The snort3_manual says:dst_mac will change response destination MAC address, if the device is eth0, eth1, eth2 etc.
Otherwise, response destination MAC address is derived from packet.
What is more important, I do not want to set a fixed MAC address rather than want the response destination MAC address
is derived from packet.
So How to resolve it?
Another question, what is difference between reject and reset as rule action ?
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
_______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users To unsubscribe, send an email to: snort-users-leave () lists snort org Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Help please!!! snort_build261 can not reload config successfully with daq in nfq, (continued)
- Help please!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 09)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq Russ Combs (rucombs) via Snort-users (Oct 09)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 09)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 09)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 10)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq Michael Altizer (mialtize) via Snort-users (Oct 10)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq Michael Altizer (mialtize) via Snort-users (Oct 11)
- Help please!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 09)
- new Help please!!! snort_build261 appid can not identify http sofardware via Snort-users (Oct 12)
- Help! An error about "reject" action with build261 sofardware via Snort-users (Oct 16)
- Re: Help! An error about "reject" action with build261 Meridoff via Snort-users (Oct 16)
- Re: Help! An error about "reject" action with build261 sofardware via Snort-users (Oct 16)
- Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 sofardware via Snort-users (Oct 10)
- Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 Michael Altizer (mialtize) via Snort-users (Oct 11)