[Snort-devel] Snort REACT Response

Hui cao huica at ...3461...
Tue Dec 2 09:47:31 EST 2014


Hi Peter,

Can you run your configuration with the dump DAQ and -r <pcap> on the 
command line?  ( --daq dump --daq-var load-mode=read-file -Q ). You should see 
the response page in the inline-out.pcap if the Snort configuration is 
correct.

Can you provide a pcap when this fails?

Best,
Hui.

On 12/01/2014 11:22 PM, Peter Fraser wrote:
> Hi,
>
> Does anyone know if there are any issues with the correct stable 
> release and the REACT response? I cannot get it to respond with the 
> HTML template.
>
> Below is an email I have sent to the Snort user group but have not had 
> a lot of traction.
>
> Thanks
>
> --------------------------------
>
> Hi,
>
> I have set up Snort running as an IPS using NFQUEUE.
>
> I can detect rules and run block and deny on them; however, I cannot 
> seem to get react to respond with an HTML page.
>
> Here is my configure command:
>
> ./configure --enable-sourcefire --enable-open-appid 
> --enable-react --enable-flexrsp3
>
> I am running Snort 2.9.7.0
>
> My rule example is:
>
> drop tcp any any -> any $HTTP_PORTS (msg:"http://www.news.com.au"; 
> content:"news.com.au"; react: msg; sid:283; rev:1;)
>
> I have followed the docs and I am happy to accept all defaults at this 
> stage with regard to the response but the connection still just times 
> out regardless.
>
> Any help is greatly appreciated.
>
> Cheers
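One way to check the inline-out.pcap from the dump DAQ run suggested in the reply, as an added example that is not part of the original thread or Snort's own code: it lists every TCP payload in a capture that begins with an HTTP status line. It assumes a little-endian classic pcap with Ethernet/IPv4 framing; the helper names, addresses and sample packets (including the 403 status line) are constructed for illustration.

```python
import socket
import struct

def http_responses(pcap_bytes):
    """Return (src, dst, status_line) for each TCP payload starting with 'HTTP/'."""
    if struct.unpack("<I", pcap_bytes[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    if struct.unpack("<I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    found, off = [], 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack("<I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep IPv4 (ethertype 0x0800) carrying TCP (protocol 6) only.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        total_len = struct.unpack("!H", frame[16:18])[0]
        # Payload starts after the TCP header and ends at the IP total length.
        payload = frame[14 + ihl + (tcp[12] >> 4) * 4:14 + total_len]
        if payload.startswith(b"HTTP/"):
            line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            found.append((socket.inet_ntoa(frame[26:30]),
                          socket.inet_ntoa(frame[30:34]), line))
    return found

def _frame(src, dst, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    """Wrap frames in a classic pcap file image (Ethernet link type)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: one client request and one response page on the wire.
SAMPLE = _pcap([
    _frame("192.0.2.10", "198.51.100.5", 40000, 80, b"GET / HTTP/1.1\r\nHost: news.com.au\r\n\r\n"),
    _frame("198.51.100.5", "192.0.2.10", 80, 40000, b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"),
])

if __name__ == "__main__":
    for src, dst, line in http_responses(SAMPLE):
        print(src, "->", dst, line)
```

To inspect a real capture, pass the file contents instead, for example `http_responses(open("inline-out.pcap", "rb").read())`; an empty result means no response page was written to the output.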
