[Snort-devel] Snort REACT Response

Peter Fraser pjfraser82 at ...2499...
Tue Dec 2 23:43:59 EST 2014


Hui and Ed,

OK, thanks again for the response. Here is what I can tell you so far.

Based on an email I have received from Hui, I performed the following:

Created a small snort.conf (attached snort.conf), relying on the default
response HTML template.
Created a sample pcap file (attached httpd.pcap).

Ran a dump using snort and captured inline-out.pcap (attached).

Command ran: snort -c snort.conf -r httpd.pcap  -A cmg -K none  --daq dump
--daq-var load-mode=read-file -Q

I can confirm that when running it in this configuration it works and
the response packet is indeed in inline-out.pcap. This is good news in the
sense that it would seem that snort is compiled correctly and returning
active responses.

I will respond with another email with my next set of tests.

Thanks again.

Pete




On Wed, Dec 3, 2014 at 11:38 AM, Peter Fraser <pjfraser82 at ...2499...> wrote:

> Hi,
>
> Attached is my snort.conf
>
> Thanks for the response. I will provide the complete packet captures etc. when I
> get a chance to set this up this afternoon.
>
> Cheers.
>
> On Wed, Dec 3, 2014 at 1:47 AM, Hui cao <huica at ...3461...> wrote:
>
>> Hi Peter,
>>
>> Can you run your configuration with Dump daq and -r <pcap> in command
>> line?  ( --daq dump --daq-var load-mode=read-file -Q ). You should see the
>> response page in the inline-out.pcap if the snort configuration is correct.
>>
>> Can you provide pcap when this fails?
>>
>> Best,
>> Hui.
>>
>> On 12/01/2014 11:22 PM, Peter Fraser wrote:
>>
>> Hi,
>>
>> Does anyone know if there are any issues with the correct stable release
>> and the REACT response? I cannot get it to respond with the HTML template.
>>
>> Below is an email I have sent to the snort user group but have not had a lot
>> of traction.
>>
>> Thanks
>>
>> --------------------------------
>>
>> Hi,
>>
>> I have set up snort running as an IPS using NFQUEUE.
>>
>> I can detect rules and run block and deny on them; however, I cannot seem
>> to get react to respond with an HTML page.
>>
>> Here is my configure command:
>>
>> ./configure --enable-sourcefire --enable-open-appid --enable-react --enable-flexrsp3
>>
>> I am running Snort 2.9.7.0
>>
>> My rule example is:
>>
>> drop tcp any any -> any $HTTP_PORTS (msg:"http://www.news.com.au";
>> content:"news.com.au"; react: msg; sid:283; rev:1;)
>>
>> I have followed the docs and I am happy to accept all defaults at this
>> stage with regard to the response, but the connection still just times out
>> regardless.
>>
>> Any help is greatly appreciated.
>>
>> Cheers
>>
>>
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>> Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>
>
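The check Hui suggests above (look for the response page in inline-out.pcap) can be automated. The following is an added example, not code from this thread or from the Snort project: a stdlib-only pcap reader that walks the Ethernet/IPv4/TCP frames in a classic pcap file and reports any TCP payload that is an HTTP response carrying an HTML body, which is the shape of the packet the react keyword injects. It assumes the file is classic pcap (not pcapng) with Ethernet framing. The embedded sample capture, its addresses, and the 403 page text are constructed for the demonstration; the status line and page that Snort's own template produces may differ, so the matcher keys on "HTTP/1." plus a text/html header or an <html> tag rather than on exact text.

```python
"""Scan a pcap (e.g. inline-out.pcap from Snort's dump DAQ) for injected
HTML responses. Added example; stdlib only, sample capture is constructed."""
import socket
import struct
import sys


def pcap_frames(data):
    """Yield raw link-layer frames from a classic pcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:          # written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:        # written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:                # DLT_EN10MB: Ethernet
        raise ValueError("only Ethernet-framed captures are handled")
    off = 24                         # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:                   # protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            sport, dport, tcp[data_off:])


def find_html_responses(data):
    """List every TCP payload that looks like an HTTP response with an HTML body."""
    hits = []
    for frame in pcap_frames(data):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, dst, sport, dport, payload = seg
        if not payload.startswith(b"HTTP/1."):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        if b"text/html" not in head.lower() and b"<html" not in body.lower():
            continue
        status = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
        hits.append({"src": src, "dst": dst, "sport": sport, "dport": dport, "status": status})
    return hits


def _frame(src_ip, dst_ip, sport, dport, flags, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed; checksums left zero)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed two-packet capture: a client GET and an injected 403 HTML page."""
    req = b"GET / HTTP/1.1\r\nHost: news.com.au\r\n\r\n"
    resp = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"
            b"<html><body>Blocked by policy.</body></html>")
    frames = [_frame("10.0.0.5", "203.0.113.10", 51514, 80, 0x18, req),
              _frame("203.0.113.10", "10.0.0.5", 80, 51514, 0x19, resp)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1417560000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # Usage: python check_react.py inline-out.pcap   (no argument: built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    hits = find_html_responses(data)
    for h in hits:
        print(f"{h['src']}:{h['sport']} -> {h['dst']}:{h['dport']}  {h['status']}")
    print("HTML response present" if hits else "no HTML response in capture")
```

Run it against inline-out.pcap after the snort -r ... --daq dump command; an empty result means the react page never made it into the output file, which separates a configuration or build problem (no response generated at all) from a delivery problem in the inline NFQUEUE path.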