[Snort-devel] Snort REACT Response

Peter Fraser pjfraser82 at ...2499...
Tue Dec 2 23:45:20 EST 2014


Hui and Ed,

Oops, forgot attachments.



On Wed, Dec 3, 2014 at 3:43 PM, Peter Fraser <pjfraser82 at ...2499...> wrote:

> Hui and Ed,
>
> OK, thanks again for the response. Here is what I can tell you so far.
>
> Based on an email I have received from Hui, I performed the following:
>
> Created a small snort.conf (attached snort.conf), relying on the default
> response HTML template.
> Created a sample pcap file (attached httpd.pcap).
>
> Ran a dump using snort and captured inline-out.pcap (attached).
>
> Command run: snort -c snort.conf -r httpd.pcap -A cmg -K none --daq dump
> --daq-var load-mode=read-file -Q
>
> I can confirm that when running it in this configuration it works and
> the response packet is indeed in inline-out.pcap. This is good news in the
> sense that it would seem that snort is compiled correctly and returning
> active responses.
>
> I will respond with another email with my next set of tests.
>
> Thanks again.
>
> Pete
>
>
>
>
> On Wed, Dec 3, 2014 at 11:38 AM, Peter Fraser <pjfraser82 at ...2499...>
> wrote:
>
>> Hi,
>>
>> Attached is my snort.conf
>>
>> Thanks for the response. I will provide the complete packet captures etc. when
>> I get a chance to set this up this afternoon.
>>
>> Cheers.
>>
>> On Wed, Dec 3, 2014 at 1:47 AM, Hui cao <huica at ...3461...> wrote:
>>
>>>  Hi Peter,
>>>
>>> Can you run your configuration with the Dump DAQ and -r <pcap> on the command
>>> line? ( --daq dump --daq-var load-mode=read-file -Q ). You should see the
>>> response page in inline-out.pcap if the Snort configuration is correct.
>>>
>>> Can you provide pcap when this fails?
>>>
>>> Best,
>>> Hui.
>>>
>>> On 12/01/2014 11:22 PM, Peter Fraser wrote:
>>>
>>> Hi,
>>>
>>> Does anyone know if there are any issues with the correct stable release
>>> and the REACT response? I cannot get it to respond with the HTML template.
>>>
>>> Below is an email I have sent to the snort user group but have not had
>>> a lot of traction.
>>>
>>>  Thanks
>>>
>>>  --------------------------------
>>>
>>>  Hi,
>>>
>>> I have set up Snort running as an IPS using NFQUEUE.
>>>
>>> I can detect rules and run block and deny on them; however, I cannot
>>> seem to get react to respond with an HTML page.
>>>
>>> Here is my configure command:
>>>
>>>  ./configure --enable-sourcefire --enable-open-appid --enable-react
>>>  --enable-flexrsp3
>>>
>>> I am running Snort 2.9.7.0
>>>
>>> My rule example is:
>>>
>>>  drop tcp any any -> any $HTTP_PORTS  (msg:"http://www.news.com.au";
>>> content:"news.com.au"; react: msg; sid:283; rev:1;)
>>>
>>>  I have followed the docs and I am happy to accept all defaults at this
>>> stage with regard to the response but the connection still just times out
>>> regardless.
>>>
>>>  Any help is greatly appreciated.
>>>
>>>  Cheers
>>>
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>> Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>>>
>>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf
Type: application/octet-stream
Size: 292 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141203/4c9e076f/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpd.pcap
Type: application/vnd.tcpdump.pcap
Size: 4636399 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141203/4c9e076f/attachment.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: inline-out.pcap
Type: application/vnd.tcpdump.pcap
Size: 240434 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141203/4c9e076f/attachment-0001.pcap>
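The check Hui describes (look in inline-out.pcap for the response page that Snort's react option injects) can be automated. This is an added example, not code from the thread or from the Snort project: it parses a libpcap file with the standard library only, assuming Ethernet/IPv4/TCP frames, and reports every HTTP response sent from an $HTTP_PORTS port (assumed to be 80 here). The capture it runs against is constructed inline to stand in for inline-out.pcap.

```python
import struct

def _segment(src_port, dst_port, payload):
    """Build a constructed Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap_bytes(frames):
    """Wrap frames in a libpcap file (magic 0xA1B2C3D4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def sample_capture():
    """Constructed stand-in for inline-out.pcap: a client request followed by an
    injected response of the kind react is expected to send back to the client."""
    return pcap_bytes([
        _segment(40000, 80, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
        _segment(80, 40000, b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n"
                            b"Content-Type: text/html\r\n\r\n<html>blocked</html>"),
    ])

def http_responses(data, http_ports=(80,)):
    """Return (src_port, status_line, body_is_html) for each TCP segment whose
    payload is an HTTP response sent from one of http_ports."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos, found = 24, []                      # skip the 24-byte global header
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
            continue                         # IPv4 over Ethernet, TCP only
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if sport in http_ports and payload.startswith(b"HTTP/1."):
            head, _, body = payload.partition(b"\r\n\r\n")
            status = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
            found.append((sport, status, b"<html" in body.lower()))
    return found

if __name__ == "__main__":
    for sport, status, is_html in http_responses(sample_capture()):
        print(f"response from port {sport}: {status} (html body: {is_html})")
```

Run it on the real file with `http_responses(open("inline-out.pcap", "rb").read())`; an empty list means no response page was injected, which is the failure the thread is chasing.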

