[Snort-users] 2.9.1.2/2.9.2 and Active Response

Jim Hranicky jfh at ...5250...
Fri Dec 2 11:24:13 EST 2011


Hey folks, I've just recently upgraded to 2.9.1.2 and it seems
that active response has stopped working again. I went ahead
and installed 2.9.2-rc and it seems to have the same problem.

I tracked down some bugs in 2.9.0.5 and sent in some patches, 
but it seems something may still be amiss or I'm missing something. 

Configure flags: 

  CFLAGS="-O2 -I/opt/pf/include" LDFLAGS="-L/opt/pf/lib
  -Wl,-rpath=/opt/pf/lib" ./configure --prefix=/opt/pf --enable-ipv6
  --enable-zlib --enable-reload --enable-flexresp3
  --with-libpfring-includes=/opt/pf/include
  --with-libpfring-libraries=/opt/pf/lib --enable-perfprofiling

response line:
  
  config response: device eth1 dst_mac 00:d0:02:1c:f0:00 attempts 10

I tripped some rules I have set up with resets, and the rules tripped,
but the RSTs weren't sent (checked with tcpdump on the response 
interface). I also gdb attached to one of the running snorts and set
a breakpoint at active.c:Active_SendResponses(), tripped the rules,
but the bp wasn't ever hit either. 

Any ideas as to the problem? I can keep noodling around with gdb and
see what I find. 

-- 
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida




More information about the Snort-users mailing list