[Snort-users] 18.104.22.168/2.9.2 and Active Response
jfh at ...5250...
Fri Dec 2 11:24:13 EST 2011
Hey folks, I've just recently upgraded to 22.214.171.124 and it seems
that active response has stopped working again. I went ahead
and installed 2.9.2-rc and it seems to have the same problem.
I tracked down some bugs in 126.96.36.199 and sent in some patches,
but it seems something may still be amiss or I'm missing something.

CFLAGS="-O2 -I/opt/pf/include" LDFLAGS="-L/opt/pf/lib
-Wl,-rpath=/opt/pf/lib" ./configure --prefix=/opt/pf --enable-ipv6
--enable-zlib --enable-reload --enable-flexresp3

config response: device eth1 dst_mac 00:d0:02:1c:f0:00 attempts 10

I tripped some rules I have set up with resets, and the rules tripped,
but the RSTs weren't sent (checked with tcpdump on the response
interface). I also gdb attached to one of the running snorts and set
a breakpoint at active.c:Active_SendResponses(), tripped the rules,
but the bp wasn't ever hit either.

Any ideas as to the problem? I can keep noodling around with gdb and
see what I find.
IT Security Engineer
Office of Information Security and Compliance
University of Florida
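One way to make the tcpdump check in the post above repeatable, as an added example that is not part of the original message or of Snort itself: capture on the response interface with `tcpdump -e -nn`, then count the TCP RST frames whose destination MAC equals the `dst_mac` from the `config response` line, per flow and per direction, and compare the count with the configured `attempts`. The capture text below is constructed for illustration; the parser assumes the standard `tcpdump -e -nn` line layout for IPv4/TCP, and the attempts comparison assumes Snort emits up to `attempts` RST frames per direction of a reset flow.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -e -nn -i eth1 'tcp[tcpflags] & tcp-rst != 0'`
# output (plus one stray SYN): three RSTs to the configured dst_mac for one
# flow, one RST to an unrelated MAC, one non-RST frame.
SAMPLE_CAPTURE = """\
11:24:13.100001 00:0c:29:aa:bb:cc > 00:d0:02:1c:f0:00, ethertype IPv4 (0x0800), length 54: 10.0.0.9.51234 > 10.0.0.5.80: Flags [R.], seq 1001, ack 2001, win 0, length 0
11:24:13.100002 00:0c:29:aa:bb:cc > 00:d0:02:1c:f0:00, ethertype IPv4 (0x0800), length 54: 10.0.0.5.80 > 10.0.0.9.51234: Flags [R.], seq 2001, ack 1001, win 0, length 0
11:24:13.100003 00:0c:29:aa:bb:cc > 00:d0:02:1c:f0:00, ethertype IPv4 (0x0800), length 54: 10.0.0.9.51234 > 10.0.0.5.80: Flags [R.], seq 1002, ack 2001, win 0, length 0
11:24:13.200000 00:0c:29:dd:ee:ff > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 54: 10.0.0.7.443 > 10.0.0.9.40000: Flags [R.], seq 0, ack 1, win 0, length 0
11:24:13.300000 00:0c:29:aa:bb:cc > 00:d0:02:1c:f0:00, ethertype IPv4 (0x0800), length 66: 10.0.0.9.51234 > 10.0.0.5.80: Flags [S], seq 5000, win 64240, length 0
"""

# Matches one `tcpdump -e -nn` line for an IPv4/TCP frame (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_frames(text):
    """Yield one dict per line that matches the tcpdump -e -nn layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def count_responses(text, response_mac):
    """Count RST frames addressed to `response_mac` (Snort's configured
    dst_mac), keyed by directional flow (src, sport, dst, dport)."""
    counts = Counter()
    for f in parse_frames(text):
        if f["dst_mac"].lower() != response_mac.lower():
            continue  # not an injected response frame
        if "R" not in f["flags"]:
            continue  # not a reset
        counts[(f["src"], int(f["sport"]), f["dst"], int(f["dport"]))] += 1
    return counts


def check_attempts(counts, attempts):
    """Return the flows that received fewer RSTs than the configured
    `attempts` value (assumes one RST per attempt per direction)."""
    return {flow: n for flow, n in counts.items() if n < attempts}


if __name__ == "__main__":
    # Values from the config response line in the post above.
    seen = count_responses(SAMPLE_CAPTURE, "00:d0:02:1c:f0:00")
    if not seen:
        print("no RSTs to the configured dst_mac were captured")
    for flow, n in seen.items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {n} RST(s)")
    for flow, n in check_attempts(seen, 10).items():
        print(f"short: {flow} got {n} of 10 attempts")
```

An empty result from `count_responses` on a capture taken while the rules fire is the same symptom the post describes (alerts without RSTs); a non-empty result with counts below `attempts` points instead at the response frames being sent but dropped or rate-limited on the way out.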