[Snort-users] Sourcefire VRT Rules and Snort Active Response

Jason D. McCormick jasonmc at ...15309...
Mon Jun 20 14:01:20 EDT 2011

Hello all,

I want to make certain that I understand how the Sourcefire VRT rules work in conjunction with Active Response modules in Snort.  I am attempting to setup a standard IDS implementation that will perform and alerting-only function.  To that end, I have setup a Linux host with 4 NICs in it.  The first NIC, eth0, is the general network traffic for the Linux host.  The other three are connected to span ports at various points within the infrastructure.  Since my goal is an inspect/report-only infrastructure, I don't want any attempts by Snort to actively respond with Flexresp, Sniping, etc.  However to use the Sourcefire VRT rules, it appears that I must have the options --enable-active-response, --enable-normalizer, and --enable-react compiled in.  The way I understand Snort via the documentation and my testing to date is that the general class of "Active Response" mechanisms only fire when Snort is running in inline mode.  The way I am running snort is using the source-provided initscript which executes with the options:

  /usr/sbin/snort -A fast -b -d -D -I -i eth1 -u snort \
    -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1

which should be a pcap-based listening-only mode correct?  I am correct in my understanding that when executed this way the Sourcefire VRT rulesets will not actively response since Snort isn't operating in inline mode, yes?

If I've failed to RTFM something and there's documentation on this facet of Snort that I've missed, please point me to it.

Thanks in advance!

Jason McCormick

More information about the Snort-users mailing list