[Snort-users] Sourcefire VRT Rules and Snort Active Response
rcombs at ...1935...
Mon Jun 20 14:37:18 EDT 2011
On Mon, Jun 20, 2011 at 2:01 PM, Jason D. McCormick <jasonmc at ...15309...> wrote:
> Hello all,
> I want to make certain that I understand how the Sourcefire VRT rules work
> in conjunction with Active Response modules in Snort. I am attempting to
> set up a standard IDS implementation that will perform an alerting-only
> function. To that end, I have set up a Linux host with 4 NICs in it. The
> first NIC, eth0, is the general network traffic for the Linux host. The
> other three are connected to span ports at various points within the
> infrastructure. Since my goal is an inspect/report-only infrastructure, I
> don't want any attempts by Snort to actively respond with Flexresp, Sniping,
> etc. However to use the Sourcefire VRT rules, it appears that I must have
> the options --enable-active-response, --enable-normalizer, and
> --enable-react compiled in. The way I understand Snort via the
> documentation and my testing to date is that the general class of "Active
> Response" mechanisms only fire when Snort is running in inline mode. The
> way I am running snort is using the source-provided initscript which
> executes with the options:
> /usr/sbin/snort -A fast -b -d -D -I -i eth1 -u snort \
> -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
> which should be a pcap-based listening-only mode correct?
Unless you changed it at build time, your default DAQ is pcap, correct. And
that DAQ doesn't support packet injection, but ...
> I am correct in my understanding that when executed this way the
> Sourcefire VRT rulesets will not actively respond since Snort isn't
> operating in inline mode, yes?
Snort can still send active responses in IDS mode, so make sure that this
line or similar is commented out of your snort.conf:
# config response: eth0 attempts 2.
> If I've failed to RTFM something and there's documentation on this facet of
> Snort that I've missed, please point me to it.
> Thanks in advance!
> Jason McCormick
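A quick way to verify the point made in the reply above, namely that a passive sensor only stays alert-only if no response directive is left uncommented, is to audit the configuration before starting Snort. The script below is an added example for this thread, not code from either poster or from the Snort project. It assumes Snort 2.9-style directives (`config response:`, `config react:`, `config daq_mode:`, and the `resp:`/`react:` rule options), reads the files it is given without following `include` lines, and uses line-based heuristics rather than a real config parser. The two sample configs it writes are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not from the Snort project or the thread's posters.
# Audits Snort 2.9-style config/rule files for settings that arm active
# response even on a passive sensor (pcap DAQ, started without -Q).
# Assumptions: "include" lines are not followed; checks are line-based
# heuristics, not a parse of the Snort configuration grammar.

# snort_response_audit FILE...  prints every uncommented line that enables a
# response path; returns 1 if any were found, 0 if the sensor is alert-only.
snort_response_audit() {
    found=0
    for f in "$@"; do
        # engine-level directives: response device/attempts, react page, inline DAQ
        for pat in 'config response:' 'config react:' 'config daq_mode:[[:space:]]*inline'; do
            if hits=$(grep -nE "^[[:space:]]*$pat" "$f"); then
                printf '%s: engine directive arms active response:\n%s\n' "$f" "$hits"
                found=1
            fi
        done
        # rule-level: an uncommented rule whose options carry resp: or react:
        if hits=$(grep -nE '^[[:space:]]*[a-z]+[[:space:]].*[[:space:];(](resp|react):' "$f"); then
            printf '%s: rule invokes resp/react:\n%s\n' "$f" "$hits"
            found=1
        fi
    done
    return "$found"
}

# write_samples DIR  creates two constructed configs under DIR for a dry run.
write_samples() {
    cat > "$1/passive.conf" <<'EOF'
# constructed sample: alert-only sensor on a SPAN port
config daq: pcap
config daq_mode: passive
# config response: eth0 attempts 2
alert tcp any any -> any 80 (msg:"constructed rule, alert only"; sid:1000001; rev:1;)
EOF
    cat > "$1/active.conf" <<'EOF'
# constructed sample: same sensor with response left armed
config daq: pcap
config response: eth0 attempts 2
alert tcp any any -> any 80 (msg:"constructed rule with reset"; resp:rst_all; sid:1000002; rev:1;)
EOF
}

# Stand-alone dry run over the constructed samples. A real audit would point
# at /etc/snort/snort.conf and every rule file it includes.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for conf in "$demo_dir/passive.conf" "$demo_dir/active.conf"; do
    if snort_response_audit "$conf"; then
        echo "$conf: alert-only, no response paths configured"
    else
        echo "$conf: would send active responses in IDS mode; comment out the lines above"
    fi
done
rm -rf "$demo_dir"
```

Run it against the real snort.conf plus the rule files it includes, since a `resp:` or `react:` option inside a rule file is just as live as a `config response:` line in the main config. Also confirm the init script does not pass `-Q`, which switches Snort into inline mode regardless of what the config says.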