[Snort-users] Sourcefire VRT Rules and Snort Active Response

Russ Combs rcombs at ...1935...
Tue Jun 21 11:13:55 EDT 2011

On Mon, Jun 20, 2011 at 4:29 PM, Jason D. McCormick <jasonmc at ...15309...> wrote:

> >> I am correct in my understanding that when executed this
> >> way the Sourcefire VRT rulesets will not actively
> >> respond since Snort isn't operating in inline mode, yes?
> > Snort can still send active responses in IDS mode, so make
> > sure that this line or similar is commented out of your
> > snort.conf:
> > # config response: eth0 attempts 2.
> Yes it is, and that's how it comes from Sourcefire in the VRT ruleset too.
>  I just wanted to make sure there wasn't some other "default" value that
> made this still work with that line commented out (as opposed to set to 0 or
> something).  Sounds like I'm good then?

Yes.  You can double check that you see this (but it will only show if you
attempted to enable):

WARNING: active responses disabled since DAQ can't inject packets.

And your "Packet I/O Totals" at shutdown should show "Injected:

> - Jason
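
The two checks discussed in this thread (an uncommented `config response` line in snort.conf, and the DAQ warning plus the "Injected:" counter in Snort's output) can be scripted. The following is an added example, not code from the thread or from the Snort project; the function names, file names, and the layout of the constructed sample log are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit snort.conf and a Snort run log
# for the active-response indicators mentioned in the reply above.

# Print uncommented "config response" lines with line numbers.
# Returns 0 when at least one is present, 1 when none are.
active_response_lines() {
    grep -nE '^[[:space:]]*config[[:space:]]+response[[:space:]]*:' "$1"
}

# Print the "Injected:" counter from the shutdown "Packet I/O Totals" block.
injected_count() {
    awk '/Packet I\/O Totals/ { totals = 1; next }
         totals && $1 == "Injected:" { print $2; exit }' "$1"
}

# audit_active_response <snort.conf> <log>: print a one-line summary.
audit_active_response() {
    if active_response_lines "$1" >/dev/null; then
        state="requested"
    else
        state="not-configured"
    fi
    # The warning only appears when active response was requested but the
    # DAQ cannot inject packets.
    if grep -qF "active responses disabled since DAQ can't inject packets" "$2"; then
        state="$state,daq-cannot-inject"
    fi
    n=$(injected_count "$2")
    echo "$state injected=${n:-unknown}"
}

# Constructed sample input: the config line is the one quoted in the thread,
# the log layout and counter values are assumed for illustration.
work=$(mktemp -d)
printf '%s\n' 'var HOME_NET any' '# config response: eth0 attempts 2' > "$work/off.conf"
printf '%s\n' 'var HOME_NET any' 'config response: eth0 attempts 2' > "$work/on.conf"
printf '%s\n' 'Packet I/O Totals:' '   Received:         1200' \
    '   Injected:            0' > "$work/off.log"
printf '%s\n' "WARNING: active responses disabled since DAQ can't inject packets." \
    'Packet I/O Totals:' '   Received:         1200' \
    '   Injected:            0' > "$work/on.log"

audit_active_response "$work/off.conf" "$work/off.log"
audit_active_response "$work/on.conf" "$work/on.log"
```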