[Snort-users] Active response in passive mode

Seyed Amin Salehi salehi.seyedamin at ...11827...
Wed Jul 31 00:05:41 EDT 2013


Hi. I installed Snort 2.9.5 on BackTrack 5 R3. I configured snort.conf like this:
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 25, \
   min_response_seconds 25

config response: device ip attempts 20

I wrote a rule in local.rules like this:
alert tcp 10.10.9.40 any -> x.x.x.x 80 (msg:"target site visited";resp:rst_snd;sid:1000000;)
I start Snort like this:
snort -q -c /etc/snort/snort.conf -A console
My browser was closed before starting Snort, and I cleared the browser's cache.
After starting Snort, when I open the browser and try to visit the target
site, active response doesn't work. The output of Snort looks like this:
07/30-08:36:44.368316  [**] [1:1000000:0] target site visited [**] [Priority: 0] {TCP} 10.10.9.40:51444 -> x.x.x.x:80
But active response doesn't work and I can see the target site. Why?