[Snort-users] snort does not send active response in passive mode

Russ Combs rcombs at ...1935...
Thu Sep 19 14:25:05 EDT 2013


You can start by using the dump DAQ to see that you are alerting and
generating responses.  Comment out the "config response" line and add
"--daq dump" to your Snort command line.  Then do your test and check that
the resulting inline-out.pcap has your response(s) as expected.

If that is working, it is a matter of getting your config response to work
correctly.

Hope that helps.
Russ


On Thu, Sep 19, 2013 at 4:07 AM, Anton <warm at ...2377...> wrote:

> Good day.
>
> I'm trying to set up snort with active response in passive mode. Here is
> my setup:
>
>
> [switch port with mirrored 802.1q traffic]===[eth0 used for monitoring
> only]-[PC with snort]-[eth4 used for management
> and has network access]===[network]
>
> So, I have compiled snort-2.9.5.5 with
>
> ./configure \
>   --prefix=/usr \
>   --sysconfdir=/etc \
>   --mandir=/usr/man \
>   --localstatedir=/var \
>   --enable-pthread \
>   --enable-linux-smp-stats \
>   --enable-zlib \
>   --enable-active-response --enable-react --enable-flexresp3
>
>
> I've read instructions from README.active
>
> preprocessor stream5_global: \
>    track_tcp yes, \
>    track_udp no, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    max_active_responses 4, \
>    min_response_seconds 2
>
> ...
> # this was not required but I select only 80 port for better performance.
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports server \
>         80 \
>         , \
>     ports both 80 3128 \
>         8080
> ...
>
> config response: device eth4 dst_mac 00:1a:30:62:7c:40 attempts 2 # this
> is MAC of the default gateway
>
>
> I have a test rule:
>
> drop tcp any any -> any 80 (msg:"TEST0";\
>         content:"TEST0";\
>         resp:reset_source;\
>         sid:1;)
>
> I start snort like this:
>
> snort   -q \
>         --daq-var buffer_size_mb=128MB \
>         --treat-drop-as-alert \
>         -n 10000000 \
>         -i eth0 \
>         -l /var/log/snort \
>         -K none \
>         -c /etc/snort/snort.conf \
>         -A console \
>         -F 'bpf-file'
>
> bpf-file contains a filter for the test machine only. It looks like "vlan and
> host X.X.X.65"; vlan because it selects 802.1q frames.
>
> I start snort, then I do "telnet somehost 80" and type TEST0. Somehost
> prints an HTML page:
>
> <html>
> <head><title>400 Bad Request</title></head>
> <body bgcolor="white">
> <center><h1>400 Bad Request</h1></center>
> <hr><center>nginx</center>
> </body>
> </html>
>
> and closes the connection. Snort does not send anything, but it writes alert
> messages to the console, so snort can see the traffic described in the rule.
> I tried to run "tcpdump -ni eth4 'host X.X.X.65'" on the snort machine; it
> does not send anything to X.X.X.65 at all.
>
> Active response may or may not work, but snort should send some reset
> packets to X.X.X.65, and it does not.
>
> How can I find out the reason why snort does not send RST (or other)
> packets? If snort in passive mode should not send any active response,
> why not? The documentation says that it should send RST in passive mode.
>
> "Configure the number of attempts to land a TCP RST within the session's
> current window (so that it is accepted by the receiving TCP). This sequence
> "strafing" is really only useful in passive mode." - from the documentation
> (http://manual.snort.org/node26.html).
>
>
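One way to do the check Russ suggests, as an added example that is not code from this thread or from Snort itself: parse the inline-out.pcap written by the dump DAQ using only the Python standard library and list every TCP RST in it, skipping 802.1q tags since the monitored traffic here is VLAN-tagged. The capture at the bottom is constructed inline so the script runs offline; its addresses, ports and VLAN id are placeholders.

```python
import struct

ETH_P_8021Q, ETH_P_IP, TCP_RST = 0x8100, 0x0800, 0x04

def tcp_resets(pcap_bytes):
    """(src:port, dst:port) for every TCP RST in a libpcap file; 802.1q tags
    are skipped because the monitored traffic in this thread is VLAN-tagged."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # file byte order
    resets, off = [], 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl_len, = struct.unpack_from(end + "I", pcap_bytes, off + 8)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pos = 12                              # past dst/src MAC
        ethertype, = struct.unpack_from("!H", frame, pos)
        while ethertype == ETH_P_8021Q:       # strip stacked VLAN tags
            pos += 4
            ethertype, = struct.unpack_from("!H", frame, pos)
        pos += 2
        if ethertype != ETH_P_IP or frame[pos + 9] != 6:
            continue                          # not IPv4 carrying TCP
        ihl = (frame[pos] & 0x0F) * 4
        src = ".".join(map(str, frame[pos + 12:pos + 16]))
        dst = ".".join(map(str, frame[pos + 16:pos + 20]))
        tcp = pos + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        if frame[tcp + 13] & TCP_RST:         # flags byte of the TCP header
            resets.append((f"{src}:{sport}", f"{dst}:{dport}"))
    return resets

# --- constructed sample data (placeholder MACs/IPs, not a real capture) ---
def build_frame(src, dst, sport, dport, flags, vlan=None):
    eth = bytes(12)                           # zeroed dst/src MAC
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    eth += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 0, 0, 0)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# client PSH/ACK on VLAN 10, then the RST that resp:reset_source should send back to the client
SAMPLE_PCAP = build_pcap([build_frame("10.0.0.65", "10.0.0.80", 40000, 80, 0x18, vlan=10),
                          build_frame("10.0.0.80", "10.0.0.65", 80, 40000, TCP_RST | 0x10, vlan=10)])
```

Run it against the real inline-out.pcap with `tcp_resets(open("inline-out.pcap", "rb").read())`; an empty list means Snort never generated the response, so the problem is upstream of the `config response` device settings.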