[Snort-users] snort does not send active response in passive mode
rcombs at ...1935...
Thu Sep 19 14:25:05 EDT 2013
You can start by using the dump DAQ to see that you are alerting and
generating responses. Comment out the "config response" line and add
"--daq dump" to your Snort command line. Then do your test and check that
the resulting inline-out.pcap has your response(s) as expected.
If that is working, it is a matter of getting your config response to work.
Hope that helps.
On Thu, Sep 19, 2013 at 4:07 AM, Anton <warm at ...2377...> wrote:
> Good day.
> I'm trying to set up snort with active response in passive mode. Here is
> my setup:
> [switch port with mirrored 802.1q traffic]===[eth0 used for monitoring
> only]-[PC with snort]-[eth4 used for management
> and has network access]===[network]
> So, I have compiled snort-22.214.171.124 with
> ./configure \
> --prefix=/usr \
> --sysconfdir=/etc \
> --mandir=/usr/man \
> --localstatedir=/var \
> --enable-pthread \
> --enable-linux-smp-stats \
> --enable-zlib \
> --enable-active-response --enable-react --enable-flexresp3
> I've read instructions from README.active
> preprocessor stream5_global: \
> track_tcp yes, \
> track_udp no, \
> track_icmp no, \
> max_tcp 262144, \
> max_udp 131072, \
> max_active_responses 4, \
> min_response_seconds 2
> # this was not required, but I select only port 80 for better performance.
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>     overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports server 80, \
>     ports both 80 3128
> config response: device eth4 dst_mac 00:1a:30:62:7c:40 attempts 2 # this is the MAC of the default gateway
> I have test rule:
> drop tcp any any -> any 80 (msg:"TEST0";\
> I start snort like this:
> snort -q \
> --daq-var buffer_size_mb=128MB \
> --treat-drop-as-alert \
> -n 10000000 \
> -i eth0 \
> -l /var/log/snort \
> -K none \
> -c /etc/snort/snort.conf \
> -A console \
> -F 'bpf-file'
> bpf-file contains a filter for the test machine only. It looks like "vlan and
> host X.X.X.65"; vlan because it selects 802.1q.
> I start snort, then I do "telnet somehost 80" and type TEST0. Somehost
> prints an HTML page:
> <head><title>400 Bad Request</title></head>
> <body bgcolor="white">
> <center><h1>400 Bad Request</h1></center>
> and closes the connection. Snort does not send anything, but it writes alert
> messages to the console, so snort can see the traffic described in the rule.
> I tried to start "tcpdump -ni eth4 'host X.X.X.65'" on the snort machine;
> it does not send anything to X.X.X.65 at all.
> Whether the active response ends up working or not, snort should send
> some reset packets to X.X.X.65, but it does
> How can I find out why snort does not send RST (or other) packets? If snort
> in passive mode should not send any active response, why not? The
> documentation says that it should send RSTs in passive mode:
> "Configure the number of attempts to land a TCP RST within the session's
> current window (so that it is accepted by the receiving TCP). This sequence
> "strafing" is really only useful in passive mode." - from the documentation
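The check suggested in the reply (run with `--daq dump`, then confirm that inline-out.pcap actually contains the RSTs Snort generated) can be automated without scapy or tcpdump. The script below is an added example, not code from the original thread or from the Snort project: a stdlib-only parser for classic pcap files that walks Ethernet (with or without an 802.1Q tag, since the mirrored traffic here is VLAN-tagged), IPv4 and TCP, and counts the RST segments addressed to the test host. The addresses, ports, VLAN ID and the embedded sample capture are constructed for the demonstration; the function names are this example's own.

```python
"""Count TCP RSTs in a pcap (e.g. Snort's inline-out.pcap from the dump DAQ).

Added example, not Snort project code. Parses classic libpcap ->
Ethernet [+ 802.1Q] -> IPv4 -> TCP with the standard library only.
"""
import socket
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_RST = 0x04


def parse_pcap(data):
    """Yield each captured frame from a classic (non-pcapng) pcap buffer."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:          # file written little-endian
        end = "<"
    elif magic == 0xD4C3B2A1:        # file written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    off = 24                         # skip the global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (vlan_id, src_ip, dst_ip, sport, dport, tcp_flags) or None if not TCP/IPv4."""
    if len(frame) < 14:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:     # 802.1Q tag: 2 bytes TCI, then the real ethertype
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP:
        return None
    ihl = (frame[off] & 0x0F) * 4    # IPv4 header length in bytes
    if frame[off + 9] != IPPROTO_TCP:
        return None
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    tcp = off + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    flags = frame[tcp + 13]          # low 6 bits: URG ACK PSH RST SYN FIN
    return (vlan, src, dst, sport, dport, flags)


def reset_summary(data):
    """List (vlan, src, dst, sport, dport) for every TCP segment with RST set."""
    out = []
    for frame in parse_pcap(data):
        p = parse_frame(frame)
        if p and p[5] & TCP_RST:
            out.append(p[:5])
    return out


def count_resets(data, target_ip):
    """Number of RST segments whose destination is target_ip."""
    return sum(1 for r in reset_summary(data) if r[2] == target_ip)


# --- constructed sample capture (assumed addresses, not from the thread) ---

def build_tcp_frame(src, dst, sport, dport, flags, vlan=None):
    """Minimal Ethernet [+802.1Q] / IPv4 / TCP frame with no options or payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = bytes.fromhex("001a30627c40") + bytes.fromhex("001122334455")
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    return eth + struct.pack("!H", ETH_P_IP) + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap, linktype 1 (Ethernet), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1379600000 + i, 0, len(f), len(f)) + f
    return out


CLIENT, SERVER = "192.0.2.65", "203.0.113.10"   # stand-ins for X.X.X.65 and "somehost"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(CLIENT, SERVER, 40000, 80, 0x02, vlan=100),   # SYN, tagged mirror traffic
    build_tcp_frame(SERVER, CLIENT, 80, 40000, 0x12, vlan=100),   # SYN/ACK
    build_tcp_frame(CLIENT, SERVER, 40000, 80, 0x18, vlan=100),   # PSH/ACK carrying "TEST0"
    build_tcp_frame(SERVER, CLIENT, 80, 40000, 0x14),             # RST/ACK toward the client
    build_tcp_frame(CLIENT, SERVER, 40000, 80, 0x14),             # RST/ACK toward the server
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for r in reset_summary(data):
        print("RST vlan=%s %s:%d -> %s:%d" % (r[0], r[1], r[3], r[2], r[4]))
```

Point it at the inline-out.pcap the dump DAQ writes and at the test host's address: zero RSTs there means Snort never generated a response for the rule, so the `config response` device and MAC settings are not yet the problem; RSTs present in the dump but absent on eth4 narrow the fault to the injection path.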