[Snort-users] snort does not send active response in passive mode
warm at ...2377...
Fri Sep 20 01:02:22 EDT 2013
"--daq dump" with commented out string "config response ..." produces inline-out.pcap with [RST,ACK]. I tried to write
dump with out running snort and did my test - there was no any RST in this case -- snort works and wants to produce RST
packet but RST for some reason does not leave snort host.
What can be wrong with "config response: device eth4 dst_mac 00:1a:30:62:7c:40" ?
May be there are some non-obvious requirements to the system running snort for active response to work ?
I mean kernel version or network card or some thing else. I use Linux kernel 220.127.116.11 -- yes, this is very old machine
and I can not upgrade it without significant reason. Can the old kernel be the reason why active response does not send
And also ethernet driver is old too:
# ethtool -i eth4
... all the software on this machine is old :-). I only compile new versions of needful software like snort, tcpdump,
What is the most likely cause of active response does not sends packets ?
On Fri, 20 Sep 2013 01:25:05 +0700
Russ Combs <rcombs at ...1935...> wrote:
> You can start by using the dump DAQ to see that you are alerting and generating responses. Comment out the "config
> response" line and add "--daq dump" to your Snort command line. Then do your test and check that the resulting
> inline-out.pcap has your response(s) as expected.
> If that is working, it is a matter of getting your config response to work correctly.
> Hope that helps.
> On Thu, Sep 19, 2013 at 4:07 AM, Anton <warm at ...2377...> wrote:
> Good day.
> I'm trying to set up snort with active response in passive mode. Here is my setup:
> [switch port with mirrored 802.1q traffic]===[eth0 used for monitoring only]-[PC with snort]-[eth4 used for management
> and has network access]===[network]
> So, I have compiled snort-18.104.22.168 with
> ./configure \
> --prefix=/usr \
> --sysconfdir=/etc \
> --mandir=/usr/man \
> --localstatedir=/var \
> --enable-pthread \
> --enable-linux-smp-stats \
> --enable-zlib \
> --enable-active-response --enable-react --enable-flexresp3
> I've read instructions from README.active
> preprocessor stream5_global: \
> track_tcp yes, \
> track_udp no, \
> track_icmp no, \
> max_tcp 262144, \
> max_udp 131072, \
> max_active_responses 4, \
> min_response_seconds 2
> # this was not required but I select only 80 port for better performance.
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
> overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
> ports server \
> 80 \
> , \
> ports both 80 3128 \
> config response: device eth4 dst_mac 00:1a:30:62:7c:40 attempts 2 # this is MAC of the default gateway
> I have test rule:
> drop tcp any any -> any 80 (msg:"TEST0";\
> I start snort like this:
> snort -q \
> --daq-var buffer_size_mb=128MB \
> --treat-drop-as-alert \
> -n 10000000 \
> -i eth0 \
> -l /var/log/snort \
> -K none \
> -c /etc/snort/snort.conf \
> -A console \
> -F 'bpf-file'
> bpf-file contains filter for test machine only. It looks like "vlan and host X.X.X.65". vlan because it selects 802.1q
> I start snort then I do "telnet somehost 80" and print TEST0. Somehost prints HTML page:
> <head><title>400 Bad Request</title></head>
> <body bgcolor="white">
> <center><h1>400 Bad Request</h1></center>
> and closes connection. Snort does not send anything but it writes alert messages to the console - snort can see
> traffic described in rule. I tried to start "tcpdump -ni eth4 'host X.X.X.65'" on snort machine - it does not send
> anything to X.X.X.65 at all.
> Active response can be workable or can be unworkable but snort should send some reset packets to X.X.X.65 but is does
> How to find out the reason on which snort does not send rst (or other) packets ? If snort in passive mode should not
> send any active response - why ? Documentation says that it should send rst in passive mode.
> "Configure the number of attempts to land a TCP RST within the session's current window (so that it is accepted by the
> receiving TCP). This sequence "strafing" is really only useful in passive mode." - from documentation
> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
MT NOC division head
tel. 8 (3822) 555-797
More information about the Snort-users