[Snort-users] snort does not send active response in passive mode

Anton warm at ...2377...
Fri Sep 20 01:02:22 EDT 2013


Hmm ... 

"--daq dump" with the "config response ..." line commented out produces inline-out.pcap with [RST,ACK]. I tried to write
a dump without running snort and did my test - there was no RST at all in this case -- snort works and wants to produce the RST
packet, but for some reason the RST does not leave the snort host.

What can be wrong with "config response: device eth4 dst_mac 00:1a:30:62:7c:40" ?

Maybe there are some non-obvious requirements on the system running snort for active response to work?

I mean the kernel version, the network card or something else. I use Linux kernel 2.6.16.16 -- yes, this is a very old machine
and I cannot upgrade it without a significant reason. Can the old kernel be the reason why active response does not send
packets?

And the ethernet driver is old too:

# ethtool -i eth4
driver: e1000
version: 6.3.9-k4-NAPI
firmware-version: N/A
bus-info: 0000:05:03.0

... all the software on this machine is old :-). I only compile new versions of needed software like snort, tcpdump,
nmap.

What is the most likely cause of active response not sending packets?



On Fri, 20 Sep 2013 01:25:05 +0700
Russ Combs <rcombs at ...1935...> wrote:

> You can start by using the dump DAQ to see that you are alerting and generating responses.  Comment out the "config
> response" line and add "--daq dump" to your Snort command line.  Then do your test and check that the resulting
> inline-out.pcap has your response(s) as expected.
> 
> If that is working, it is a matter of getting your config response to work correctly.
> 
> Hope that helps.
> Russ
> 
> 
> On Thu, Sep 19, 2013 at 4:07 AM, Anton <warm at ...2377...> wrote:
> Good day.
> 
> I'm trying to set up snort with active response in passive mode. Here is my setup:
> 
> 
> [switch port with mirrored 802.1q traffic]===[eth0 used for monitoring only]-[PC with snort]-[eth4 used for management
> and has network access]===[network]
> 
> So, I have compiled snort-2.9.5.5 with
> 
> ./configure \
>   --prefix=/usr \
>   --sysconfdir=/etc \
>   --mandir=/usr/man \
>   --localstatedir=/var \
>   --enable-pthread \
>   --enable-linux-smp-stats \
>   --enable-zlib \
>   --enable-active-response --enable-react --enable-flexresp3
> 
> 
> I've read the instructions from README.active
> 
> preprocessor stream5_global: \
>    track_tcp yes, \
>    track_udp no, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    max_active_responses 4, \
>    min_response_seconds 2
> 
> ...
> # this was not required but I select only port 80 for better performance.
> preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
>    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
>     ports server \
>         80 \
>         , \
>     ports both 80 3128 \
>         8080
> ...
> 
> config response: device eth4 dst_mac 00:1a:30:62:7c:40 attempts 2 # this is MAC of the default gateway
> 
> 
> I have test rule:
> 
> drop tcp any any -> any 80 (msg:"TEST0";\
>         content:"TEST0";\
>         resp:reset_source;\
>         sid:1;)
> 
> I start snort like this:
> 
> snort   -q \
>         --daq-var buffer_size_mb=128MB \
>         --treat-drop-as-alert \
>         -n 10000000 \
>         -i eth0 \
>         -l /var/log/snort \
>         -K none \
>         -c /etc/snort/snort.conf \
>         -A console \
>         -F 'bpf-file'
> 
> bpf-file contains a filter for the test machine only. It looks like "vlan and host X.X.X.65"; vlan because it selects 802.1q
> frames.
> 
> I start snort, then I do "telnet somehost 80" and type TEST0. Somehost prints an HTML page:
> 
> <html>
> <head><title>400 Bad Request</title></head>
> <body bgcolor="white">
> <center><h1>400 Bad Request</h1></center>
> <hr><center>nginx</center>
> </body>
> </html>
> 
> and closes the connection. Snort does not send anything, but it writes alert messages to the console - snort can see the
> traffic described in the rule. I tried starting "tcpdump -ni eth4 'host X.X.X.65'" on the snort machine - it does not send
> anything to X.X.X.65 at all.
> 
> Active response may or may not work, but snort should send some reset packets to X.X.X.65, and it does
> not.
> 
> How can I find out the reason why snort does not send RST (or other) packets? If snort in passive mode should not
> send any active response - why? The documentation says that it should send RST in passive mode.
> 
> "Configure the number of attempts to land a TCP RST within the session's current window (so that it is accepted by the
> receiving TCP). This sequence "strafing" is really only useful in passive mode." - from documentation
> (http://manual.snort.org/node26.html).
> 
> 


-- 
Anton [WARM-RIPE]
MT NOC division head
tel. 8 (3822) 555-797
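Russ's diagnostic step in the thread is to run the dump DAQ and check whether inline-out.pcap contains the injected resets. The script below is an added example, not code from the thread or from the Snort project: a pure standard-library Python reader for classic libpcap files that lists TCP packets with the RST flag set, understanding 802.1q-tagged frames because the monitored traffic here is VLAN-tagged. It needs no scapy or dpkt, so it runs on an old box. The capture it builds for its own demo, with documentation-range addresses and locally administered MACs, is constructed; pass a real inline-out.pcap as the first argument to inspect it.

```python
"""List TCP RST packets in a libpcap capture such as the dump DAQ's inline-out.pcap.

Added example (not from the Snort-users thread). Standard library only.
"""
import struct
import sys

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_RST = 0x04
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]


def flag_names(flags):
    """Render the low eight TCP flag bits as e.g. 'RST/ACK'."""
    return "/".join(name for bit, name in TCP_FLAG_NAMES if flags & bit) or "none"


def parse_tcp_frame(frame):
    """Return a dict for an Ethernet/IPv4/TCP frame (802.1q tag optional), else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:            # tagged frame: TCI + inner ethertype follow
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP or len(frame) < offset + 20:
        return None
    ip = frame[offset:]
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 14:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"vlan": vlan,
            "src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "sport": sport, "dport": dport, "flags": tcp[13]}


def iter_pcap_records(data):
    """Yield raw link-layer frames from a classic libpcap byte string (pcapng not supported)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def summarize_capture(data):
    """Return (number of TCP packets, list of packets carrying the RST flag)."""
    tcp_packets = [p for p in (parse_tcp_frame(f) for f in iter_pcap_records(data)) if p]
    return len(tcp_packets), [p for p in tcp_packets if p["flags"] & TCP_RST]


def build_frame(src, dst, sport, dport, flags, vlan=None):
    """Build a minimal Ethernet/IPv4/TCP frame with zero checksums (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"  # constructed MACs
    eth += struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_IP) if vlan is not None else struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file with Ethernet link type."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))


# Constructed capture: client SYN, client data, then the RST/ACK a reset_source
# response would inject toward the client. Addresses are documentation ranges.
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.65", "198.51.100.10", 40000, 80, 0x02, vlan=100),
    build_frame("192.0.2.65", "198.51.100.10", 40000, 80, 0x18, vlan=100),
    build_frame("198.51.100.10", "192.0.2.65", 80, 40000, 0x14, vlan=100),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    total, resets = summarize_capture(data)
    print("TCP packets: %d, RST packets: %d" % (total, len(resets)))
    for p in resets:
        print("  vlan=%s %s:%d -> %s:%d [%s]" % (p["vlan"], p["src"], p["sport"],
                                                 p["dst"], p["dport"], flag_names(p["flags"])))
```

Run with no arguments it analyses its own constructed capture; run against inline-out.pcap it shows whether resets were generated at all, which separates "Snort never built a response" from "the response was built but never left eth4" (the case a tcpdump on eth4 then narrows down).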


