[Snort-users] about snort active responses in passive mode

chinghsiung chinghsiung at ...17093...
Fri Feb 13 10:58:13 EST 2015

Hello ,now i have a problem with snort active responses is not work ,

config response: device eth1 attempts 20
config react: /etc/snort/block.html
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 25, \
   min_response_seconds 1

about rule:
alert tcp any any -> any $HTTP_PORTS (msg:"aa710";
content:"x49.aa710.com"; sid:8;  react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"sex"; content:"www.sex.com";
sid:15;  react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"hilive";
content:"www.hilive.tv"; react:block,msg; sid:14; )

i already ./configure --enable-sourcefire --enable-active-response
--enable-flexresp3 --enable-react
and make make install

[switch port with mirrored 802.1q traffic]===[eth0 used for monitoring
only]-[PC with snort]-[eth1 used for send tcp -rst (active response)
and has network access]===[network]

anyone know how to slove this problem ? i have not look up any block
page or tcp -rst ? but  when i use vmware workstation  to run this
active response it's work !!

Honeynet Taiwan Chapter
Hsu, ChingHsiung(清雄)
chinghsiung at ...17093...

More information about the Snort-users mailing list