[Snort-users] about snort active responses in passive mode

chinghsiung chinghsiung at ...17093...
Sat Feb 14 02:01:12 EST 2015


In my network environment, snort's eth0 mirrors the cisco router traffic,
and eth1 sends the active responses and is used for management.
Here is my snort-related config and snort rule.
At present, I hope my snort can show the block page when users
visit an unsafe site. Before this, I tested this feature in a
virtual environment with vmware, and it worked, but when I
built snort in the actual environment, snort only alerts and does not
send out the block page.


snort.conf
========
README.active
config response: device eth1 attempts 20
config react: /etc/snort/block.html
..........
..........
.........
...........
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 25, \
   min_response_seconds 1

about rule
====
alert tcp any any -> any $HTTP_PORTS (msg:"aa710"; content:"x49.aa710.com"; sid:8; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"sex"; content:"www.sex.com"; sid:15; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"hilive"; content:"www.hilive.tv"; react:block,msg; sid:14;)

 



Al Lewis (allewi) wrote on 2015/2/14 04:30:
> Hello,
>
> 	Can you explain a little more what is not working? Are you saying that the tcp resets AREN'T being sent? Or that the block pages AREN'T being sent?
>
> Sorry if I misunderstood your question.
>
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046 
> Phone: (office) 443.430.7112
> Email: allewi at ...589... 
>
>
> -----Original Message-----
> From: chinghsiung [mailto:chinghsiung at ...17093...] 
> Sent: Friday, February 13, 2015 10:58 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] about snort active responses in passive mode
>
> Hello, now I have a problem: snort active responses are not working.
>
> snort.conf
> ========
> README.active
> config response: device eth1 attempts 20
> config react: /etc/snort/block.html
> ..........
> ..........
> .........
> ...........
> preprocessor stream5_global: track_tcp yes, \
>    track_udp yes, \
>    track_icmp no, \
>    max_tcp 262144, \
>    max_udp 131072, \
>    max_active_responses 25, \
>    min_response_seconds 1
>
>
> =============
> about rule:
> alert tcp any any -> any $HTTP_PORTS (msg:"aa710"; content:"x49.aa710.com"; sid:8; react:block,msg;)
> alert tcp any any -> any $HTTP_PORTS (msg:"sex"; content:"www.sex.com"; sid:15; react:block,msg;)
> alert tcp any any -> any $HTTP_PORTS (msg:"hilive"; content:"www.hilive.tv"; react:block,msg; sid:14;)
>
> I already ran ./configure --enable-sourcefire --enable-active-response
> --enable-flexresp3 --enable-react
> and then make, make install.
>
>
> [switch port with mirrored 802.1q traffic]===[eth0 used for monitoring only]-[PC with snort]-[eth1 used for send tcp -rst (active response) and has network access]===[network]
>
>
> Does anyone know how to solve this problem? I have not seen any block page or tcp-rst, but when I use vmware workstation to run this active response, it works!!
>
> --
> Honeynet Taiwan Chapter
> Hsu, ChingHsiung(清雄)
> chinghsiung at ...17093...
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-- 
Honeynet Taiwan Chapter
Hsu, ChingHsiung(清雄)
chinghsiung at ...17093...
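Before chasing the network path, it is worth ruling out configuration mistakes that leave `react` rules silent. The following lint is an added example, not code from this thread or from the Snort project: it parses the `config response:`, `config react:` and `stream5_global` lines of a snort.conf fragment together with a rules file and reports the common problems (react on a non-TCP rule, a missing sid, `attempts` or `max_active_responses` outside the ranges README.active documents, react rules with no response device or block page configured). The sample config and rules embedded below are constructed for the example and are not the poster's real files.

```python
"""Lint for Snort 2.9 active-response settings (added example, not Snort project code).

Limits used here (attempts 1-20, max_active_responses 0-25, min_response_seconds
1-300) follow README.active; the sample input is constructed for this example.
"""
import re

# Constructed sample input modelled on the config shown in the thread.
SAMPLE_CONF = """
config response: device eth1 attempts 20
config react: /etc/snort/block.html
preprocessor stream5_global: track_tcp yes, \\
   track_udp yes, \\
   max_active_responses 25, \\
   min_response_seconds 1
"""

# Constructed rules: one correct, one react on UDP (react is TCP-only), one without sid.
SAMPLE_RULES = """
alert tcp any any -> any $HTTP_PORTS (msg:"aa710"; content:"x49.aa710.com"; sid:8; react:block,msg;)
alert udp any any -> any 53 (msg:"dns"; content:"example"; sid:9; react:msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"no sid"; content:"www.example.test"; react:msg;)
"""

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def _join_continuations(text):
    """Fold backslash-newline continuations so each directive is a single line."""
    return re.sub(r"\\\s*\n\s*", " ", text)


def parse_conf(text):
    """Extract the active-response related settings from a snort.conf fragment."""
    text = _join_continuations(text)
    conf = {"response": None, "react_page": None, "stream5": {}}
    m = re.search(r"^\s*config response:\s*(.+)$", text, re.M)
    if m:
        toks, resp, i = m.group(1).split(), {}, 0
        while i < len(toks):
            if toks[i] in ("device", "dst_mac", "attempts") and i + 1 < len(toks):
                resp[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        conf["response"] = resp
    m = re.search(r"^\s*config react:\s*(\S+)", text, re.M)
    if m:
        conf["react_page"] = m.group(1)
    m = re.search(r"^\s*preprocessor stream5_global:\s*(.+)$", text, re.M)
    if m:
        for item in m.group(1).split(","):
            parts = item.split()
            if len(parts) == 2:
                conf["stream5"][parts[0]] = parts[1]
    return conf


def _split_options(body):
    """Split a rule body on ';' while respecting double-quoted values."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def parse_rules(text):
    """Parse rule header and options; returns one dict per rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        options = {}
        for opt in _split_options(m.group(8)):
            name, _, value = opt.partition(":")
            options[name.strip()] = value.strip()
        rules.append({"action": m.group(1), "proto": m.group(2), "options": options, "raw": line.strip()})
    return rules


def lint(conf, rules):
    """Return (code, detail) findings; an empty list means nothing obvious is wrong."""
    findings, resp, s5 = [], conf["response"], conf["stream5"]
    if any("react" in r["options"] or "resp" in r["options"] for r in rules):
        if resp is None:
            findings.append(("NO_RESPONSE_CONFIG", "no 'config response:'; set device to an interface that can reach the hosts"))
        if any("react" in r["options"] for r in rules) and conf["react_page"] is None:
            findings.append(("NO_REACT_PAGE", "react rules present but no 'config react:' page"))
    if resp and resp.get("attempts") is not None:
        att = resp["attempts"]
        if not (att.isdigit() and 1 <= int(att) <= 20):
            findings.append(("BAD_ATTEMPTS", f"attempts={att}, allowed range is 1-20"))
    for key, lo, hi in (("max_active_responses", 0, 25), ("min_response_seconds", 1, 300)):
        val = s5.get(key)
        if val is not None and not (val.isdigit() and lo <= int(val) <= hi):
            findings.append(("BAD_" + key.upper(), f"{key}={val}, allowed range is {lo}-{hi}"))
    for r in rules:
        label = "sid " + r["options"]["sid"] if "sid" in r["options"] else r["raw"][:40]
        if "react" in r["options"] and r["proto"] != "tcp":
            findings.append(("REACT_NOT_TCP", f"{label}: react only works on tcp rules"))
        if "sid" not in r["options"]:
            findings.append(("MISSING_SID", f"{label}: rule has no sid"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(parse_conf(SAMPLE_CONF), parse_rules(SAMPLE_RULES)):
        print(f"{code}: {detail}")
```

A clean lint result does not prove the responses arrive. On a mirror-port sensor the `device` interface must have a route to the client and server, the RSTs need the sequence numbers that stream5 tracking supplies, and the injected packets race the genuine server reply, so the next check is a packet capture on eth1 while a test client triggers a rule.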




