[Snort-users] Snort-3.0: WARNING: active responses disabled since DAQ can't inject packets.

Al Lewis (allewi) allewi at ...589...
Thu Mar 26 13:11:30 EDT 2015


I believe you should be using afpacket (for Linux) or ipfw (for FreeBSD) for injection/resets.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Yuhui Lin [mailto:linyuhuihaha at ...11827...]
Sent: Thursday, March 26, 2015 1:04 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort-3.0: WARNING: active responses disabled since DAQ can't inject packets.


Hi,

I was testing snort 3.0-alpha. When I execute the following command, I get a warning every time.

command:
$SNORT3_PATH/bin/snort -c $SNORT3_PATH/etc/snort.lua -R $SNORT3_PATH/myRule.rules -l $SNORT3_PATH/logTest -r $SNORT3_PATH/myPcap.pcap -A alert_fast -n 100

warning:
WARNING: active responses disabled since DAQ can't inject packets.

I don’t understand why my DAQ can’t inject packets...

$SNORT3_PATH/bin/snort -c $SNORT3_PATH/etc/snort.lua -R $SNORT3_PATH/myRule.rules -l $SNORT3_PATH/logTest -r $SNORT3_PATH/myPcap.pcap -A alert_fast -n 100
--------------------------------------------------
o")~   Snort++ 3.0.0-a1-140
--------------------------------------------------
Loading /root/yuhui/snort3/etc/snort.lua:
          back_orifice
          classifications
          ftp_data
          stream_tcp
          ftp_server
          http_inspect
          telnet
          port_scan
          rpc_decode
          arp_spoof
          perf_monitor
          stream_icmp
          stream_ip
          stream
          ftp_client
          references
          stream_udp
          wizard
Finished /root/yuhui/snort3/etc/snort.lua.
Loading rules:
Loading /root/yuhui/snort3/myRule.rules:
Finished /root/yuhui/snort3/myRule.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 10
               text rules: 10
            option chains: 10
            chain headers: 4
--------------------------------------------------
rule port counts
             tcp     udp    icmp      ip
     any       7       6       5       4
      nc       0       0       0       1
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] /root/yuhui/snort3/myPcap.pcap

WARNING: active responses disabled since DAQ can't inject packets.

Thank you,
Yuhui
