[Snort-users] Snort-3.0: WARNING: active responses disabled since DAQ can't inject packets.

Russ rucombs at ...589...
Thu Mar 26 13:23:32 EDT 2015



On 3/26/15 1:04 PM, Yuhui Lin wrote:
>>
>>
>> hi,
>>
>> I was testing snort 3.0-alpha. While I execute the following command, 
>> I got a warning everytime.
>>
>> command:
>>
>> $SNORT3_PATH/bin/snort -c $SNORT3_PATH/etc/snort.lua -R 
>> $SNORT3_PATH/myRule.rules -l $SNORT3_PATH/logTest -r 
>> $SNORT3_PATH/myPcap.pcap -A alert_fast -n 100
>>
>>
>> warning:
>> WARNING: active responses disabled since DAQ can't inject packets.
>>
>> I don’t understand why my DAQ can’t inject packets...
There are 2 things going on ... first, the pcap DAQ is for readback 
only.  It does not support packet injection.  Second, active response 
modules were partly enabling if loaded instead of upon configuration.  A 
fix for that was push to github earlier today.
>>
>>
>> $SNORT3_PATH/bin/snort -c $SNORT3_PATH/etc/snort.lua -R 
>> $SNORT3_PATH/myRule.rules -l $SNORT3_PATH/logTest -r 
>> $SNORT3_PATH/myPcap.pcap -A alert_fast -n 100
>> --------------------------------------------------
>> o")~ Snort++ 3.0.0-a1-140
>> --------------------------------------------------
>> Loading /root/yuhui/snort3/etc/snort.lua:
>> back_orifice
>> classifications
>> ftp_data
>> stream_tcp
>> ftp_server
>> http_inspect
>> telnet
>> port_scan
>> rpc_decode
>> arp_spoof
>> perf_monitor
>> stream_icmp
>> stream_ip
>> stream
>> ftp_client
>> references
>> stream_udp
>> wizard
>> Finished /root/yuhui/snort3/etc/snort.lua.
>> Loading rules:
>> Loading /root/yuhui/snort3/myRule.rules:
>> Finished /root/yuhui/snort3/myRule.rules.
>> Finished rules.
>> --------------------------------------------------
>> rule counts
>>        total rules loaded: 10
>>   text rules: 10
>> option chains: 10
>> chain headers: 4
>> --------------------------------------------------
>> rule port counts
>> tcp     udp    icmp      ip
>>      any   7       6       5       4
>>       nc   0       0       0       1
>> --------------------------------------------------
>> pcap DAQ configured to read-file.
>> Commencing packet processing
>> ++ [0] /root/yuhui/snort3/myPcap.pcap
>>
>> WARNING: active responses disabled since DAQ can't inject packets.
>>
>> Thank you,
>> Yuhui
>
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150326/600241b4/attachment.html>


More information about the Snort-users mailing list