[Snort-users] snort react action

free free.aaa at ...11827...
Wed Apr 6 11:08:15 EDT 2016


Albert,

There are Ethernet interfaces.
eth1 - which gets mirrored traffic, with no IP
eth0 - normal IPv4 interface through which Snort must send RESET or REACT.


06.04.2016 17:58, free wrote:
> Albert,
> thanks for the response.
>> # snort -V
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.8.0 GRE (Build 229)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
>>            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
>>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>>            Using libpcap version 1.6.2
>>            Using PCRE version: 8.35 2014-04-04
>>            Using ZLIB version: 1.2.8
>
> start command:
>> # /usr/local/bin/snort -D -q -N -m 027 -d -l /var/log/snort -c /etc/snort/snort.conf -i eth1
>
> rule (only 1 rule) and config attached.
>
>
> 06.04.2016 17:47, Al Lewis (allewi) wrote:
>> Hello,
>>
>>     What version of snort are you using?
>>     What rule are you using?
>>
>>     What command are you using to start snort?
>>     Do you have a config file you can share?
>>
>> Need a little more information sorry.
>>
>> Albert Lewis
>> QA Software Engineer
>> SOURCEfire, Inc. now part of Cisco
>> 9780 Patuxent Woods Drive
>> Columbia, MD 21046
>> Phone: (office) 443.430.7112
>> Email: allewi at ...589...
>>
>>
>> -----Original Message-----
>> From: free [mailto:free.aaa at ...11827...]
>> Sent: Wednesday, April 06, 2016 3:28 AM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] snort react action
>>
>> Hi all!
>> I made some rules with react action in them. With afpacket daq mode 
>> all is working fine, I see hijacked responses on the client. But when 
>> I switch daq to pfring react stops working. In logs I see that snort 
>> is matching the rule, but no action... Any help?
>>
>> Thanks in advance!
>> Best regards,
>> Alex