Snort mailing list archives
Re: about snort active responses in passive mode
From: chinghsiung <chinghsiung () honeynet org tw>
Date: Sat, 14 Feb 2015 15:01:12 +0800
Now my network environment: snort eth0 mirrors the Cisco router traffic, eth1 will send the active response and is used for management. Here is my snort-related config and snort rules. At present, I hope my snort can show the configured block page when users visit an unsafe site. Before that I had to use VMware to recreate this in a virtual environment to test this feature, and it was able to operate, but when I build snort in the actual environment, snort alerts but does not send out the block page.

snort.conf
========
README.active
config response: device eth1 attempts 20
config react: /etc/snort/block.html
..........
..........
.........
...........
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 25, \
min_response_seconds 1

about rule
====
alert tcp any any -> any $HTTP_PORTS (msg:"aa710"; content:"x49.aa710.com"; sid:8; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"sex"; content:"www.sex.com"; sid:15; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"hilive"; content:"www.hilive.tv"; react:block,msg; sid:14; )

Al Lewis (allewi) wrote on 2015/2/14 04:30:
Hello,
Can you explain a little more what is not working? Are you saying that the TCP resets AREN'T being sent? Or that
the block pages AREN'T being sent?
Sorry if I misunderstood your question.
Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
-----Original Message-----
From: chinghsiung [mailto:chinghsiung () honeynet org tw]
Sent: Friday, February 13, 2015 10:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] about snort active responses in passive mode
Hello, now I have a problem: snort active responses are not working.
snort.conf
========
README.active
config response: device eth1 attempts 20
config react: /etc/snort/block.html
..........
..........
.........
...........
preprocessor stream5_global: track_tcp yes, \
track_udp yes, \
track_icmp no, \
max_tcp 262144, \
max_udp 131072, \
max_active_responses 25, \
min_response_seconds 1
=============
about rule:
alert tcp any any -> any $HTTP_PORTS (msg:"aa710"; content:"x49.aa710.com"; sid:8; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"sex"; content:"www.sex.com"; sid:15; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"hilive"; content:"www.hilive.tv"; react:block,msg; sid:14; )
I already ran ./configure --enable-sourcefire --enable-active-response --enable-flexresp3 --enable-react
and then make, make install.

[switch port with mirrored 802.1q traffic]===[eth0 used for monitoring only]-[PC with snort]-[eth1 used for sending TCP RST (active response) and has network access]===[network]

Does anyone know how to solve this problem? I have not seen any block page or TCP RST. But when I use VMware
Workstation to run this active response it works!!
--
Honeynet Taiwan Chapter
Hsu, ChingHsiung(清雄)
chinghsiung () honeynet org tw
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
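The thread above shows a snort.conf with `config response:`, `config react:` and a `stream5_global` block next to rules that use `react:block,msg`. When a deployment alerts but never sends the block page, one cheap first step is to confirm that every piece active response depends on is actually present in the files Snort is loading. The script below is an added example written for this page, not code from the thread or from the Snort project: it joins Snort's backslash continuation lines, pulls the `config response`, `config react` and `stream5_global` settings out of a config fragment, parses the rule options, and reports react/resp rules that lack a matching config or a `sid`. The sample config and rules are constructed from the thread, with one extra rule (`msg:"no-sid"`, hostname `example.invalid`) added to show a finding; the check treats a missing or zero `max_active_responses` as "active responses disabled", which is how the stream5_global default behaves in Snort 2.9 as far as this example assumes.

```python
"""Sanity-check the pieces a Snort 2.9 active-response setup needs (added example)."""
import re

# Constructed sample snort.conf fragment, modelled on the thread's configuration.
SNORT_CONF = """\
config response: device eth1 attempts 20
config react: /etc/snort/block.html
preprocessor stream5_global: track_tcp yes, \\
    track_udp yes, \\
    track_icmp no, \\
    max_tcp 262144, \\
    max_udp 131072, \\
    max_active_responses 25, \\
    min_response_seconds 1
"""

# Constructed sample rules: the three from the thread plus one deliberately missing its sid.
RULES = """\
alert tcp any any -> any $HTTP_PORTS (msg:"aa710"; content:"x49.aa710.com"; sid:8; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"sex"; content:"www.sex.com"; sid:15; react:block,msg;)
alert tcp any any -> any $HTTP_PORTS (msg:"hilive"; content:"www.hilive.tv"; react:block,msg; sid:14; )
alert tcp any any -> any $HTTP_PORTS (msg:"no-sid"; content:"example.invalid"; react:block;)
"""

RULE_RE = re.compile(
    r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def join_continuations(text):
    """Join lines ending in a backslash, the way Snort reads multi-line directives."""
    out, buf = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        out.append((buf + stripped).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return [l for l in out if l and not l.startswith("#")]


def parse_config(text):
    """Extract the response device, react page and stream5_global options."""
    cfg = {"response": {}, "react_page": None, "stream5_global": {}}
    for line in join_continuations(text):
        m = re.match(r"config response:\s*(.*)", line)
        if m:
            toks = m.group(1).split()  # e.g. ["device", "eth1", "attempts", "20"]
            cfg["response"].update(zip(toks[0::2], toks[1::2]))
            continue
        m = re.match(r"config react:\s*(\S+)", line)
        if m:
            cfg["react_page"] = m.group(1)
            continue
        m = re.match(r"preprocessor stream5_global:\s*(.*)", line)
        if m:
            for item in m.group(1).split(","):
                parts = item.split()
                if len(parts) == 2:
                    cfg["stream5_global"][parts[0]] = parts[1]
    return cfg


def parse_rules(text):
    """Parse rule headers and the option block into a list of dicts."""
    rules = []
    for line in join_continuations(text):
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = {}
        for opt in m.group(8).split(";"):
            opt = opt.strip()
            if opt:
                name, _, val = opt.partition(":")
                opts[name.strip()] = val.strip().strip('"')
        rules.append({"action": m.group(1), "proto": m.group(2), "options": opts})
    return rules


def check(cfg, rules):
    """Return human-readable findings about what active response is missing."""
    findings = []
    react_rules = [r for r in rules if "react" in r["options"]]
    resp_rules = [r for r in rules if "resp" in r["options"]]
    active = react_rules + resp_rules
    if active and "device" not in cfg["response"]:
        findings.append("rules use react/resp but snort.conf has no 'config response: device <iface>'")
    if react_rules and not cfg["react_page"]:
        findings.append("rules use react but snort.conf has no 'config react: <page>'")
    max_rsp = int(cfg["stream5_global"].get("max_active_responses", "0"))
    if active and max_rsp <= 0:
        findings.append("stream5_global max_active_responses is 0: active responses are disabled")
    for r in active:
        if "sid" not in r["options"]:
            findings.append(f"rule '{r['options'].get('msg', '?')}' uses an active response but has no sid")
    return findings


if __name__ == "__main__":
    for finding in check(parse_config(SNORT_CONF), parse_rules(RULES)) or ["no findings"]:
        print(finding)
```

Run it against the real snort.conf and rule files by reading them into `parse_config` and `parse_rules`; a clean report only means the configuration is internally consistent, it says nothing about whether eth1 can actually reach the client, which is the remaining question in the thread.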
Current thread:
- about snort active responses in passive mode chinghsiung (Feb 13)
- Re: about snort active responses in passive mode Al Lewis (allewi) (Feb 13)
- Re: about snort active responses in passive mode chinghsiung (Feb 13)
- Re: about snort active responses in passive mode Al Lewis (allewi) (Feb 13)
