Snort mailing list archives
Snort 2.9.0.4 inline active response on Centos 5.5
From: Risto Vaarandi <risto.vaarandi () seb ee>
Date: Mon, 07 Mar 2011 13:15:25 +0200
Hi all,

I have successfully built snort 2.9.0.4 on CentOS 5.5 with all DAQ modules, and ipq and nfw modules seem to work nicely in both passive and inline mode. However, I have discovered that features which are related to active response don't work - the 'reject' action works like 'drop' and doesn't send a TCP RST packet to the attacker, and the 'resp' and 'react' rule options are not doing anything useful either. Interestingly, when shut down, Snort reports to have injected some packets into the network.

I have built snort with the following options:

--enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3

and also, I have tried to omit some obviously not relevant options, but in all cases the problem does not go away (I am running my snort inside a vbox virtual machine).

Is active response known to be broken on CentOS/RHEL 5?

BR,
risto