Snort mailing list archives

Re: Snort-3.0: WARNING: active responses disabled since DAQ can't inject packets.


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 26 Mar 2015 17:11:30 +0000

I believe you should be using afpacket (for Linux) or ipfw (for FreeBSD) for injection/resets.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Yuhui Lin [mailto:linyuhuihaha () gmail com]
Sent: Thursday, March 26, 2015 1:04 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort-3.0: WARNING: active responses disabled since DAQ can't inject packets.


hi,

I was testing Snort 3.0-alpha. When I execute the following command, I get a warning every time.

command:
$SNORT3_PATH/bin/snort -c $SNORT3_PATH/etc/snort.lua -R $SNORT3_PATH/myRule.rules -l $SNORT3_PATH/logTest -r $SNORT3_PATH/myPcap.pcap -A alert_fast -n 100

warning:
WARNING: active responses disabled since DAQ can't inject packets.

I don’t understand why my DAQ can’t inject packets...

$SNORT3_PATH/bin/snort -c $SNORT3_PATH/etc/snort.lua -R $SNORT3_PATH/myRule.rules -l $SNORT3_PATH/logTest -r $SNORT3_PATH/myPcap.pcap -A alert_fast -n 100
--------------------------------------------------
o")~   Snort++ 3.0.0-a1-140
--------------------------------------------------
Loading /root/yuhui/snort3/etc/snort.lua:
          back_orifice
          classifications
          ftp_data
          stream_tcp
          ftp_server
          http_inspect
          telnet
          port_scan
          rpc_decode
          arp_spoof
          perf_monitor
          stream_icmp
          stream_ip
          stream
          ftp_client
          references
          stream_udp
          wizard
Finished /root/yuhui/snort3/etc/snort.lua.
Loading rules:
Loading /root/yuhui/snort3/myRule.rules:
Finished /root/yuhui/snort3/myRule.rules.
Finished rules.
--------------------------------------------------
rule counts
       total rules loaded: 10
               text rules: 10
            option chains: 10
            chain headers: 4
--------------------------------------------------
rule port counts
             tcp     udp    icmp      ip
     any       7       6       5       4
      nc       0       0       0       1
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] /root/yuhui/snort3/myPcap.pcap

WARNING: active responses disabled since DAQ can't inject packets.

Thank you,
Yuhui
