Active Response


Christopher Lowson
Apr 16, 2014, 8:12:32 PM
to securit...@googlegroups.com
Hey Everyone,

Is the version of Snort installed with SO compiled with active-response?

http://manual.snort.org/node26.html

If not what would be the best way to enable this without causing issues to the system?

I'm looking to use the RST function to kill connections.

Thanks :)

Matt Gregory
Apr 16, 2014, 8:18:02 PM
to securit...@googlegroups.com
Hi Christopher,

Snort is not configured for IPS mode and it is not supported here.

See:

http://code.google.com/p/security-onion/wiki/FAQ#Can_Security_Onion_run_in_IPS_mode

https://groups.google.com/forum/#!topic/security-onion/WyVxmfl0Qmw  # "Can Security Onion run in IPS mode?"


Matt



--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Christopher Lowson
Apr 16, 2014, 8:25:47 PM
to securit...@googlegroups.com
Hey Matt,

Thanks, I will take a look. I would argue we should support this.

Doug Burks
Apr 16, 2014, 9:19:15 PM
to securit...@googlegroups.com
Hi Chris,

I *believe* Snort compiles with --enable-active-response by default:
http://seclists.org/snort/2011/q4/80

However, we don't have the manpower to support Snort active-response.



--
Doug Burks

Christopher Lowson
Apr 17, 2014, 5:13:41 PM
to securit...@googlegroups.com
Hey Doug,

That's what I found too. Active-response aside, what would be the best way to recompile Snort without causing configuration issues to the install of SO itself?

Going to take a stab at this anyway; I was just looking for thoughts. If I figure anything out I will drop the information here for people.

Doug Burks
Apr 17, 2014, 6:34:00 PM
to securit...@googlegroups.com
On Thu, Apr 17, 2014 at 5:13 PM, Christopher Lowson
<lowson...@gmail.com> wrote:
> Hey Doug,
>
> That's what I found too. Active-response aside, what would be the best way to recompile Snort without causing configuration issues to the install of SO itself?

Sorry, we don't recommend or support this.


--
Doug Burks

Christopher Lowson
Oct 22, 2014, 9:32:39 PM
to securit...@googlegroups.com
As an update: if you would like to have active response, though it's not supported, I have got it to work with Suricata.

A simple edit of

/usr/sbin/nsm_sensor_ps-start
/usr/sbin/nsm_sensor_ps-restart

Removing:

--user $SENSOR_USER --group $SENSOR_GROUP

from line 490:

[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)"

will stop Suricata from dropping privileges, which otherwise fails with this error:

23/10/2014 -- 01:15:40 - <Error> - [ERRCODE: SC_ERR_LIBNET11_INCOMPATIBLE_WITH_LIBCAP_NG(159)] - Libnet 1.1 is incompatible with POSIX based capabilities with privs dropping. For rejects to work, run as root/super user.

Haven't tried with snort just yet.
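The edit described in the post above, written as a small POSIX shell script so it can be applied and verified reproducibly rather than by hand. This is an added example, not part of the thread or of Security Onion's own scripts: the function names (strip_privdrop, patch_ps_script, check_patched) are assumed, the sample line is a constructed copy of the process_start line quoted above, and the script only touches a file whose path you pass in. It keeps a timestamped backup and refuses to run twice on the same file, so the change stays visible and reversible; after it Suricata runs with the full privileges of the user that starts it, which is exactly why the post's error message mentions root.

```shell
#!/bin/sh
# Added example (not from the thread): remove "--user $SENSOR_USER --group $SENSOR_GROUP"
# from the suricata process_start line in nsm_sensor_ps-start / nsm_sensor_ps-restart.
# Function names below are assumptions made for this example.

# Strip the privilege-drop flags from text on stdin and write the result to stdout.
# In a POSIX basic regex "\$" matches a literal dollar sign, so the script text
# "$SENSOR_USER" is matched as written, not expanded.
strip_privdrop() {
    sed 's/\(process_start "suricata" "\)--user \$SENSOR_USER --group \$SENSOR_GROUP /\1/'
}

# Apply the edit in place to one script, keeping a timestamped backup.
# Returns 1 without touching the file when the pattern is absent (already
# patched, or a different Security Onion version whose line looks different).
patch_ps_script() {
    f="$1"
    grep -q 'process_start "suricata" "--user \$SENSOR_USER --group \$SENSOR_GROUP ' "$f" || {
        echo "pattern not found in $f (already patched or different version?)" >&2
        return 1
    }
    cp "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Write through a temp file and cat back so the original mode/owner survive.
    strip_privdrop < "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Return 0 only if the line still launches suricata with its config and no
# longer carries the --user/--group flags.
check_patched() {
    printf '%s\n' "$1" | grep -q 'process_start "suricata" "-c /etc/nsm/' || return 1
    case "$1" in
        *--user*|*--group*) return 1 ;;
    esac
    return 0
}

# Constructed sample: the process_start line quoted in the post above.
SAMPLE_LINE='[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)"'

# Dry run on the constructed line; pass real paths to patch_ps_script to apply it.
PATCHED=$(printf '%s\n' "$SAMPLE_LINE" | strip_privdrop)
if check_patched "$PATCHED"; then
    echo "dry run OK: $PATCHED"
else
    echo "dry run FAILED" >&2
fi
```

To apply it for real, run `patch_ps_script /usr/sbin/nsm_sensor_ps-start` and `patch_ps_script /usr/sbin/nsm_sensor_ps-restart` as root, then restart the sensor and confirm the SC_ERR_LIBNET11_INCOMPATIBLE_WITH_LIBCAP_NG error is gone from suricata.log. The backup file is the quickest way to undo the change before an upgrade, which may overwrite the scripts anyway.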
