Snort mailing list archives
flexresp in snort (openbsd 3.0)
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Fri, 21 Dec 2001 19:30:03 -0600
Hi everyone,

Just to let you guys know, my resp command works now. It's quite cool. I just don't know if it misses some traffic. How do we know, btw, if our Snort misses some traffic?

Here is what I did: I created scripts/root.exe on my Apache. I tried a GET request of /scripts/root.exe to my Apache web server and below is what I got. Isn't it cool!?! :-)

    19:07:36.221195 0:d0:b7:83:61:fe 0:60:8:13:40:39 ip 60: 65.192.117.72.www > 12-248-255-47.client.attbi.com.47289: . ack 26 win 17520 (DF)
    19:07:36.340668 0:80:5f:15:b8:dc 0:d0:b7:83:61:fe ip 54: 12-248-255-47.client.attbi.com.47289 > 65.192.117.72.www: R 1:1(0) ack 26 win 0
    19:07:36.340742 0:80:5f:15:b8:dc 0:d0:b7:83:61:fe ip 54: 12-248-255-47.client.attbi.com.47289 > 65.192.117.72.www: R 1:1(0) ack 26 win 0

So, my question now is, will Snort support tearing down of connections (i.e. TCP reset) on a stealth interface? Don't tell me that it supports it. RESP doesn't do anything at all if your interface doesn't have an IP address. Someone on the mailing list told me that it's possible, but I would just like to correct that: it's not working.

Anyway, I usually downloaded some scripts before at "hack co za" to test my servers, but that site won't be up anymore. Do you guys know of any other sites that have programs/utilities/scripts that I can download, other than packetstorm or securityfocus?

Now, my next experiment will be Spade. How does Spade benefit us beyond how we normally configure Snort?

Thanks everyone for the help.

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
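For reference, the kind of rule that produces the resets seen in the trace above, as an added example and not a rule from the original post or from the Snort distribution. It assumes a flexresp-enabled Snort 1.8 build (the resp keyword is only available when Snort is compiled with --enable-flexresp), that $EXTERNAL_NET and $HTTP_SERVERS are defined in snort.conf, and that the SID 1000001 is a free local number; all three are assumptions. The experiment in the post only shows a request for /scripts/root.exe, so the rule matches that path.

```snort
# Added example (not from the original post): reset both ends of any
# established TCP session to a web server whose request URI names
# /scripts/root.exe. flags:A+ restricts the match to segments with ACK
# set, i.e. not to the initial SYN, and uricontent matches against the
# normalized request URI rather than the raw payload.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS root.exe access (flexresp test)"; flags:A+; uricontent:"/scripts/root.exe"; nocase; resp:rst_all; sid:1000001; rev:1;)
```

resp:rst_all sends resets toward both the sender and the receiver of the triggering packet, which is why the trace above shows the RST travelling from the client toward the server as well; rst_snd and rst_rcv limit the reset to one side. On the dropped-traffic question, Snort prints the packet counts reported by the capture library, including packets dropped before Snort saw them, when it exits, so ending the test run cleanly and reading that summary is the first check to make.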
Current thread:
- flexresp in snort (openbsd 3.0) Ronneil Camara (Dec 23)
- About Spade (was Re: flexresp in snort (openbsd 3.0)) James Hoagland (Dec 26)