Snort mailing list archives
Re: Snort+flexresp
From: Sonika Malhotra <sonikam () magnum barc ernet in>
Date: Thu, 14 Mar 2002 16:03:30 +0530
"Bamm (Robert) Visscher" wrote:
If you did not observe a RST packet at all, then the rule you created did not trigger correctly or at all. Once a packet matches a rule with a resp: directive, the appropriate response packet (rst or ICMP) is going to be sent. Whether or not the response will be effective depends on the accuracy of the snort crafted response packet(s). FWIW, if you are trying to create a rule to kill HTTP connections on detection of "cmd.exe" (or a content rule of any type in HTTP), then forget it. It will rarely be effective.
Please elaborate on this: why does the 'resp' option work for rules of the type alert tcp any any -> x.x.x.x pp (resp:rst_all; msg:"aiiee";) and not in general for pattern-matching rules? thanx. sm
Bammkkkk

On Wed, 2001-03-14 at 08:56, skill2die4 wrote:

Hi:

I was working on flexREsp in my lab and the set-up was :

    ----------              ----------
    - compA - +++++++++++++ - compB -
    ----------              ----------

    +++   = crossover
    compA = running snort
    compB = testing machine

So, in my case even though FLEXRESP might be installed properly, it wasn't replying to packets with a RST packet (as per the rules that I created) due to the time frame given to snort to create the packet (as per my understanding now...thanks to ROEL)

Questions:
----------
1. Was it because compA replied before snort could craft the reply packet?
2. Even if so, I should have seen at least a single RST (even though with a delayed sequence number) packet?
3. Since I didn't see even a single RST packet over the network, should I ASSume that the problem lies with my installation or rulesets?
4. How can I create network DELAYS in the Lab environment? [** MOST IMPORTANT **]

Thanks!
Skill2die4
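As an added illustration, not part of the thread or of Snort's own code, here is a small Python model of the race Bamm describes: a RST crafted from the packet that matched the rule is only honoured by a peer if its sequence number still falls in that peer's receive window, and by the time the RST arrives an HTTP server has often already pushed its response, moving the client's window past it. The way the two RST sequence numbers are derived from the matched packet, the endpoint numbers and the window sizes are assumptions made for the model, not a description of flexresp internals.

```python
"""Constructed model of a sensor RST racing the peers' own traffic."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    rcv_nxt: int   # next sequence number this side expects from its peer
    rcv_wnd: int   # receive window this side advertises


@dataclass
class Packet:
    seq: int
    ack: int
    payload_len: int


def rst_accepted(ep: Endpoint, rst_seq: int, strict: bool = False) -> bool:
    """RFC 793 acts on a RST anywhere in the window; RFC 5961-style stacks
    (strict=True) only act on an exact match with rcv_nxt."""
    if strict:
        return rst_seq == ep.rcv_nxt
    return ep.rcv_nxt <= rst_seq < ep.rcv_nxt + ep.rcv_wnd


def craft_rst_pair(matched: Packet):
    """Assumed construction: the RST sent toward the receiver of the matched
    packet carries seq = matched.seq + len (what the receiver expects next),
    the RST sent toward the sender carries seq = matched.ack."""
    return matched.seq + matched.payload_len, matched.ack


def simulate(matched: Packet, client: Endpoint, server: Endpoint,
             server_bytes_before_rst: int, strict: bool = False):
    """Return (rst_hits_server, rst_hits_client). `server_bytes_before_rst`
    is how much of its response the server delivered to the client before
    the sensor's RST got there; 0 means the sensor won the race."""
    to_server_seq, to_client_seq = craft_rst_pair(matched)
    # The matched request reaches the server regardless, advancing its rcv_nxt.
    server_after = Endpoint(matched.seq + matched.payload_len, server.rcv_wnd)
    # Any response already received advances the client's rcv_nxt.
    client_after = Endpoint(client.rcv_nxt + server_bytes_before_rst, client.rcv_wnd)
    return (rst_accepted(server_after, to_server_seq, strict),
            rst_accepted(client_after, to_client_seq, strict))


if __name__ == "__main__":
    # Constructed numbers: handshake done, client ISN 1000, server ISN 5000,
    # then a 300-byte request that a content rule matches.
    req = Packet(seq=1001, ack=5001, payload_len=300)
    for sent in (0, 1200):
        hit = simulate(req, Endpoint(5001, 65535), Endpoint(1001, 65535), sent)
        print(f"server already sent {sent:4d} bytes -> RST hits (server, client) = {hit}")
```

With a short HTTP response the client-side RST is stale by the time it arrives, so the connection is torn down at most on the server side, after the response has already gone out.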