Snort mailing list archives
Re: problems with alert_smb and flexresp
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 15 Mar 2002 09:40:17 -0500
On 3/15/02 4:41 AM, "counter.spy () gmx de" <counter.spy () gmx de> wrote:
Hi folks, I hope this is no drinking question ;-) I was not able to get smbalerts and the resp: rst_all to work, although I think I have configured snort correctly: ./configure --with-mysql --enable-smbalerts --enable-flexresp; make and I think I can remember seeing the appropriate DENABLE variables floating over the screen during compile time. Maybe I have misunderstood something? Format alert_smb: <alert workstation filename> output alert_smb: workstation.list I have added to my snort.conf: output alert_smb: /root/snort/smbhosts
Is smbclient in the $PATH of the environment that Snort is running under? If it's not it won't work.
Now to the flexresp problem: I have no IP Address assigned to the sniffing interface. Maybe that is a reason for snort not being able to reset the connections. I cannot see any RST packets in tcpdump. My original idea was that libnet should be able to spoof IP Addresse regardless if the interface has an IP address assigned or not, but maybe I am wrong here?
I think you're wrong. Try it with an IP on the interface and see if it works. -Marty -- Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616 Sourcefire: Professional Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- problems with alert_smb and flexresp counter . spy (Mar 15)
- Re: problems with alert_smb and flexresp Martin Roesch (Mar 15)
- <Possible follow-ups>
- Re: problems with alert_smb and flexresp counter . spy (Mar 18)