Re: problems with alert_smb and flexresp

[Martin Roesch <roesch () sourcefire com>]

On 3/15/02 4:41 AM, "counter.spy () gmx de" <counter.spy () gmx de> wrote:

> Hi folks,
> I hope this is no drinking question ;-)
>
> I was not able to get smbalerts and the resp: rst_all to work, although I
> think I have
> configured snort correctly:
> ./configure --with-mysql --enable-smbalerts --enable-flexresp; make
>
> and I think I can remember seeing the appropriate DENABLE variables floating
> over the screen during compile time.
>
> Maybe I have misunderstood something?
>
> Format
> alert_smb: <alert workstation filename>
> output alert_smb: workstation.list
>
> I have added to my snort.conf:
> output alert_smb: /root/snort/smbhosts

Is smbclient in the $PATH of the environment that Snort is running under?
If it's not it won't work.

> Now to the flexresp problem:
> I have no IP Address assigned to the sniffing interface. Maybe that is a
> reason for snort
> not being able to reset the connections. I cannot see any RST packets in
> tcpdump.
> My original idea was that libnet should be able to spoof IP Addresse
> regardless if the interface has an IP address assigned or not, but maybe I am
> wrong
> here?

I think you're wrong.  Try it with an IP on the interface and see if it
works.

     -Marty

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users