Snort mailing list archives
Re: problems with alert_smb and flexresp
From: counter.spy () gmx de
Date: Mon, 18 Mar 2002 18:00:22 +0100 (MET)
Hello all, just wanted to post that Flexresp now works great for me (many thanks Martin!). I have tested the "resp: rst_all" with my own SubSeven rules and it worked like a charm. Gee, this is really impressive! Cool feature, although I know its use is not recommended by most IDS specialists.

SMBalerts still don't work. I have checked the PATH variable and found it was okay. Now I used tcpdump to see if snort sends any NetBIOS requests, and yes, it does. So the problem is not with snort, I think, but with my misconfiguration. The SMB host replies with "netbiosname not present" and "connection refused". Maybe someone could give me a hint on which syntax to use in the smbhosts file? Is the syntax similar to the lmhosts file of Windows boxes? I have tried several variants but none of them worked. Maybe someone can give me a sample entry for the snort smb hosts list.

Thanks again!
Greetings, D.Liesen

----------------------original message------------------------------------
On 3/15/02 4:41 AM, "counter.spy () gmx de" <counter.spy () gmx de> wrote:
Hi folks, I hope this is no drinking question ;-) I was not able to get smbalerts and the resp: rst_all to work, although I think I have configured snort correctly:

./configure --with-mysql --enable-smbalerts --enable-flexresp; make

and I think I can remember seeing the appropriate DENABLE variables floating over the screen during compile time. Maybe I have misunderstood something?

Format alert_smb: <alert workstation filename>
output alert_smb: workstation.list

I have added to my snort.conf:

output alert_smb: /root/snort/smbhosts
Is smbclient in the $PATH of the environment that Snort is running under? If it's not it won't work.
Now to the flexresp problem: I have no IP address assigned to the sniffing interface. Maybe that is a reason for snort not being able to reset the connections. I cannot see any RST packets in tcpdump. My original idea was that libnet should be able to spoof IP addresses regardless of whether the interface has an IP address assigned or not, but maybe I am wrong here?
I think you're wrong. Try it with an IP on the interface and see if it works.

-Marty

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

--
GMX - The communication platform on the Internet. http://www.gmx.net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
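The two checks the thread circles around, written out as an added example (not code from the thread or from the Snort project): is smbclient visible to the environment Snort actually runs in, and does the smbhosts list contain one bare NetBIOS name per line, which is the format alert_smb hands to "smbclient -M" as I read the Snort docs (treat that as an assumption and confirm against your version's manual). The sample list, the hypothetical SNIFF_IFACE variable and its eth0 default are constructed for this script; nothing is sent on the network unless you call send_popup yourself.

```bash
#!/bin/bash
# Added diagnostic for the alert_smb / flexresp questions above (example code, not Snort's own).
#  1. smbclient must be on the PATH of the process running Snort.
#  2. The smbhosts file is assumed to hold one bare NetBIOS name per line (my reading of
#     the Snort docs); lmhosts-style "IP NAME" lines and UNC prefixes are rejected here.
#  3. send_popup reproduces a single alert_smb delivery so one host can be tested by hand.
#  4. iface_has_ipv4 checks the sniffing interface for an address, per Marty's suggestion.

# 1. Run this with the PATH the daemon will have (init script, cron), not your login shell's.
check_smbclient() {
    local p
    if p=$(command -v smbclient 2>/dev/null); then
        echo "smbclient found at $p"
        return 0
    fi
    echo "smbclient is not in PATH ($PATH): alert_smb cannot send anything" >&2
    return 1
}

# 2. Print the usable names from an smbhosts file, one per line; report and skip anything
#    that is not a bare NetBIOS name. Blank lines and '#' comments are skipped (this
#    script's convention, not a documented Snort one). Returns 1 if any line was rejected.
validate_smbhosts() {
    local file=$1 line n=0 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF from a Windows editor
        case $line in
            '' | \#*)
                continue ;;
            *[[:space:]]*)
                printf "line %s: '%s' has whitespace; lmhosts-style 'IP NAME' entries are not names\n" "$n" "$line" >&2
                rc=1; continue ;;
            *\\*)
                printf "line %s: '%s' contains a backslash; use the bare name without a UNC prefix\n" "$n" "$line" >&2
                rc=1; continue ;;
        esac
        if [ ${#line} -gt 15 ]; then
            printf "line %s: '%s' is longer than 15 characters, the NetBIOS name limit\n" "$n" "$line" >&2
            rc=1; continue
        fi
        echo "$line"
    done < "$file"
    return $rc
}

# 3. One alert_smb delivery by hand: smbclient -M NAME reads the WinPopup message from stdin.
#    A "name not present" or "connection refused" reply here is a NetBIOS name-resolution
#    or Messenger-service problem on the Windows side, not a Snort one.
send_popup() {
    printf 'test WinPopup from snort sensor %s\n' "$(hostname)" | smbclient -M "$1"
}

# 4. Flexresp: confirm the sniffing interface has an IPv4 address.
iface_has_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | grep -q ' inet '
}

# Constructed sample smbhosts list (not from the thread): lines 1 and 4 are valid.
SMBHOSTS_SAMPLE=$(mktemp)
cat > "$SMBHOSTS_SAMPLE" <<'EOF'
WINBOX01
192.168.1.5 OPS-DESK
\\ADMIN-PC
OPS-DESK
thisnameiswaytoolong
EOF

check_smbclient || true
validate_smbhosts "$SMBHOSTS_SAMPLE" || echo "fix the entries flagged above before pointing snort.conf at the file" >&2
if iface_has_ipv4 "${SNIFF_IFACE:-eth0}"; then
    echo "${SNIFF_IFACE:-eth0} has an IPv4 address"
else
    echo "${SNIFF_IFACE:-eth0} has no IPv4 address (or ip(8) is missing); resp: rst_all may stay silent" >&2
fi
```

Run it as the same user and with the same environment as the Snort process (for example from the init script with `sh -x`), since a PATH that is fine in an interactive root shell is the usual reason smbclient is "not found" only when Snort calls it. Once the list validates and `send_popup WINBOX01` reaches the target, point `output alert_smb:` at the cleaned file.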
Current thread:
- problems with alert_smb and flexresp counter . spy (Mar 15)
- Re: problems with alert_smb and flexresp Martin Roesch (Mar 15)
- <Possible follow-ups>
- Re: problems with alert_smb and flexresp counter . spy (Mar 18)