Snort mailing list archives

Re: Flex but no response ....


From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 15 Jan 2002 15:22:04 -0800

You might want to try sniffing the line with tcpdump or snort -v to see
if the spoofed ICMP message is actually being sent.  Most people using
flex resp on a speedy network (i.e., one that does not have the latency
inherent on the Internet) will find that while the spoofed packet is
being created, the actual one makes it back to the sender.  There's more
on this in the archives.

HTH,

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

skill2die4 wrote:

+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort and related utilities version numbers :

libnet-1.0.2a-1snort.i386.rpm
libnet.tar.gz (1.0.2a)
libpcap (0.6)
snort -1.8.3 (built 88) [configured option=flexResp]
snort-plain+flexresp.1.8.3-5-i386.rpm
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

scenario :
-----------
10.0.0.3 --- pings to ---> 10.0.0.3

rule file ::
--------------
flexRESP.rules
alert icmp 10.0.0.3 any -> any any (msg:"Not allowed"; resp:icmp_host;)

snort activation
-------------------
snort -A full -c flexRESP.rules

Observation
-------------
a. snort initialization reads -->

    1 snort rules read ....
    1 option chain linked into 1 chain header
    0 dynamic rules

b. the PING from 10.0.0.3 works and gets back a result from 10.0.0.2;
   snort only WRITES to the ALERT file

 I tried using the REACT with "TCP && BLOCK , MSG" options and telnet
 from 10.0.0.3, the connect was refused ... however I didn't get any
 VISIBLE BLOCK MESSAGE from the other side.
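The race Joe describes can be checked directly from a capture. The following is an added example, not code from this thread or from Snort: it replays a constructed packet list (a stand-in for what tcpdump or snort -v would show on the 10.0.0.3 side) and reports, per echo request, whether the genuine echo reply or the Snort-spoofed ICMP host unreachable got back to the pinging host first. Pairing responses to their request by an `ident` field is an assumption; in a real capture you would match on the echo id/seq quoted inside the unreachable.

```python
# Added example (not from the thread): per echo request, decide whether the
# spoofed host-unreachable or the real echo reply reached the pinger first.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Pkt:
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    kind: str      # "echo_req" | "echo_reply" | "host_unreach"
    ident: int     # assumed echo id/seq used to pair responses with a request

PINGER, TARGET = "10.0.0.3", "10.0.0.2"   # hosts from the quoted scenario

# Constructed capture: request 1 on a fast LAN (real reply beats the spoof),
# request 2 over a slow path (the spoofed unreachable arrives first).
SAMPLE_CAPTURE: List[Pkt] = [
    Pkt(0.000000, PINGER, TARGET, "echo_req", 1),
    Pkt(0.000180, TARGET, PINGER, "echo_reply", 1),
    Pkt(0.001900, TARGET, PINGER, "host_unreach", 1),  # forged by Snort, src spoofed
    Pkt(1.000000, PINGER, TARGET, "echo_req", 2),
    Pkt(1.002100, TARGET, PINGER, "host_unreach", 2),
    Pkt(1.085000, TARGET, PINGER, "echo_reply", 2),
]

def flexresp_race(packets: List[Pkt]) -> Dict[int, Tuple[str, Optional[float]]]:
    """Map each echo request ident to (winner, margin_ms).

    winner is "reply" if the genuine echo reply arrived first, "unreach" if the
    spoofed unreachable did, or "none" if neither was seen. margin_ms is how far
    the winner led the loser, or None when only one of the two arrived.
    """
    first: Dict[int, Dict[str, float]] = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if p.kind == "echo_req":
            first.setdefault(p.ident, {})
        elif p.ident in first and p.kind not in first[p.ident]:
            first[p.ident][p.kind] = p.ts   # keep only the earliest of each kind
    verdicts: Dict[int, Tuple[str, Optional[float]]] = {}
    for ident, seen in first.items():
        reply, unreach = seen.get("echo_reply"), seen.get("host_unreach")
        if reply is None and unreach is None:
            verdicts[ident] = ("none", None)
        elif unreach is None or (reply is not None and reply < unreach):
            verdicts[ident] = ("reply", None if unreach is None else (unreach - reply) * 1000)
        else:
            verdicts[ident] = ("unreach", None if reply is None else (reply - unreach) * 1000)
    return verdicts
```

A "reply" verdict with a margin of a millisecond or two is exactly the LAN case Joe describes: the response was sent, it just lost the race.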


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
