Snort mailing list archives
Resp/React Firing Problem/Bug
From: MASM <mrclst () webrain pt>
Date: Tue, 18 Jun 2002 18:06:20 +0100
Hi,

I'm doing some tests with Snort version 1.8.6 (the stable one) with FlexResp (which needs some testing, I know). I wrote a rule (in local.rules) similar to one of the default rules, except for the content string and the added resp:rst_all keyword:

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET roote login"; content:"login\: roote"; flags: A+; classtype:suspicious-login; sid:719000; rev:2; resp:rst_all;)

What happened was that after I do 'login: roote' the connection is dropped right after the "Login incorrect" message. But the same happens if I do 'login: xpto', or anything else that causes a match of the default rule:

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; flags:A+; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:5;)

After enabling debug, analysing it and doing some digging in the code, I found out that the functions associated with the Resp or React keywords are not attached to the OTN (option tree node) of the rule (like other keywords) but to the RTN (rule tree node) of the rule. Which means (I suppose) that all the rules with the same header will have the response triggered and will have their connections dropped. I found in the debug output that the previous default rule is on the same RTN (among others) as the one created by me.

What is the reason for this implementation choice, and how can I solve this problem (bug or not)?

In the meantime I found another strange small bug with the rev keyword: without it the rule does not respond with rst.

These are problems only with the response feature; alerts are just fine!

Hoping for an answer,
MASM
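To make the RTN/OTN distinction in the post concrete, below is an added toy model of a Snort-style rule tree. It is not Snort source and not code from the post: rules sharing a header go into one rule tree node (RTN), each rule's options go into its own option tree node (OTN), and the model can attach a resp: response either to the RTN (the behaviour MASM reports for 1.8.6) or to the OTN (the per-rule behaviour one would expect). The two rules are the ones quoted above; the header regex, the RuleTree class, the sample telnet payloads and the fact that flags:A+ is ignored are all assumptions of this illustration.

```python
"""Toy model of where a 'resp:' response is attached in a Snort-style rule tree.

Added illustration, not Snort source: rules with the same header share one
rule tree node (RTN); each rule's options live in its own option tree node
(OTN). The post reports that in Snort 1.8.6 the FlexResp handler hangs off
the RTN, so a match on ANY rule under that header fires it. Both attachment
points are modelled here so the difference can be seen on sample payloads.
"""
import re
from collections import defaultdict

# The two rules quoted in the post. Only content, sid and resp are
# interpreted by this toy parser; flags, classtype, reference etc. are
# parsed but ignored (assumption: no flag/session state modelled).
RULES = [
    'alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET roote login"; '
    'content:"login\\: roote"; flags: A+; classtype:suspicious-login; '
    'sid:719000; rev:2; resp:rst_all;)',
    'alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; '
    'content:"Login incorrect"; flags:A+; reference:arachnids,127; '
    'classtype:bad-unknown; sid:718; rev:5;)',
]

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Split a rule into its header tuple and an {option: value} dict."""
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError("unparseable rule: %r" % text)
    header = m.groups()[:6]
    options = {}
    for opt in m.group(7).split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(':')
        options[key.strip()] = value.strip()
    # content is quoted and may escape ':' as '\:' (as in the post's rule).
    if "content" in options:
        options["content"] = options["content"].strip('"').replace('\\:', ':')
    return header, options


class RuleTree:
    """Rules grouped by header; resp_on_rtn selects the attachment point."""

    def __init__(self, rules, resp_on_rtn):
        self.resp_on_rtn = resp_on_rtn
        self.rtns = defaultdict(lambda: {"resp": set(), "otns": []})
        for text in rules:
            header, opts = parse_rule(text)
            rtn = self.rtns[header]
            rtn["otns"].append({"sid": opts["sid"],
                                "content": opts["content"],
                                "resp": opts.get("resp")})
            if resp_on_rtn and opts.get("resp"):
                # RTN attachment: the response becomes a property of the
                # shared header node, not of the rule that declared it.
                rtn["resp"].add(opts["resp"])

    def evaluate(self, header, payload):
        """Return (sids that matched, responses fired) for one packet."""
        rtn = self.rtns.get(header)
        matched, fired = [], []
        if rtn is None:
            return matched, fired
        for otn in rtn["otns"]:
            if otn["content"] not in payload:
                continue
            matched.append(otn["sid"])
            if self.resp_on_rtn:
                fired.extend(sorted(rtn["resp"]))
            elif otn["resp"]:
                fired.append(otn["resp"])
        return matched, fired


TELNET_HDR = ("alert", "tcp", "$HOME_NET", "23", "$EXTERNAL_NET", "any")

# Constructed server-to-client telnet fragments, one per packet.
PACKETS = {
    "roote": "login: roote",
    "incorrect": "Login incorrect",
    "xpto": "login: xpto",
}


def compare(packets=PACKETS):
    """Map packet name -> {attachment: (matched sids, fired responses)}."""
    trees = {"rtn": RuleTree(RULES, resp_on_rtn=True),
             "otn": RuleTree(RULES, resp_on_rtn=False)}
    return {name: {where: tree.evaluate(TELNET_HDR, payload)
                   for where, tree in trees.items()}
            for name, payload in packets.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

With the response hung off the RTN, the "Login incorrect" packet matches only sid 718, which declares no resp, yet rst_all still fires because the header node carries it; with the response on the OTN, only a packet matching sid 719000 resets the session. That is exactly the symptom described in the post: any rule sharing the telnet header inherits the reset.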