Snort mailing list archives

Resp/React Firing Problem/Bug


From: MASM <mrclst () webrain pt>
Date: Tue, 18 Jun 2002 18:06:20 +0100


Hi,

I'm doing some tests with the 1.8.6 Snort version (the stable one) with
FlexResp (which needs some testing, I know).
I wrote a rule (in local.rules) similar to one of the default rules, except for
the content string and the added resp:rst_all keyword:

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET roote login";
content:"login\: roote"; flags: A+; classtype:suspicious-login; sid:719000;
rev:2; resp:rst_all;)

What happened was that after I do 'login: roote' the connection is dropped
right after the "Login incorrect" message. But the same happens if I do 'login:
xpto', or anything else that causes a match of the default rule:

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect";
content:"Login incorrect"; flags:A+; reference:arachnids,127;
classtype:bad-unknown; sid:718;  rev:5;)

After enabling debug, analysing it and doing some digging in the code, I found
out that the functions associated with the Resp or React keywords are not
attached to the OTN (option tree node) of the rule (like other keywords) but
to the RTN (rule tree node) of the rule. Which means (I suppose) that all the
rules with the same header will have the response triggered and will have
their connections dropped. I found in the debug output that the default rule
above is on the same RTN (among others) as the one created by me.

What is the reason for this implementation option, and how can I solve this
problem (bug or not)?

In the meantime I found another strange small bug with the rev keyword:
without it the rule does not respond with an RST.

These are problems only with the response feature, alerts are just fine!

       Hoping for an answer,

               MASM
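The following is an added illustration, not code from the post or from Snort itself. It is a deliberately simplified model of the rule tree the post describes: one RTN per unique rule header, with the per-rule options hanging off it as OTNs. The two rules are the ones quoted above (with the options this model ignores, such as flags, classtype and reference, left out), and the packets are constructed. The `attach` parameter is an assumption for the sake of the demonstration: "rtn" stores the response on the shared header node, as the post says 1.8.6 does, and "otn" keeps it on the rule's own option node. Address variables like $HOME_NET are kept only for grouping; only protocol and ports are matched.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Header:
    """Rule header: everything before the parenthesised options."""
    proto: str
    src: str
    sport: str
    dst: str
    dport: str


@dataclass
class OTN:
    """Option tree node: the per-rule options (msg, content, sid, resp...)."""
    sid: int
    msg: str
    content: bytes
    resp: Optional[str] = None


@dataclass
class RTN:
    """Rule tree node: one per unique header, owning a chain of OTNs."""
    header: Header
    otns: list = field(default_factory=list)
    resp: Optional[str] = None  # only used when responses are attached here


# The two rules quoted in the post (options not modelled here are dropped).
RULES = [
    (Header("tcp", "$HOME_NET", "23", "$EXTERNAL_NET", "any"),
     OTN(718, "TELNET login incorrect", b"Login incorrect")),
    (Header("tcp", "$HOME_NET", "23", "$EXTERNAL_NET", "any"),
     OTN(719000, "TELNET roote login", b"login: roote", resp="rst_all")),
]


def build_rule_tree(rules, attach):
    """Group OTNs under one RTN per identical header.

    attach="rtn": a rule carrying resp sets it on the shared RTN, so every
    OTN under that header inherits it (the behaviour the post observed).
    attach="otn": the response stays on the rule's own OTN.
    """
    tree = {}
    for hdr, otn in rules:
        rtn = tree.setdefault(hdr, RTN(hdr))
        rtn.otns.append(otn)
        if attach == "rtn" and otn.resp:
            rtn.resp = otn.resp
    return list(tree.values())


def _port_ok(rule_port, pkt_port):
    return rule_port == "any" or int(rule_port) == pkt_port


def responses_for(pkt, rules=RULES, attach="rtn"):
    """Return [(sid, response)] for every OTN whose content appears in the
    packet payload. The response reported depends on where it is attached."""
    hits = []
    for rtn in build_rule_tree(rules, attach):
        h = rtn.header
        if h.proto != pkt["proto"]:
            continue
        if not (_port_ok(h.sport, pkt["sport"]) and _port_ok(h.dport, pkt["dport"])):
            continue
        for otn in rtn.otns:
            if otn.content in pkt["payload"]:
                hits.append((otn.sid, rtn.resp if attach == "rtn" else otn.resp))
    return hits


def telnet_pkt(payload, sport=23, dport=40123):
    """Constructed server-to-client packet (telnet server on port 23)."""
    return {"proto": "tcp", "sport": sport, "dport": dport, "payload": payload}


if __name__ == "__main__":
    for attach in ("rtn", "otn"):
        for payload in (b"login: roote\r\n", b"Login incorrect\r\n"):
            print(attach, payload, responses_for(telnet_pkt(payload), attach=attach))
```

With responses on the RTN, the packet that only matches sid 718 ("Login incorrect") still comes back with rst_all, because both rules share the header `tcp $HOME_NET 23 -> $EXTERNAL_NET any`; with responses on the OTN, only sid 719000 carries it.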

