Snort mailing list archives

RE: Flexresp


From: Alwin Raymundo <alrayworld () yahoo com>
Date: Tue, 9 Apr 2002 05:11:19 -0700 (PDT)

Hi Paul,

In my case I installed snort in one of our four linux
boxes, which is exposed to the internet.

Every activity within is logged in our intranet (linux)
with mysql, apache and php.  Doing so will not
burden the sensor, and the report is for internal use
only.

The bottom line is I did not experience what you
experienced regarding the refreshing of a web browser.

Thanks for your suggestion.  I appreciated it.

Thanks again


--- "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com> wrote:

What I did to test flexresp: I opened a web site in my browser from my
desktop and made sure the site came up properly. Then I created a test rule
using "resp: rst_all" to block access to the IP address to that site. Then I
started Snort to use that rule and went back to my browser and hit refresh.
You'll know the rule is working when your browser appears to hang (the site
never refreshes and the progress bar at the bottom of the browser crawls
very slowly....the site never comes up no matter how long you wait). If you
stop Snort and hit refresh again, the site will refresh properly.


Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com



-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld () yahoo com]
Sent: Monday, April 08, 2002 3:49 PM
To: Ronneil Camara
Cc: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Flexresp


Hi Ronneil,

Thanks.  I will take note of that.

How about to test if this works or not?  Where to
look? Is it in the log files or in my mysql?

Thanks again.


--- Ronneil Camara <ronneilc () remingtonltd com> wrote:
Just one note, I had a bad experience with resp:rst_all;.
It should be resp: rst_all;. Take note of the space.

It's weird but works.

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Monday, April 08, 2002 1:35 PM
To: Alwin Raymundo
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Flexresp


Well,

You could enable an ftp server on your snort box.
Set up your flexresp rules to include the address of your snort box.
Start your snort running.
Call your friends and ask them to pull down files from your snort box.
Ask your friends to let you know how it went.

Later,

On Mon, Apr 08, 2002 at 10:50:24AM -0700, Alwin Raymundo wrote:
Hi Guys,

I need your HELP! I just recently recompiled my snort
with-mysql and flexresp.

Now my question is: how do I know that flexresp is
working? Where do I look for something that indicates
flexresp is working?

I use the resp:rst_all; in some of my snort rules.

Your quick response is highly appreciated.

Thanks in Advance.



=====
Alwin Raymundo


__________________________________________________
Do You Yahoo!?
Yahoo! Tax Center - online filing with
TurboTax
http://taxes.yahoo.com/


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


=====
Alwin Raymundo

=====
Alwin Raymundo
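
A complementary way to answer the "where do I look?" question in this thread is to watch the wire for the injected resets while repeating the browser test. The script below is an added example, not code from any poster or from Snort; it assumes modern `tcpdump -nn` text output, and the sample capture and addresses are constructed. It relies on the documented behaviour that `rst_all` sends TCP RSTs in both directions.

```python
import re
from collections import Counter

# Assumed input: modern `tcpdump -nn` text output for IPv4 TCP segments.
SEGMENT = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.\d+: "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample capture (documentation addresses, not real traffic):
# 192.0.2.10 is the desktop browser, 203.0.113.80 the site named in the test rule.
SAMPLE = """\
12:00:01.000100 IP 192.0.2.10.51514 > 203.0.113.80.80: Flags [S], seq 1000, win 64240, length 0
12:00:01.020300 IP 203.0.113.80.80 > 192.0.2.10.51514: Flags [S.], seq 5000, ack 1001, win 65535, length 0
12:00:01.020400 IP 192.0.2.10.51514 > 203.0.113.80.80: Flags [.], ack 5001, win 64240, length 0
12:00:01.020900 IP 192.0.2.10.51514 > 203.0.113.80.80: Flags [P.], seq 1001:1401, ack 5001, win 64240, length 400
12:00:01.021500 IP 203.0.113.80.80 > 192.0.2.10.51514: Flags [R.], seq 5001, ack 1401, win 0, length 0
12:00:01.021600 IP 192.0.2.10.51514 > 203.0.113.80.80: Flags [R.], seq 1401, ack 5001, win 0, length 0
12:00:02.500000 IP 192.0.2.10.51600 > 198.51.100.7.443: Flags [R], seq 77, win 0, length 0
""".splitlines()

def rst_counts(lines, site_ip):
    """Count RST segments on flows with site_ip, keyed by the side that receives them."""
    counts = Counter()
    for line in lines:
        m = SEGMENT.search(line)
        if not m or "R" not in m["flags"]:
            continue  # not a TCP line we understand, or not a reset
        if m["dst"] == site_ip:
            counts["to_site"] += 1
        elif m["src"] == site_ip:
            counts["to_client"] += 1  # appears to come from the site
    return counts

def verdict(counts):
    """rst_all resets both ends, so both directions should show at least one RST."""
    seen = {side for side in ("to_site", "to_client") if counts[side]}
    if len(seen) == 2:
        return "resets in both directions (consistent with rst_all)"
    if seen:
        return "resets toward one side only: " + seen.pop()
    return "no resets seen: rule did not fire or capture point missed them"

if __name__ == "__main__":
    c = rst_counts(SAMPLE, "203.0.113.80")
    print(dict(c), "->", verdict(c))
```

A reset on the wire does not by itself prove Snort sent it, so compare against a capture taken with Snort stopped, as in the browser test quoted above.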
