Re: [Snort-sigs] RESP not working in rules

[Matt Kettler <mkettler () evi-inc com>]

Are you using a flexresp build of snort?
ie: if you downloaded a binary did you get a with-flexresp version, or if 
you built your own did you ./configure --enable-flexresp ?

if not, get a flexresp build if you want to use flexresp.

Since this is a general snort configuration problem, not an effort to 
develop rulesets, this really a snort-users question, not a snort-sigs, so 
I am CCing the response to that list instead of the sigs list. If you have 
further troubles, follow up there and include more info about what you did 
to install snort.

At 11:57 AM 4/20/2002 -0400, William Cameron wrote:
> Hello,
>
>   I am using snort 1.8.6 and I am having trouble using the "resp" keyword 
> to reset detected attacks. I get the following error when I try to run snort:
>
> [root@airwolf3 snort-1.8.6]# ./snort -dev -l ./log -s -h 192.168.0.0/24 -c 
> snort.conf
> Log directory = ./log
>
> Initializing Network Interface eth0
>
>         --== Initializing Snort ==--
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file snort.conf
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
> snort-sigs () lists sourceforge net
> snort-sigs () lists sourceforge net
> Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
> No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
>      Reassembly method: FAVOR_OLD
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
>
> ERROR: .//web-iis.rules(7) => Unknown keyword "resp" in rule!
> Fatal Error, Quitting..
> [root@airwolf3 snort-1.8.6]#
>
>
> My web-iis.rules has entries like this:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webdav file 
> lock attempt"; flags:A+; content:"LOCK "; offset:0; depth:5; 
> reference:bugtraq,2736; classtype:web-application-activity; sid:969; 
> rev:1; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI 
> .printer access"; uricontent:".printer"; nocase; flags:A+; 
> reference:cve,CAN-2001-0241; reference:arachnids,533; 
> classtype:web-application-activity; sid:971; rev:1; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida 
> attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; 
> reference:arachnids,552; classtype:web-application-attack; 
> reference:cve,CAN-2000-0071; sid:1243; rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida 
> access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; 
> classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; 
> rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq 
> attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; 
> reference:arachnids,553; classtype:web-application-attack; 
> reference:cve,CAN-2000-0071; sid:1244; rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq 
> access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; 
> classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1245; 
> rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp 
> access";flags: A+; uricontent:"%2e.asp"; nocase; reference:bugtraq,1814; 
> reference:cve,CAN-1999-0253; classtype:web-application-activity; sid:972; 
> rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc 
> attempt";flags: A+; content:"*.idc"; nocase; reference:bugtraq,1448; 
> reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:973; 
> rev:3; resp:rst_all;)
>
>
> Does anyone have any ideas why the "resp" keyword is not recognized ?
>
> Thanks,
> William Cameron
> wscamero () nc rr com
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users