![snort logo](/images/snort-logo.png)
Snort mailing list archives
Re: [Snort-sigs] RESP not working in rules
From: Matt Kettler <mkettler () evi-inc com>
Date: Sat, 20 Apr 2002 14:09:52 -0400
Are you using a flexresp build of snort?ie: if you downloaded a binary did you get a with-flexresp version, or if you built your own did you ./configure --enable-flexresp ?
if not, get a flexresp build if you want to use flexresp.Since this is a general snort configuration problem, not an effort to develop rulesets, this really a snort-users question, not a snort-sigs, so I am CCing the response to that list instead of the sigs list. If you have further troubles, follow up there and include more info about what you did to install snort.
At 11:57 AM 4/20/2002 -0400, William Cameron wrote:
Hello,I am using snort 1.8.6 and I am having trouble using the "resp" keyword to reset detected attacks. I get the following error when I try to run snort:[root@airwolf3 snort-1.8.6]# ./snort -dev -l ./log -s -h 192.168.0.0/24 -c snort.confLog directory = ./log Initializing Network Interface eth0 --== Initializing Snort ==-- Decoding Ethernet on interface eth0 Initializing Preprocessors! Initializing Plug-ins! Initializating Output Plugins! Parsing Rules file snort.conf +++++++++++++++++++++++++++++++++++++++++++++++++++ Initializing rule chains... No arguments to frag2 directive, setting defaults to: Fragment timeout: 60 seconds Fragment memory cap: 4194304 bytes snort-sigs () lists sourceforge net snort-sigs () lists sourceforge net Stream4 config: Stateful inspection: ACTIVE Session statistics: INACTIVE Session timeout: 30 seconds Session memory cap: 8388608 bytes State alerts: INACTIVE Scan alerts: ACTIVE Log Flushed Streams: INACTIVE No arguments to stream4_reassemble, setting defaults: Reassemble client: ACTIVE Reassemble server: INACTIVE Reassemble ports: 21 23 25 53 80 143 110 111 513 Reassembly alerts: ACTIVE Reassembly method: FAVOR_OLD Back Orifice detection brute force: DISABLED Using LOCAL time ERROR: .//web-iis.rules(7) => Unknown keyword "resp" in rule! Fatal Error, Quitting.. [root@airwolf3 snort-1.8.6]# My web-iis.rules has entries like this:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webdav file lock attempt"; flags:A+; content:"LOCK "; offset:0; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:1; resp:rst_all;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:web-application-activity; sid:971; rev:1; resp:rst_all;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2; resp:rst_all;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2; resp:rst_all;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1244; rev:2; resp:rst_all;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1245; rev:2; resp:rst_all;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp access";flags: A+; uricontent:"%2e.asp"; nocase; reference:bugtraq,1814; reference:cve,CAN-1999-0253; classtype:web-application-activity; sid:972; rev:2; resp:rst_all;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc attempt";flags: A+; content:"*.idc"; nocase; reference:bugtraq,1448; reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:973; rev:3; resp:rst_all;)Does anyone have any ideas why the "resp" keyword is not recognized ? Thanks, William Cameron wscamero () nc rr com _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: [Snort-sigs] RESP not working in rules Matt Kettler (Apr 20)