Snort mailing list archives
Re: Resp: and react: don't work on w2k and XP ?
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 19 Aug 2002 21:24:16 -0400
At 02:09 AM 8/20/2002 +0200, Troll wrote:
> Thank you Matt Kettler, that is working now; snort knows about resp:, but now the next problem occurs. An error is sent to me and snort dies every time: AppName: snort.exe AppVer: 0.0.0.0 ModName: packet.dll ModVer: 3.0.0.13 Offset: 00001d7d. And I don't know if it's right, but my Task Manager shows me several new programs (don't really know whether from winpcap or snort): phfqk.exe, snixmb.exe, phcop.exe ... some more. But back to my dying snort because of the failure in packet.dll; I don't know if it's really a failure in snort or in winpcap or in my rules.
First, really recommend trying to get a simple snort config working first, using the default ruleset, and very limited command line parameters.. *then* once you get snort working, start doing a custom config.. It takes a lot of the questions out like "is it my ruleset or something else?"
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"file-finder outa there1a"; flags: A+; content:"file-"; nocase; classtype:string-detect; sid:2000000; rev:1; resp: rst_all; )
Troubles aside, that's a dangerously broad rule.. are you really sure you want to attempt to terminate *any* tcp connection on any port containing the string "file-"? (note, this would include the pop3 or smtp session transferring this email and a LOT of other web and ftp traffic will match as well).
> is one of my rules .. they should block packets that contain 'file-'
Erm, flexresp won't exactly block the packets.. it will attempt to close the TCP connection containing it via reset-spoofing. Also be aware that a skilled attacker can bypass flexresp most of the time without a whole lot of effort. Don't treat flexresp as a firewall or refer to it as blocking anything... I know it's a pedantic difference, but once you start saying block, people start thinking of it as if it provided the security of a firewall.
> I started snort with the snort panel, which sets the following to start snort: E:\Snort\snort.exe -l "E:\Snort\log" -c "E:\Snort\edonkey.rules" -P 500 -a -e -o -d -A full
Why do you have -P 500 specified? It's quite unusual to use this parameter at all, much less with such a short length, the default one is probably a much better idea, where snort will try to capture the entire packet (equivalent to -P 1460)
also do you really need -a and -e?
> can someone tell me if it's really a failure in packet.dll, or if it's me, or is it XP? My reason for installing snort for win32 is now only flexresp. greetz Troll
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
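Two of Matt's points above, that a content:"file-" rule on any port will reset ordinary mail, web and ftp sessions, and that -P 500 leaves the detection engine only a few hundred payload bytes to inspect, can be made concrete with a toy matcher. The following is an added example written for this archive page; it is not Snort code and not from either poster. The matcher, the sample packets and the narrowed port set (4662, assumed here as the eDonkey default because the rules file is called edonkey.rules) are all constructed for illustration.

```python
"""Toy Snort-style content matcher (constructed example, not Snort's own engine)."""
from dataclasses import dataclass
from typing import List, Optional

# Ethernet(14) + IPv4(20) + TCP(20, no options) headers sit in front of the payload
# in the captured frame, so a snaplen of N leaves at most N - 54 payload bytes
# for the detection engine.  (Assumed header sizes; real frames may carry options.)
HEADER_BYTES = 54


@dataclass
class Packet:
    name: str         # label for the constructed sample, not a packet field
    dst_port: int
    ack: bool         # TCP ACK flag set?
    payload: bytes


@dataclass
class Rule:
    msg: str
    dst_ports: Optional[frozenset]  # None stands for "-> $HOME_NET any"
    content: bytes                  # the content: keyword
    nocase: bool = True
    require_ack: bool = True        # flags: A+  (ACK set, other flags ignored)


def rule_matches(rule: Rule, pkt: Packet, snaplen: int = 1460) -> bool:
    """True if pkt would fire rule.  Only the bytes that survive the snaplen
    are inspected, mirroring what -P leaves for the detection engine."""
    if rule.require_ack and not pkt.ack:
        return False
    if rule.dst_ports is not None and pkt.dst_port not in rule.dst_ports:
        return False
    captured = pkt.payload[: max(0, snaplen - HEADER_BYTES)]
    if rule.nocase:
        return rule.content.lower() in captured.lower()
    return rule.content in captured


def sessions_reset(rule: Rule, packets: List[Packet], snaplen: int = 1460) -> List[str]:
    """Names of the sample packets whose TCP session a resp:rst_all on this
    rule would try to tear down with spoofed RSTs."""
    return [p.name for p in packets if rule_matches(rule, p, snaplen)]


# The rule from the thread: any port, any direction into $HOME_NET, content "file-".
BROAD_RULE = Rule("file-finder outa there1a", None, b"file-")
# The same content, but confined to the one port the P2P protocol is assumed to use.
NARROW_RULE = Rule("file-finder on edonkey port only", frozenset({4662}), b"file-")

# Constructed sample traffic.  Nothing here is a real capture.
SAMPLES = [
    # The SMTP session delivering this very list mail carries the rule text itself.
    Packet("smtp-mail", 25, True,
           b"DATA\r\nSubject: Re: Resp: and react: don't work on w2k and XP ?\r\n\r\n"
           b"alert tcp $EXTERNAL_NET any -> $HOME_NET any "
           b"(msg:\"file-finder outa there1a\"; content:\"file-\"; nocase;)\r\n"),
    # "profile-" contains "file-", so an ordinary web request matches too.
    Packet("http-profile", 80, True,
           b"GET /profile-settings HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("ftp-retr", 21, True, b"RETR file-list.txt\r\n"),
    # Intended target: the string near the start of an assumed eDonkey message.
    Packet("edonkey-head", 4662, True, b"\xe3\x01FILE-request for part 0"),
    # Same string, but 600 bytes into the payload.
    Packet("edonkey-deep", 4662, True, b"\xe3" + b"A" * 600 + b"file-request"),
    # Bare SYN: no ACK, no payload; flags:A+ excludes it.
    Packet("syn-only", 4662, False, b""),
]

if __name__ == "__main__":
    for rule in (BROAD_RULE, NARROW_RULE):
        for snaplen in (1460, 500):
            hits = sessions_reset(rule, SAMPLES, snaplen)
            print(f"{rule.msg!r} at -P {snaplen}: resets {hits}")
```

With the default snaplen the broad rule resets five of the six sample sessions, including the mail, web and ftp ones; confining it to the assumed protocol port brings that down to the two eDonkey packets. Dropping to -P 500 then loses the deep match as well, because only about 446 payload bytes survive the header overhead. Even the narrowed rule only sends RSTs after the matching packet has already been delivered, which is the reset-spoofing versus blocking distinction Matt draws above.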