Snort mailing list archives
Re: flexresp2 not working in snort 2.0.2
From: Jeff Nathan <jeff () snort org>
Date: Thu, 2 Oct 2003 03:00:47 -0400
Thanks for the bug report; I'll take a look. I'm glad to see at least one person using sp_respond2.

-Jeff

On Wednesday, October 1, 2003, at 06:04 AM, Nerijus Krukauskas wrote:
Hi,

I've patched freshly extracted snort-2.0.2.tar.gz with sp_respond2.diff.gz according to the instructions found in sp_respond2.readme. Then I built snort with "./configure --enable-linux-smp-stats --enable-flexresp2 --with-oracle=/home/oracle". Installed it (with "make install"). Then in snort.conf added:

--CUT--
# flexresp2 section
config flexresp2_interface: eth1
config flexresp2_attempts: 5
--CUT--

In local.rules I replicated the rule from chat.rules:

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; sid:1631; rev:4;)

and modified it as follows:

alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; resp:reset,icmp_all; sid:1631; rev:5;)

Started snort and tried AOL Instant Messenger. So far so good, snort alerted me about my AIM login, but (WHOOPS!) did not send any resets or ICMP messages (I watched for them in parallel with tcpdump). Then I tried the same rule with "resp:reset" and "resp:icmp_all" alone, with the same result: flexresp2 did not send any packets.

Is that some conflict between (almost) identical rules in chat.rules and local.rules, or is it me doing something wrong?

--
NK @ Vilnius
nk.tinkle.lt

Finagle's fourth Law: Once a job is fouled up, anything done to improve it only makes it worse.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
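The poster's own hypothesis is a clash between near-identical rules in chat.rules and local.rules. The following is an added example for this page, not code from the thread or from Snort: it parses the two quoted rules (constructed input, one rule per file), extracts the resp modifiers, and reports any sid that is defined in more than one file. It handles only the single-line rule form shown and does not validate flexresp2 modifier names.

```python
import re
from collections import defaultdict

# Constructed input: the two rules quoted in the thread (stock rule in chat.rules, copy with the flexresp2 resp option in local.rules).
RULE_FILES = {
    "chat.rules": 'alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; '
                  'content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; sid:1631; rev:4;)',
    "local.rules": 'alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; '
                   'content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; resp:reset,icmp_all; sid:1631; rev:5;)',
}

def split_options(body):
    """Split the text inside (...) on ';', ignoring ';' inside double quotes."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]

def parse_rule(line):
    """Return (header, {option: value}) for one single-line Snort rule. Flag options
    map to None; a repeated key (several content options) keeps the last value."""
    m = re.match(r'^\s*(\S.*?)\s*\((.*)\)\s*$', line)
    if not m:
        raise ValueError("not a Snort rule: " + line[:40])
    options = {}
    for opt in split_options(m.group(2)):
        key, _, val = opt.partition(':')
        options[key.strip()] = val.strip() or None
    return m.group(1), options

def audit(files):
    """Return (sid -> [(file, rev, resp modifiers)], sids defined in more than one file)."""
    by_sid = defaultdict(list)
    for fname, text in files.items():
        for line in text.splitlines():
            if not line.strip() or line.lstrip().startswith('#'):
                continue
            _, opts = parse_rule(line)
            resp = opts.get('resp')
            mods = tuple(x.strip() for x in resp.split(',')) if resp else ()
            by_sid[opts.get('sid')].append((fname, opts.get('rev'), mods))
    duplicates = {sid: hits for sid, hits in by_sid.items() if len(hits) > 1}
    return by_sid, duplicates
```

Running audit(RULE_FILES) reports sid 1631 twice, once without and once with the resp option, which is exactly the overlap the poster asks about.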
Current thread:
- flexresp2 not working in snort 2.0.2 Nerijus Krukauskas (Oct 01)
- Re: flexresp2 not working in snort 2.0.2 Jeff Nathan (Oct 02)