Snort mailing list archives

Re: flexresp2 not working in snort 2.0.2


From: Jeff Nathan <jeff () snort org>
Date: Thu, 2 Oct 2003 03:00:47 -0400


Thanks for the bug report,

I'll take a look.

I'm glad to see at least one person using sp_respond2.

-Jeff

On Wednesday, October 1, 2003, at 06:04 AM, Nerijus Krukauskas wrote:


Hi,

  I've patched freshly extracted snort-2.0.2.tar.gz with
sp_respond2.diff.gz according to instructions found in
sp_respond2.readme. Then I built snort with "./configure
--enable-linux-smp-stats --enable-flexresp2
--with-oracle=/home/oracle". Installed it (with "make install").

  Then in snort.conf added:
--CUT--
# flexresp2 section
config flexresp2_interface: eth1
config flexresp2_attempts: 5
--CUT--

  In local.rules replicated the rule from chat.rules:
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login";
flow:to_server,established; content:"|2a 01|"; offset:0; depth:2;
classtype:policy-violation; sid:1631; rev:4;)

  And modified it as follows:
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login";
flow:to_server,established; content:"|2a 01|"; offset:0; depth:2;
classtype:policy-violation; resp:reset,icmp_all; sid:1631; rev:5;)

  Started snort and tried AOL Instant Messenger. So far so good,
snort alerted me about my AIM login, but (WHOOPS!) did not send any
resets or icmp messages (I watched for them in parallel with tcpdump).
Then I tried the same rule with "resp:reset" and "resp:icmp_all" alone
with the same result -- flexresp2 did not send any packets.

  Is that some conflict between (almost) identical rules in
chat.rules and local.rules, or is it me doing something wrong?

--
NK @ Vilnius
nk.tinkle.lt

Finagle's fourth Law: Once a job is fouled up, anything done to improve it only makes it worse.




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age
eighteen."   - Albert Einstein

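A small rule-file linter for the situation described in the quoted report, added here as an example and not code from the thread or from Snort: it parses the two rule lines as they would sit in chat.rules and local.rules, reports that sid 1631 is defined twice (rev 4 without resp:, rev 5 with it), and flags any resp: modifier that flexresp2 would not recognise. The modifier list beyond reset and icmp_all is assumed from the sp_respond2 readme, and the sample rule text is constructed from the thread.

```python
import re

# Constructed sample: the two rules from the thread, as they would sit in
# chat.rules and local.rules (same sid, different rev, one with resp:).
RULE_FILES = {
    "chat.rules": 'alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; sid:1631; rev:4;)',
    "local.rules": 'alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; resp:reset,icmp_all; sid:1631; rev:5;)',
}

# resp: modifiers accepted by flexresp2 (assumed from the sp_respond2 readme;
# only "reset" and "icmp_all" appear in the thread itself).
FLEXRESP2_MODIFIERS = {"reset", "reset_source", "reset_dest", "reset_both",
                       "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

# key:value; pairs inside the rule body; quoted values may contain ';'
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_rule(line):
    """Return the option dict of one Snort rule line, or None for non-rules."""
    line = line.strip()
    if not line or line.startswith("#") or "(" not in line:
        return None
    body = line[line.index("(") + 1 : line.rindex(")")]
    opts = {}
    for key, val in OPTION_RE.findall(body):
        opts[key] = val.strip().strip('"')
    return opts

def lint_rules(rule_files):
    """Report duplicate sids across files and unknown resp: modifiers."""
    findings = []
    by_sid = {}
    for fname, text in rule_files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            opts = parse_rule(line)
            if opts is None:
                continue
            sid = opts.get("sid")
            if sid is not None:
                by_sid.setdefault(sid, []).append((fname, lineno, opts.get("rev")))
            for mod in filter(None, opts.get("resp", "").split(",")):
                if mod.strip() not in FLEXRESP2_MODIFIERS:
                    findings.append(f"{fname}:{lineno} unknown resp modifier {mod!r}")
    for sid, places in by_sid.items():
        if len(places) > 1:
            where = ", ".join(f"{f}:{n} (rev {r})" for f, n, r in places)
            findings.append(f"sid {sid} defined more than once: {where}")
    return findings

if __name__ == "__main__":
    for finding in lint_rules(RULE_FILES):
        print(finding)
```

Running it on the two rules above reports only the duplicate sid, which is the first thing to check before suspecting the flexresp2 build itself.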