Re: Repost: resp:rst_all not working

[Matt Kettler <mkettler () evi-inc com>]

At 11:29 PM 3/5/2004, Venkata Raghavan wrote:
> I understand from your post that snort does send a
> reset but because both the hosts (SMTP server and
> client) are on a LAN the reset does not happen. Am I
> right.

Well, it's unlikely for a reset to work when you're on a LAN.


> But my doubt is why is it not visible in a packet
> capture in ethereal. The reset that was sent to the
> linux client from snort is visible whereas there is no
> such reset to the windows client.

Hmm.. your original post didn't make clear that no reset packet was being 
generated. I just thought you observed the connection surviving the reset 
attempt.

As a test, try removing the flow restrictions... If that fixes things for 
you, put them back, and use kill -USR1 to check snort for dropped packets 
when you try again.

Snort might be missing part of the handshake when watching your windows 
machine connect. The theory here is that the windows box might be turning 
around the syn/syn-ack/ack handshake faster than the linux box.



> Am I missing something fundamental.



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users