Snort mailing list archives
Re: Why resp and session option Dont work!?
From: Jeremy Hewlett <jh () sourcefire com>
Date: Thu, 29 Jan 2004 14:34:16 -0500
On Wed, Jan 28, soldier Mx wrote:
> alert tcp any any -> $HOME_NET 22 (msg: "Alguien se loguio por ssh checa los logs!"; session:printable;)

What is it you're expecting to catch here? SSH is encrypted, there isn't any viewable session here.

> and the other thing is, that if RESP really works ??? I have been testing it, and I can't disconnect or reset the TCP connection of some user that matched the rule..

There's always a race condition here... if your RST is received after other packets in the connection, it will be out of sync, and ignored. You might want to try FlexResp2, it's better at dealing with this. You would always run tcpdump along with Snort to see what's going on.
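
Added example, not part of the original post or of Snort's code: a small Python model of the RFC 793 rule that a receiver honours a RST only if its sequence number falls inside the current receive window, which is the race described in the reply above. The class and function names, the window size and the sequence numbers are constructed, and the model assumes the sensor builds its RST from the sequence number and length of the packet that matched the rule.

```python
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


class Receiver:
    """Minimal receive side of one established TCP connection (illustrative)."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.open = True

    def deliver(self, seq, payload_len=0, rst=False):
        if not self.open:
            return "closed"
        if not in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return "ignored"          # out of sync: segment is dropped
        if rst:
            self.open = False
            return "reset"            # in-window RST tears the connection down
        if seq == self.rcv_nxt:       # in-order data advances the window
            self.rcv_nxt = (self.rcv_nxt + payload_len) % MOD
        return "accepted"


def simulate(segments_before_rst, seg_len=100, wnd=65535):
    """Return what happens to the sensor's RST when `segments_before_rst`
    further data segments reach the receiver ahead of it."""
    trigger_seq = 4294967200          # constructed value near the wrap point
    server = Receiver(rcv_nxt=trigger_seq, rcv_wnd=wnd)
    server.deliver(trigger_seq, seg_len)       # packet that matched the rule
    rst_seq = (trigger_seq + seg_len) % MOD    # sequence the sensor puts in its RST
    nxt = rst_seq
    for _ in range(segments_before_rst):       # traffic that wins the race
        server.deliver(nxt, seg_len)
        nxt = (nxt + seg_len) % MOD
    return server.deliver(rst_seq, rst=True)


if __name__ == "__main__":
    for n in (0, 1, 3):
        print(f"{n} segment(s) ahead of the RST -> {simulate(n)}")
```

Stacks that implement RFC 5961 are stricter still: only a RST whose sequence number equals the next expected value resets the connection.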