Snort mailing list archives
Flexresp is not working
From: Dmitry <dvk99 () mail ru>
Date: Fri, 13 Feb 2004 19:12:01 +0300
Config: SuSE 8.0, Snort! 2.1.1-RC1 (Build 18), configured with the --enable-flexresp option, libnet 1.02a.

Standard CHAT rules:

1. alert tcp any any -> any any (msg:"CHAT ICQ access"; \
       content:"aim_http"; \
       nocase; resp: rst_all;)

2. alert tcp any 80 -> any any (msg:"CHAT ICQ forced user addition"; \
       flow:established,to_client; \
       content:"Content-Type\: application/x-icq"; \
       content:"[ICQ User]"; \
       reference:bugtraq,3226; \
       reference:cve,CAN-2001-1305; \
       classtype:misc-activity; \
       sid:1832; \
       rev:3; \
       resp: rst_all;)

I use ICQ through an anonymous HTTP proxy, 205.188.213.228:80, and get the following snort logs:

[**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
02/13-18:32:20.286062 192.168.1.16:2264 -> 205.188.213.228:80
TCP TTL:128 TOS:0x0 ID:7606 IpLen:20 DgmLen:337 DF
***AP*** Seq: 0x4CEBDCFB Ack: 0x37B7DFC2 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] CHAT ICQ access [**]
02/13-18:32:20.889756 205.188.213.228:80 -> 192.168.1.16:2264
TCP TTL:64 TOS:0x0 ID:5879 IpLen:20 DgmLen:376 DF
***AP*** Seq: 0x3776FFC2 Ack: 0x4CEEEB63 Win: 0x1920 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

... and so on, many, many messages. But the ICQ connection IS ALIVE and doesn't break at all.

What am I doing wrong??? Where is FLEXRESP??

WBR, Dmitry Komarov.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
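One check worth doing before blaming flexresp is to work out, from the alert record itself, what the two forged RSTs of a `rst_all` response have to look like, and then confirm with a sniffer on the Snort host that packets with those parameters actually leave the box. The script below is an added example written for this page, not code from the post or from the Snort project: it parses Snort's "full" alert format as quoted above (the two records are copied from the post and embedded as sample input) and derives, for each TCP record, the source/destination pair and sequence number each RST must carry. The only protocol fact it relies on is RFC 793's rule that a RST is honoured only when its sequence number falls inside the receiving host's window, so a forged RST has to reuse the Seq/Ack numbers seen on the wire; how Snort's own `resp` code builds its packets is not read from its source and is labelled an assumption in the code.

```python
import re
from typing import Dict, List

# Constructed sample input: the two alert records quoted in the post above,
# in Snort's "full" alert format (one record per "=+=+..." separator line).
ALERT_LOG = """\
[**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
02/13-18:32:20.286062 192.168.1.16:2264 -> 205.188.213.228:80
TCP TTL:128 TOS:0x0 ID:7606 IpLen:20 DgmLen:337 DF
***AP*** Seq: 0x4CEBDCFB Ack: 0x37B7DFC2 Win: 0xFAF0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] CHAT ICQ access [**]
02/13-18:32:20.889756 205.188.213.228:80 -> 192.168.1.16:2264
TCP TTL:64 TOS:0x0 ID:5879 IpLen:20 DgmLen:376 DF
***AP*** Seq: 0x3776FFC2 Ack: 0x4CEEEB63 Win: 0x1920 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.*?) \[\*\*\]$")
ADDR_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(
    r"^TCP TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<id>\d+) "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
TCP_RE = re.compile(
    r"^(?P<flags>[\w*]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)"
    r"\s+Win: 0x(?P<win>[0-9A-Fa-f]+)\s+TcpLen: (?P<tcplen>\d+)")
SEPARATOR_RE = re.compile(r"^(?:=\+)+=?[ \t]*$", re.M)


def parse_alerts(text: str) -> List[Dict]:
    """Parse Snort full-format TCP alert records into dicts.

    Non-TCP or malformed records are skipped rather than guessed at."""
    records = []
    for chunk in SEPARATOR_RE.split(text):
        lines = [ln.strip() for ln in chunk.strip().splitlines() if ln.strip()]
        if len(lines) < 4:
            continue
        h, a, i, t = (HEADER_RE.match(lines[0]), ADDR_RE.match(lines[1]),
                      IP_RE.match(lines[2]), TCP_RE.match(lines[3]))
        if not (h and a and i and t):
            continue
        dgmlen, iplen, tcplen = (int(i["dgmlen"]), int(i["iplen"]), int(t["tcplen"]))
        records.append({
            "msg": h["msg"], "ts": a["ts"],
            "src": a["src"], "sport": int(a["sport"]),
            "dst": a["dst"], "dport": int(a["dport"]),
            "flags": t["flags"],
            "seq": int(t["seq"], 16), "ack": int(t["ack"], 16),
            # TCP payload carried by this segment: total IP length minus both headers
            "payload_len": dgmlen - iplen - tcplen,
        })
    return records


def rst_all_params(rec: Dict) -> Dict[str, Dict]:
    """What a rst_all response to the packet in `rec` has to send.

    ASSUMPTION (not taken from Snort's source): rst_all means one RST spoofed
    from the sender towards the receiver plus one spoofed from the receiver
    back to the sender. RFC 793 only lets a host honour a RST whose sequence
    number lies in its receive window, so each RST reuses the observed numbers."""
    return {
        "rst_to_receiver": {
            "src": (rec["src"], rec["sport"]),
            "dst": (rec["dst"], rec["dport"]),
            # the receiver expects the sender's stream at Seq; Seq+payload is
            # the next byte after this segment, also inside the window
            "seq": rec["seq"],
            "seq_after_segment": (rec["seq"] + rec["payload_len"]) & 0xFFFFFFFF,
        },
        "rst_to_sender": {
            "src": (rec["dst"], rec["dport"]),
            "dst": (rec["src"], rec["sport"]),
            # the sender's next expected byte from the receiver is this packet's Ack
            "seq": rec["ack"],
        },
    }


def responses_for(text: str, msg: str) -> List[Dict[str, Dict]]:
    """RST parameters for every alert whose message matches a given rule msg."""
    return [rst_all_params(r) for r in parse_alerts(text) if r["msg"] == msg]


if __name__ == "__main__":
    for resp in responses_for(ALERT_LOG, "CHAT ICQ access"):
        for name, p in resp.items():
            print(f"{name}: {p['src']} -> {p['dst']} seq=0x{p['seq']:08X}")
```

For the "CHAT ICQ access" record above this yields a RST from 205.188.213.228:80 to 192.168.1.16:2264 with seq 0x3776FFC2 (or 0x3776FFC2 plus the 336 payload bytes) and a RST from 192.168.1.16:2264 to 205.188.213.228:80 with seq 0x4CEEEB63. Running tcpdump on the Snort host with a filter for `tcp[tcpflags] & tcp-rst != 0` and those endpoints while the alert fires tells you whether the response is being emitted at all, which separates a libnet/raw-socket problem from a RST that goes out but is ignored by the endpoints.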
Current thread:
- Flexresp is not working Dmitry (Feb 13)
- Re: Flexresp is not working Eduardo E. Silva (Feb 13)