Snort mailing list archives
Re: flexresp2 is back and needs testing
From: Jeff Nathan <jeff () snort org>
Date: Thu, 9 Sep 2004 12:03:58 -0400
On Sep 9, 2004, at 7:02 AM, Pedro Fortuna wrote:

> Jeff, it seems ok now :) I tried the rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Tentativa de aceder a FTP com user root!"; flow:to_server,established; content:"USER"; nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi"; classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)
>
> and tried to access the FTP server from a remote computer with username root. Right after typing root and hitting enter, I got this output:
>
> remoteserver.foo > ftp homenetwork.ftp.server
> Connected to homenetwork.ftp.server
> Name (homenetwork.ftp.server:foo): root
> 421 Service not available, remote server has closed connection
> Login failed.
> No control connection for command: Transport endpoint is not connected
> ftp> by
>
> I think this should be the expected result. I'll do more tests later.
>
> Best Regards,
> Pedro Fortuna
Pedro, excellent. I'm glad it worked. Anyone using active response on unix-like systems (i.e.: flexresp) should consider applying the patch I sent to the snort-users mailing list.

I believe the code will be imported to the snort CVS tree soon.

-Jeff

--
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
Part-time software mechanic, full-time daredevil!
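To see what the tested rule actually fires on before a reset_dest response is sent, here is an added example (not from the thread or from Snort itself) that emulates the rule's three payload options, content "USER" nocase, content "root" nocase with distance:1, and the pcre, over a handful of constructed FTP control-channel payloads. The sample payloads and function names are assumptions for illustration.

```python
import re

# Constructed sample FTP control-channel payloads (not captured traffic).
SAMPLES = {
    "plain": b"USER root\r\n",
    "mixed_case": b"user ROOT\r\n",
    "double_space": b"USER  root\r\n",
    "root_prefix": b"USER rootkit\r\n",
    "other_user": b"USER anonymous\r\n",
    "root_in_pass": b"PASS root\r\n",
}

def content_match(payload: bytes, pattern: bytes, start: int = 0, nocase: bool = False) -> int:
    """Emulate a Snort 'content' option: return the end offset of the first
    occurrence of pattern at or after start, or -1 if it is absent."""
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    idx = hay.find(needle, start)
    return -1 if idx < 0 else idx + len(needle)

# pcre:"/^USER\sroot/smi" -> s = DOTALL, m = MULTILINE, i = IGNORECASE
PCRE = re.compile(rb"^USER\sroot", re.DOTALL | re.MULTILINE | re.IGNORECASE)

def rule_matches(payload: bytes) -> bool:
    """Apply the payload tests of sid:1000002 in order, as Snort does:
    a later option is only evaluated when the earlier one matched."""
    end_user = content_match(payload, b"USER", nocase=True)
    if end_user < 0:
        return False
    # distance:1 -> the search for "root" begins one byte past the end of "USER"
    end_root = content_match(payload, b"root", start=end_user + 1, nocase=True)
    if end_root < 0:
        return False
    return PCRE.search(payload) is not None

def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule would alert (and reset) on it."""
    return {name: rule_matches(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:13s} -> {'alert + reset_dest' if hit else 'no match'}")
```

Note that the two content options alone would accept "USER  root" (double space) while the pcre rejects it, and that the pcre is a prefix match, so "USER rootkit" also fires and would reset an unrelated login.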