Snort mailing list archives
flexresp2 is in CVS
From: Jeff Nathan <jeff () snort org>
Date: Sat, 18 Sep 2004 18:00:22 -0400
Hi Pedro,

Yes, version 1.0.2 is in CVS. EVERYONE running a CVS version of snort with flex response should switch to flex response 2.

-Jeff

On Sep 18, 2004, at 2:48 PM, Pedro Fortuna wrote:

>> I believe the code will be imported to the snort CVS tree soon.
>
> Jeff,
>
> Is it in the snort CVS tree now? Any new version (I'm running 1.0.2)?
>
> Best Regards,
> Pedro Fortuna
>
> On Thu, 9 Sep 2004 12:03:58 -0400, Jeff Nathan <jeff () snort org> wrote:
>
>> On Sep 9, 2004, at 7:02 AM, Pedro Fortuna wrote:
>>
>>> Jeff, it seems ok now :)
>>>
>>> I tried the rule:
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Tentativa de aceder a FTP com user root!"; flow:to_server,established; content:"USER"; nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi"; classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)
>>>
>>> And tried to access FTP server from a remote computer with username root. Right after typing root and hitting enter, I got this output:
>>>
>>> remoteserver.foo > ftp homenetwork.ftp.server
>>> Connected to homenetwork.ftp.server
>>> Name (homenetwork.ftp.server:foo): root
>>> 421 Service not available, remote server has closed connection
>>> Login failed.
>>> No control connection for command: Transport endpoint is not connected
>>> ftp> by
>>>
>>> I think this should be the result expected. I'll do more tests later.
>>>
>>> Best Regards,
>>> Pedro Fortuna
>>
>> Pedro, excellent. I'm glad it worked. Anyone using active response on unix-like systems (ie: flexresp) should consider applying the patch I sent to the snort-users mailing list. I believe the code will be imported to the snort CVS tree soon.
>>
>> -Jeff
>>
>> --
>> http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
>> Part-time software mechanic, full-time daredevil!

--
The most technical single-track security conference in the West.
Vancouver B.C., Canada April, 2004
http://cansecwest.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
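Added example, not part of the original messages and not Snort's own code: a simplified Python model of the payload options in the rule quoted in the thread (content/nocase/distance plus the pcre), run over constructed FTP command payloads to see which ones would trigger `resp: reset_dest`. The `flow:` option and Snort's real detection engine are not modelled; the function names and sample payloads are assumptions made for illustration.

```python
import re

# pcre:"/^USER\sroot/smi" from the quoted rule (s=DOTALL, m=MULTILINE, i=IGNORECASE)
PCRE = re.compile(rb"^USER\sroot", re.S | re.M | re.I)


def content_end(payload: bytes, pattern: bytes, start: int = 0) -> int:
    """nocase content search from `start`; returns the end offset or -1."""
    idx = payload.lower().find(pattern.lower(), start)
    return -1 if idx < 0 else idx + len(pattern)


def contents_match(payload: bytes) -> bool:
    """content:"USER"; nocase; content:"root"; distance:1; nocase;"""
    end_user = content_end(payload, b"USER")
    if end_user < 0:
        return False
    # distance:1 -> the next search starts 1 byte past the previous match
    return content_end(payload, b"root", end_user + 1) >= 0


def rule_matches(payload: bytes) -> bool:
    """Both content options and the pcre must match for the rule to fire."""
    return contents_match(payload) and PCRE.search(payload) is not None


# Constructed sample payloads (client-to-server FTP commands)
SAMPLES = [
    b"USER root\r\n",              # the login tested in the thread
    b"user ROOT\r\n",              # nocase and /i cover case variants
    b"USER rootbeer\r\n",          # unrelated account: would also be reset
    b"USER bob\r\nCWD /root\r\n",  # contents match, pcre rejects
    b"USER alice\r\n",
    b"PASS root\r\n",
]


def triage() -> dict:
    """Map each sample to (contents_match, rule_matches)."""
    return {s: (contents_match(s), rule_matches(s)) for s in SAMPLES}


if __name__ == "__main__":
    for payload, (contents, fires) in triage().items():
        print(f"{payload!r:32} contents={contents!s:5} rule_fires={fires}")
```

The `USER rootbeer` case is worth checking before attaching an active response to a rule, since every payload that fires it gets its connection reset.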
Current thread:
- Re: flexresp2 is back and needs testing, (continued)
- Re: flexresp2 is back and needs testing Jeff Nathan (Sep 08)
- Re: flexresp2 is back and needs testing James Riden (Sep 08)
- Re: flexresp2 is back and needs testing Jeff Nathan (Sep 08)
- Re: flexresp2 is back and needs testing Pedro Fortuna (Sep 08)
- Re: flexresp2 is back and needs testing Jeff Nathan (Sep 08)
- Re: flexresp2 is back and needs testing Pedro Fortuna (Sep 08)
- Re: flexresp2 is back and needs testing Jeff Nathan (Sep 08)
- Re: flexresp2 is back and needs testing Pedro Fortuna (Sep 09)
- Re: flexresp2 is back and needs testing Jeff Nathan (Sep 09)
- Re: flexresp2 is back and needs testing Pedro Fortuna (Sep 18)
- flexresp2 is in CVS Jeff Nathan (Sep 18)