Snort mailing list archives

flexresp2 is in CVS


From: Jeff Nathan <jeff () snort org>
Date: Sat, 18 Sep 2004 18:00:22 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Pedro,

Yes, version 1.0.2 is in CVS. EVERYONE running a CVS version of snort with flex response should switch to flex response 2.

- -Jeff

On Sep 18, 2004, at 2:48 PM, Pedro Fortuna wrote:

I believe the code will be imported to the snort CVS tree soon.

Jeff,
Is it in the snort CVS tree now? Any new version (I'm running 1.0.2)?

Best Regards,
Pedro Fortuna

On Thu, 9 Sep 2004 12:03:58 -0400, Jeff Nathan <jeff () snort org> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Sep 9, 2004, at 7:02 AM, Pedro Fortuna wrote:

Jeff, it seems ok now :)

I tried the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Attempt to access FTP with user root!"; flow:to_server,established; content:"USER"; nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi"; classtype:suspicious-login; sid:1000002; rev:2; resp:reset_dest;)

And tried to access the FTP server from a remote computer with username
root. Right after typing root and hitting enter, I got this output:

remoteserver.foo > ftp homenetwork.ftp.server
Connected to homenetwork.ftp.server
Name (homenetwork.ftp.server:foo): root
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: Transport endpoint is not connected
ftp> by

I think this should be the result expected. I'll do more tests later.

Best Regards,
Pedro Fortuna

Pedro,

Excellent. I'm glad it worked. Anyone using active response on
unix-like systems (i.e. flexresp) should consider applying the patch I
sent to the snort-users mailing list.

I believe the code will be imported to the snort CVS tree soon.

- -Jeff

- --
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
Part-time software mechanic, full-time daredevil!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBQH7yEqr8+Gkj0/0RAn/FAKCjEHe460mtM0icUOl1UGwSxj83tQCfctTa
tb9i3z5jK5XRdtflcoGUHp8=
=sebz
-----END PGP SIGNATURE-----




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
The most technical single-track security conference in the West.
Vancouver B.C., Canada   April, 2004   http://cansecwest.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBTK/6Eqr8+Gkj0/0RAkFdAJ44Nku2e/vuL+LX+/feI5uW6Rh19ACdH1cf
F26KtmF4SLYY2gz+0bHHar4=
=KWVA
-----END PGP SIGNATURE-----



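Added example, not code from this thread or from Snort/flexresp2: a small Python model of the two halves of Pedro's test above, what the rule decides for a given FTP control-channel payload, and the bytes a reset_dest response has to put on the wire to close the server side the way the "421 Service not available" output shows. It approximates Snort's content/nocase/distance and pcre option semantics in plain Python (no content backtracking), reduces flow:to_server,established to "destination port 21", and assumes the reset's sequence number is the triggering segment's sequence number plus its payload length so the RST sits at the server's receive-next; that assumption is made here and is not a statement of how flexresp2 picks sequence numbers. The sample payloads and packet are constructed and use documentation address ranges.

```python
import re
import socket
import struct

# Constructed FTP control-channel payloads (client -> server); the expected
# verdicts follow the rule's content/distance/pcre options, not the FTP server.
SAMPLE_PAYLOADS = {
    b"USER root\r\n": True,
    b"user ROOT\r\n": True,       # nocase on both contents, /i on the pcre
    b"USER rooter\r\n": True,     # no word boundary in the rule: still fires
    b"USER  root\r\n": False,     # two spaces: pcre \s only matches one char
    b"USER anonymous\r\n": False,
    b"PASS root\r\n": False,      # no "USER" content at all
}

# pcre:"/^USER\sroot/smi" from the rule
RULE_PCRE = re.compile(rb"^USER\sroot", re.S | re.M | re.I)


def content_match(payload, needle, start=0, nocase=False):
    """Approximate a Snort 'content' option: first hit at or after 'start'.
    Returns the offset just past the match, or -1 (no backtracking, unlike Snort)."""
    hay = payload[start:]
    idx = hay.lower().find(needle.lower()) if nocase else hay.find(needle)
    return -1 if idx < 0 else start + idx + len(needle)


def rule_matches(payload):
    """Evaluate the payload options of the rule in the thread (sid 1000002)."""
    # content:"USER"; nocase;
    end = content_match(payload, b"USER", 0, nocase=True)
    if end < 0:
        return False
    # content:"root"; distance:1; nocase;  (search starts 1 byte past the previous match)
    if content_match(payload, b"root", end + 1, nocase=True) < 0:
        return False
    # pcre:"/^USER\sroot/smi"
    return RULE_PCRE.search(payload) is not None


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 TCP checksum over the IPv4 pseudo-header and the segment.
    Run over a segment that already carries its checksum, it returns 0."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq):
    """20-byte TCP header with only RST set, no options, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x04, 0, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def respond(pkt):
    """Return the RST that 'resp:reset_dest' would send to the *server* for a
    matching client->server segment (spoofed as coming from the client), or None.
    Sequence number = client seq + payload length, so the RST lands exactly at
    the server's receive-next; this is an assumption made in this example, not
    a description of flexresp2's own sequence-number strategy."""
    if pkt["dport"] != 21 or not rule_matches(pkt["payload"]):
        return None
    seq = (pkt["seq"] + len(pkt["payload"])) & 0xFFFFFFFF
    return build_rst(pkt["src_ip"], pkt["dst_ip"], pkt["sport"], pkt["dport"], seq)


# Constructed triggering segment (documentation address ranges, RFC 5737).
SAMPLE_PACKET = {
    "src_ip": "192.0.2.10", "dst_ip": "198.51.100.21",
    "sport": 40000, "dport": 21, "seq": 1000, "payload": b"USER root\r\n",
}

if __name__ == "__main__":
    for payload, expected in SAMPLE_PAYLOADS.items():
        print(payload, rule_matches(payload), "expected", expected)
    rst = respond(SAMPLE_PACKET)
    print(rst.hex(), "checksum ok:",
          tcp_checksum("192.0.2.10", "198.51.100.21", rst) == 0)
```

Two things the sample verdicts make visible that the rule text alone does not: "USER rooter" fires because neither the content nor the pcre anchors the end of the username, and "USER  root" (two spaces) does not, because \s in the pcre consumes exactly one character even though both contents still match. Whether a spoofed RST actually tears down the server side depends on it arriving inside the server's receive window, which is why the sequence number is derived from the triggering segment rather than chosen at random.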

