Snort mailing list archives

RE: Error on new Rule


From: "Joshua Berry" <jberry () PENSON COM>
Date: Wed, 16 Mar 2005 09:33:16 -0600

You are running flexresp, so you are probably not inline; this would be the
online section to read:
http://www.snort.org/docs/snort_htmanuals/htmanual_232/node23.html#SECTION00473000000000000000
 
This will show you how to use the resp keyword in snort rules.  The only
thing you will be able to do is send ICMP Net, Host, or Port unreachables.
This might appear to the attacker as though the actual attack failed;
however, I don't believe it will be successful in protecting from the
actual payload of the packet sent.  ICMP Port unreachable might be the
best option in this case.
 
TCP resets aren't available for UDP connections because they are two
different protocols.  ICMP Unreachables are available because they are
what is sent if the Net/Host/Port is not up, UDP relies upon this to
have some sort of notification system if the connection failed.
 
-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Snort
Sent: Wednesday, March 16, 2005 9:14 AM
To: Snort-users () lists sourceforge net
Subject: RE: [Snort-users] Error on new Rule
 
For UDP you use ICMP and TCP uses resets
 
The readme.flexresp and readme.inline might help clear a few things up,
along with the online manual
 
http://www.snort.org/docs/snort_htmanuals/htmanual_232/node7.html
 
 
Michael Brown
  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ron
Jenkins
Posted At: Wednesday, March 16, 2005 9:12 AM
Posted To: Snort
Conversation: Error on new Rule
Subject: [Snort-users] Error on new Rule
  
On the below new rule, I added the react:block for the FlexResp feature
of snort.  
 
alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search
Query"; content:"|01 02 00 14|"; offset:16; depth:4;
reference:url,www.blubster.com; reference:url,openlito.sourceforge.net;
react:block; classtype:policy-violation; sid:3459; rev:2;)
 
I get the below error:
 
ERROR: Line /etc/snort/local.rules(28): TCP Options on non-TCP rule
Fatal Error, Quitting..
 
Does FlexResp only work on TCP rules and not UDP?
 
Thanks...
 
 
Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA) 
Senior Architect 
Data Integrity, LLC 
"We Integrate People with Solutions" 
1724 Dallas Drive 
Suite 11 
Baton Rouge, La 70806 
Office. 225.927.8030 
Fax. 225.927.8033 
Cell. 225.931.1632 
Email. rjenkins () dibr net 
Web. www.dibr.net 
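A small rule linter, added here as an example and not code from the thread or from Snort, that applies what Joshua and Michael describe to Ron's rule: it flags react and resp:rst_* on a non-TCP rule (the situation behind the "TCP Options on non-TCP rule" error) and rewrites react:block into resp:icmp_port on a UDP rule. The rule grammar and the protocol check are this example's own approximation of Snort's behaviour, not Snort's parser.

```python
import re

# Snort 2.x "resp" modifiers: rst_* only make sense on TCP, icmp_* are the
# ICMP unreachables a UDP rule can send (per the flexresp docs cited above).
RESP_TCP = {"rst_snd", "rst_rcv", "rst_all"}
RESP_ICMP = {"icmp_net", "icmp_host", "icmp_port", "icmp_all"}

HEADER_RE = re.compile(  # action proto src sport dir dst dport ( options )
    r"^\s*(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$", re.S)

def split_options(body):
    # Options end at ';' outside double quotes (escaped \" is not handled).
    return [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body) if o.strip()]

def parse_rule(rule):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, body = m.groups()
    opts = [tuple(s.strip() for s in o.partition(":")[::2]) for o in split_options(body)]
    return {"action": action, "proto": proto.lower(), "options": opts}

def lint_active_response(rule):
    # Report react/resp options that cannot work on this rule's protocol.
    # This mirrors the thread's explanation, not Snort's source (assumption).
    parsed = parse_rule(rule)
    proto, problems = parsed["proto"], []
    for name, value in parsed["options"]:
        mods = {m.strip() for m in value.split(",")}
        if name == "react" and proto != "tcp":
            problems.append(f"react:{value} is a TCP option on a {proto} rule")
        elif name == "resp" and proto != "tcp" and mods & RESP_TCP:
            problems.append(f"resp:{value} would send TCP resets on a {proto} rule")
        elif name == "resp" and not mods <= RESP_TCP | RESP_ICMP:
            problems.append(f"resp:{value} has an unknown modifier")
    return problems

def udp_fix(rule):
    # Joshua's suggestion: on a UDP rule, answer with an ICMP port unreachable.
    if parse_rule(rule)["proto"] != "udp":
        return rule
    return re.sub(r"react\s*:[^;]*;", "resp:icmp_port;", rule)

# Ron's rule from the thread, joined onto one line (constructed test input).
RON_RULE = ('alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; '
            'content:"|01 02 00 14|"; offset:16; depth:4; reference:url,www.blubster.com; '
            'reference:url,openlito.sourceforge.net; react:block; classtype:policy-violation; '
            'sid:3459; rev:2;)')
```

Running `lint_active_response(RON_RULE)` reports the react option; `lint_active_response(udp_fix(RON_RULE))` is empty.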
 
