Snort mailing list archives
flexresp3: Reset with TTL of 0
From: Jim Hranicky <jfh () ufl edu>
Date: Tue, 26 Oct 2010 14:32:01 -0400
We're currently testing out flexresp3. We have a snort box in IDS mode with the following config:

eth0 : management interface
eth1 : reset interface
eth2 : sniffing interface

snort: 2.9.0/daq-0.2

From snort.conf:

config response: device eth1 attempts 10

preprocessor stream5_global: max_tcp 8192, memcap 104857600, track_tcp yes, \
                             track_udp no, max_active_responses 10, \
                             min_response_seconds 1

Our rule is like so:

alert tcp $HOME_NET any -> [XX.XX.XX.0/24] $HTTP_PORTS (msg:"UFOISC reset test"; classtype:trojan-activity; sid:9000092; resp:reset_XXXX; )

I've tried 'reset_both' and 'reset_dest'.

Preliminary tests were not seeing the resets reach the test machine that was tripping the rule. Sniffing on the reset interface, I found that the reset attempts were going out, but the TTL is 0 (see attached).

I've tried compiling with and without --enable-ipv6 but the result is the same.

Has anyone else seen this behavior? I've likely missed a step somewhere. I'll be glad to supply more info if needed.

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
Attachment: rst.txt
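The check the post is really doing by hand (tcpdump on the reset interface, look at the TTL), written out as a small script. This is an added example, not code from the post, from the attached rst.txt, or from Snort/flexresp3. It builds a raw IPv4/TCP RST the way an active-response engine would and then validates it the way you would validate frames captured on the reset interface: TTL must be non-zero (a TTL of 0 never survives a router hop), the RST flag must be set, and both the IP and TCP checksums must verify, since a bad checksum is the other common reason an injected reset is silently dropped by the target. All addresses, ports and sequence numbers are constructed sample values; the same validate_reset() function can be pointed at bytes read from a pcap of the real reset interface.

```python
"""Sanity-check TCP resets as emitted by a Snort active-response interface.

Added example (not from the original post or the Snort project). The sample
packets below are constructed; no real traffic is involved.
"""
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over data (used for IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src: str, dst: str, sport: int, dport: int, seq: int, ttl: int) -> bytes:
    """Build a minimal IPv4 packet carrying a bare TCP RST (no options, no payload)."""
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    # TCP header: 20 bytes, data offset 5, flags = RST (0x04), window 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x04, 0, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL 0x45, DF set, protocol 6 (TCP), checksum filled in after
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def validate_reset(pkt: bytes) -> list:
    """Return a list of problems with a captured reset; empty list means it looks sane."""
    problems = []
    if len(pkt) < 40:
        return ["truncated packet"]
    if pkt[0] >> 4 != 4:
        return ["not IPv4"]
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        problems.append("bad IP checksum")
    if pkt[8] == 0:
        problems.append("ttl is 0")       # the symptom reported on the reset interface
    if pkt[9] != 6:
        problems.append("not TCP")
        return problems
    tcp = pkt[ihl:]
    if not tcp[13] & 0x04:
        problems.append("RST flag not set")
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    if inet_checksum(pseudo + tcp) != 0:
        problems.append("bad TCP checksum")
    return problems


def summarize(pkt: bytes) -> str:
    """One tcpdump-style line: src:sport > dst:dport flags seq ttl."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    flags = pkt[ihl + 13]
    return "%s:%d > %s:%d flags=0x%02x seq=%d ttl=%d" % (src, sport, dst, dport, flags, seq, pkt[8])


if __name__ == "__main__":
    # Constructed samples: a reset like the one observed (TTL 0) and a healthy one.
    bad = build_rst("10.0.0.1", "10.0.0.2", 80, 40000, 12345, 0)
    good = build_rst("10.0.0.1", "10.0.0.2", 80, 40000, 12345, 64)
    for p in (bad, good):
        print(summarize(p), validate_reset(p) or "OK")
```

To run this against a real capture, read each frame from a pcap (for example with dpkt or scapy), strip the 14-byte Ethernet header, and pass the remaining bytes to validate_reset(); any reset reporting "ttl is 0" or a bad checksum would not be expected to reach, or be honoured by, the machine that tripped the rule.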
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- flexresp3: Reset with TTL of 0 Jim Hranicky (Oct 26)
- Re: flexresp3: Reset with TTL of 0 Jim Hranicky (Oct 26)
- Re: flexresp3: Reset with TTL of 0 Russ Combs (Oct 26)
- Re: flexresp3: Reset with TTL of 0 Jim Hranicky (Oct 26)