Snort tcp reset

[Daniele Gallarato <daniele.gallarato () gmail com>]

Hello.

I've installed snort version 2.9.2.2 onto an ubuntu server
(2.6.32-41-server #88-Ubuntu SMP).

I've followed this good guide:

http://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CHsQFjAB&url=http%3A%2F%2Fwww.snort.org%2Fassets%2F158%2F014-snortinstallguide292.pdf&ei=zd-jT5vCBPTa4QSl0rifCQ&usg=AFQjCNGaL8nB1vZPRodUBX6IQluwufpbFQ&sig2=FqFj5w3hOXP1NBcn3gbxoQ

All seems to work properly.

Only thing that doesn't work is flexresp3.

In an old installation (2.4.3) with old flexresp, resets work.

In this new installation, I've compiled snort with:

./configure --prefix=/usr/local/snort --enable-sourcefire
--enable-active-response --enable-flexresp3
make
make install

and written some local.rules (they work) and some reset.rules (they hit the
rule, appear in reports, but doesn't reset).

Rule is:

alert tcp <my_ip> any -> $HOME_NET 3389 (resp: rst_all; msg:"Reset Sessioni
Remote Desktop" ; sid:200004;)

I've also checked packets with wireshark, I can't see any reset.

Any help will be appreciated.

Thanks
Daniele Gallarato

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!