Snort mailing list archives
Re: Snort & Reset Connection - How to?
From: Joe McAlerney <joey () SiliconDefense com>
Date: Wed, 20 Jun 2001 11:01:24 -0700
Hello John,

First, you must configure snort with flexible response enabled.

    # ./configure --enable-flexresp

Next, add flexible response capability to the rules you wish to issue resets to.

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
        (msg:"WEB-MISC http directory traversal"; flags: A+; content: "../"; \
        reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:1; \
        resp:rst_all;)
        ^^^^^^^^^^^^^

The above example will send reset packets to both the source and destination address. Alternatively, you can send resets to either the source or the destination. See the file README.FLEXRESP for more information.

-Joe M.

--
| Joe McAlerney          joey () silicondefense com |
| Silicon Defense - Technical Support for Snort     |
| http://www.silicondefense.com/                    |
+--                                               --+

Lucie Hall wrote:
Can someone provide guidance on how to issue a reset to some detections such as the directory traversal?

Thank you,
John Hall

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
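As an added example (not part of the original message and not code from the Snort project), the following Python audit lists which rules in a rules file carry a resp option and flags any modifier outside the flexible-response set (rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all). The function names and every sample rule other than sid 1113 are constructed for illustration.

```python
import re

# Modifiers accepted by Snort's flexible-response "resp" rule option.
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all", "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

# Constructed sample rules file; only the first rule (sid 1113) comes from the message.
SAMPLE_RULES = r'''
# local.rules (constructed)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory traversal"; \
    flags: A+; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:1; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"sample; telnet"; sid:1000001; resp:rst_snd,icmp_port;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"sample ftp"; sid:1000002; resp:rst_both;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"sample smtp"; sid:1000003;)
'''

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' inside double quotes."""
    opts, buf, quoted, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(buf.strip())
            buf = ""
        else:
            buf += ch
        prev = ch
    return opts + [buf.strip()]  # keep a last option that lacks a trailing ';'

def audit_resp(rules_text):
    """Return (sid, msg, modifiers, unknown_modifiers) for each rule using resp."""
    joined = re.sub(r"\\[ \t]*\n", " ", rules_text)  # undo backslash line continuations
    findings = []
    for line in joined.splitlines():
        m = re.match(r"^[^#(][^(]*\((.*)\)\s*$", line.strip())  # skip comments and blanks
        if not m:
            continue
        opts = {}
        for opt in split_options(m.group(1)):
            key, _, val = opt.partition(":")
            opts.setdefault(key.strip(), []).append(val.strip())
        mods = [x.strip() for v in opts.get("resp", []) for x in v.split(",") if x.strip()]
        if mods:
            unknown = [x for x in mods if x not in RESP_MODIFIERS]
            findings.append((opts.get("sid", ["?"])[0], opts.get("msg", [""])[0].strip('"'), mods, unknown))
    return findings

if __name__ == "__main__":
    print(*audit_resp(SAMPLE_RULES), sep="\n")
```

A non-empty last field marks a rule whose resp modifier is misspelled, so the response the rule author intended is not the one configured.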
Current thread:
- Snort & Reset Connection - How to? Lucie Hall (Jun 20)
- Re: Snort & Reset Connection - How to? Joe McAlerney (Jun 20)