Snort mailing list archives

Re: Snort & Reset Connection - How to?


From: Joe McAlerney <joey () SiliconDefense com>
Date: Wed, 20 Jun 2001 11:01:24 -0700

Hello John,

First, you must configure snort with flexible response enabled.

# ./configure --enable-flexresp

Next, add flexible response capability to the rules you wish to issue
resets to.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory traversal"; \
    flags: A+; content: "../"; reference:arachnids,297; \
    classtype:attempted-recon; sid:1113; rev:1; resp:rst_all;)
                                                ^^^^^^^^^^^^^
The above example will send reset packets to both the source and
destination address.  Alternatively, you can send resets to either the
source or the destination.  See the file README.FLEXRESP for more
information.

-Joe M.

-- 
|   Joe McAlerney     joey () silicondefense com   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

Lucie Hall wrote:

Can someone provide guidance on how to issue a reset to some detections such
as the directory traversal?

Thank you,

John Hall

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
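
An added example, not part of the original message or of Snort itself: a small Python check that lists which rules in a rules file carry the resp option described in the reply above and flags any modifier outside the flexresp set. The helper names split_options and audit_resp and every sample rule other than sid 1113 are constructed for illustration.

```python
import re

# Modifiers accepted by the flexresp "resp" rule option.
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

def split_options(body):
    """Split a rule's option body on ';', ignoring quoted or escaped ';'."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            opts.append("".join(cur).strip())
            cur = []
        else:
            in_quote ^= (ch == '"' and not escaped)
            escaped = ch == "\\" and not escaped
            cur.append(ch)
    return [o for o in opts if o]

def audit_resp(rules_text):
    """Return (sid, msg, known_modifiers, unknown_modifiers) per rule using resp."""
    # Join backslash-continued lines so each rule is one logical line.
    text = re.sub(r"\\\r?\n", " ", rules_text)
    findings = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#") or "(" not in line or ")" not in line:
            continue
        opts = {}
        for opt in split_options(line[line.index("(") + 1:line.rindex(")")]):
            key, _, val = opt.partition(":")
            opts.setdefault(key.strip(), []).append(val.strip())
        if "resp" not in opts:
            continue
        mods = [m.strip() for v in opts["resp"] for m in v.split(",") if m.strip()]
        findings.append((opts.get("sid", ["?"])[0],
                         opts.get("msg", [""])[0].strip('"'),
                         [m for m in mods if m in RESP_MODIFIERS],
                         [m for m in mods if m not in RESP_MODIFIERS]))
    return findings

# Constructed sample rules file; only the sid 1113 rule comes from the message above.
SAMPLE = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory traversal"; \
    flags: A+; content: "../"; reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:1; resp:rst_all;)
alert tcp any any -> any 21 (msg:"constructed\; resp:rst_all appears only in msg"; sid:1000001;)
alert tcp any any -> any 23 (msg:"constructed typo"; sid:1000002; resp:rst_both;)
'''

if __name__ == "__main__":
    print(*audit_resp(SAMPLE), sep="\n")
```

The second sample rule mentions resp only inside its msg string, so it is not reported; the third is reported with rst_both listed as an unknown modifier.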
