Snort mailing list archives

Re: resp?


From: Neil Dickey <neil () geol niu edu>
Date: Tue, 15 May 2001 13:36:38 -0500 (CDT)


"Ben Johansen" <benj () intelisoft net> wrote asking:

Hi all Newbie Here.

Welcome aboard.

How do I implement the "resp"

I was trying to alter this in the webmisc lib:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt"; flags:PA; resp: rst_all; content:"scripts/../../cmd.exe"; nocase;)

Here's how I used it in a simple rule:

  alert tcp $BAD_GUY any -> $HOME_NET 515 (msg:"LP Spooler attack"; resp: rst_all; )

You might want to be a little careful with the response rules.  Depending on how
the remote machine is configured, it's possible to start up a packet storm, stuff your
log filesystems, and otherwise DOS yourself.  ( The Voice Of Experience )

By the way, in order to use the "response" capability on a unix system, it must have
been compiled-in.  If you didn't set the relevant switch when you ran 'configure,'
then it won't work.  I'm not sure how this works on other platforms.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
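As an added illustration of the caveat above (this is not code from the thread or from the Snort project), a small Python lint that parses Snort 1.x-style rules and flags `resp` rules with no narrowing `content` match, i.e. rules whose active response fires on every packet the header matches. The sample rule text and the lint heuristics are constructed for this example.

```python
import re
# Constructed sample: the first two rules mirror the ones quoted in the thread,
# the third is a deliberately over-broad response rule.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt"; flags:PA; resp: rst_all; content:"scripts/../../cmd.exe"; nocase;)
alert tcp $BAD_GUY any -> $HOME_NET 515 (msg:"LP Spooler attack"; resp: rst_all; )
alert tcp any any -> $HOME_NET any (msg:"too broad"; resp: rst_all;)
"""

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(line):
    """Split one Snort 1.x rule into header fields and an ordered option list."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    action, proto, src, sport, _, dst, dport, body = m.groups()
    opts = []
    for chunk in body.split(';'):          # options are ';'-separated
        chunk = chunk.strip()
        if chunk:
            key, _, val = chunk.partition(':')
            opts.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}

def lint_resp(rule):
    """Warnings for a rule that uses active response (resp); [] if it is fine."""
    keys = [k for k, _ in rule["opts"]]
    warnings = []
    if "resp" not in keys:
        return warnings
    if "content" not in keys:
        warnings.append("resp without a content match: resets every packet the header matches")
    if rule["src"] == "any" and rule["dport"] == "any":
        warnings.append("resp with any source and any destination port")
    return warnings

def lint_file(text):
    """Map each rule's msg to its resp warnings; blank lines and comments skipped."""
    results = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith('#'):
            rule = parse_rule(line)
            results[dict(rule["opts"]).get("msg", "?")] = lint_resp(rule)
    return results

if __name__ == "__main__":
    for msg, warns in lint_file(RULES).items():
        print(msg, "->", warns or "ok")
```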


