Snort mailing list archives
Re: resp?
From: Neil Dickey <neil () geol niu edu>
Date: Tue, 15 May 2001 13:36:38 -0500 (CDT)
"Ben Johansen" <benj () intelisoft net> wrote asking:

> Hi all, newbie here.

Welcome aboard.

> How do I implement the "resp"? I was trying to alter this in the webmisc lib:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt";flags:PA; resp: rst_all; content:"scripts/../../cmd.exe"; nocase;)

Here's how I used it in a simple rule:

alert tcp $BAD_GUY any -> $HOME_NET 515 (msg:"LP Spooler attack"; resp: rst_all; )

You might want to be a little careful with the response rules. Depending on how the remote machine is configured, it's possible to start up a packet storm, stuff your log filesystems, and otherwise DoS yourself. ( The Voice Of Experience )

By the way, in order to use the "response" capability on a unix system, it must have been compiled in. If you didn't set the relevant switch when you ran 'configure,' then it won't work. I'm not sure how this works on other platforms.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
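The caveat in the reply above (a response rule that matches too broadly can reset traffic you did not intend to touch and flood your own logs) is easy to check for before a rule goes live. The following is an added example, not code from the thread or from the Snort project: a small Python audit that parses a classic Snort rule, finds the `resp` option, and flags a rule whose response fires on the header alone (no `content`, `uricontent` or `pcre` match), as well as any modifier that is not one of the classic flexresp values. The two sample rules are the ones posted in the thread; the helper names and the warning wording are this example's own.

```python
import re

# Modifiers accepted by the classic Snort flexresp "resp" keyword.
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

# Options that inspect the payload. A resp rule with none of these
# responds to every packet that merely matches the header.
PAYLOAD_OPTIONS = {"content", "uricontent", "pcre"}

# Sample input: the two rules from the thread (Neil's bare LP spooler rule
# and Ben's cmd.exe rule), used here as test data.
NEIL_RULE = ('alert tcp $BAD_GUY any -> $HOME_NET 515 '
             '(msg:"LP Spooler attack"; resp: rst_all; )')
BEN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
            '(msg:"WEB-MISC-cmd.exe Attempt";flags:PA; resp: rst_all; '
            'content:"scripts/../../cmd.exe"; nocase;)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def split_options(text):
    """Split the option body on ';' while leaving double-quoted strings intact."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(rule):
    """Return (header dict, [(option name, option value), ...]) for one rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    header = {k: m.group(k)
              for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = []
    for item in split_options(m.group("opts")):
        name, _, value = item.partition(":")
        opts.append((name.strip(), value.strip()))
    return header, opts


def audit_resp_rule(rule):
    """Return a list of warnings about how a rule's resp option will behave."""
    header, opts = parse_rule(rule)
    names = {name for name, _ in opts}
    resp_values = [value for name, value in opts if name == "resp"]
    warnings = []
    if not resp_values:
        return warnings  # no active response, nothing to audit
    for value in resp_values:
        for mod in (x.strip() for x in value.split(",")):
            if mod not in RESP_MODIFIERS:
                warnings.append("unknown resp modifier %r" % mod)
    if not (names & PAYLOAD_OPTIONS):
        warnings.append(
            "resp fires on header match alone: every %s packet to port %s "
            "from %s gets a response" % (header["proto"], header["dport"],
                                         header["src"]))
    return warnings


if __name__ == "__main__":
    for label, rule in (("Neil", NEIL_RULE), ("Ben", BEN_RULE)):
        print(label, audit_resp_rule(rule) or ["ok"])
```

Run stand-alone it reports that the LP spooler rule answers every TCP packet to port 515 from `$BAD_GUY`, while the cmd.exe rule, gated by a `content` match, produces no warning. Whether a payload-gated rule is safe still depends on the environment the reply describes (how the remote host reacts to the resets), so the audit is a pre-deployment check, not a substitute for testing the rule in place.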
Current thread:
- resp? Ben Johansen (May 15)
- <Possible follow-ups>
- Re: resp? Neil Dickey (May 15)