Snort mailing list archives
Re: FlexResp Running (I THINK!)
From: Joe McAlerney <joey () SiliconDefense com>
Date: Thu, 30 Aug 2001 17:04:12 -0700
Mike Steele and I are going to spend some time tomorrow looking into this, and other issues with the various Win32 builds. We'll be sure to report anything that comes out of our research, and hopefully get back with some solutions.

Kind Regards,

-Joe M.

--
| Joe McAlerney joey () silicondefense com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |

Ben Johansen wrote:
OK, on WinNT 4.0 running Snort_flexresp_181 from Silicon Defense.

NOTE: I have tried ; in the vars (like readme.flexresp states), same problem.

Vars in Config file
-------------------
# just stop the offender
var RESP_TCP resp:rst_snd
# also kill a possible local counterpart
var RESP_TCP_URG resp:rst_all

Under web-iis.rules, tried
--------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP;)
- Dr. Watson

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP_URG;)
- Dr. Watson

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; resp:rst_all;)
- Dr. Watson

But when I used the React instead of the Response:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; react:block;)

No crash, and also no log entries in snort.log... I am assuming this is a good thing, and Snort is blocking the traffic.

Any comments ;)

Ben Johansen - www.pcforge.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
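The thread turns on what `$RESP_TCP` and `$RESP_TCP_URG` become once snort.conf variables are expanded, and on what `resp:rst_snd` versus `resp:rst_all` would actually inject on the wire. The following is an added example in Python, not Snort's own code and not from either poster, that models those two steps: `var` expansion into the rule's option list, then the RST segments a FlexResp-style responder would build for each modifier. The snort.conf fragment, the rule, the `192.0.2.x`/`198.51.100.x` addresses and the sample TCP segment are all constructed for the example; the sequence/acknowledgement values chosen for the RSTs are this example's assumption about what each endpoint's TCP stack will accept as in-window, not a transcript of Snort's sp_respond.c.

```python
# Added example: model of snort.conf var expansion and FlexResp 'resp' modifiers.
# Not Snort's code; field choices for the RSTs are an assumption (see lead-in).
import re
from dataclasses import dataclass

# Modifier names accepted by the Snort 1.8 'resp' keyword.
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}


def parse_vars(config_text: str) -> dict:
    """Collect 'var NAME VALUE' lines from a snort.conf fragment."""
    variables = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
    return variables


def expand_vars(rule: str, variables: dict) -> str:
    """Substitute every $NAME token; an undefined variable is a config error."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        return variables[name]
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", sub, rule)


def parse_resp(rule: str) -> set:
    """Return the resp: modifiers found in the rule's option list (empty if none)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    mods = set()
    for opt in body.split(";"):
        opt = opt.strip()          # an empty option (from ';;') is skipped here
        if opt.startswith("resp:"):
            for mod in opt[len("resp:"):].split(","):
                mod = mod.strip()
                if mod not in RESP_MODIFIERS:
                    raise ValueError(f"unknown resp modifier {mod!r}")
                mods.add(mod)
    return mods


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload_len: int


def build_resets(seg: TcpSegment, modifiers: set) -> list:
    """RST segments the responder would inject for the offending segment 'seg'.

    rst_snd targets the sender of 'seg', rst_rcv its receiver, rst_all both.
    Sequence/ack choices are this example's assumption of in-window values.
    """
    resets = []
    want_snd = "rst_snd" in modifiers or "rst_all" in modifiers
    want_rcv = "rst_rcv" in modifiers or "rst_all" in modifiers
    if want_snd:
        # Spoofed from the victim back to the sender: seq is the sender's own
        # ACK (what it expects next from the victim), ack covers its payload.
        resets.append({"target": "sender", "src": seg.dst, "sport": seg.dport,
                       "dst": seg.src, "dport": seg.sport,
                       "seq": seg.ack, "ack": seg.seq + seg.payload_len,
                       "flags": "RA"})
    if want_rcv:
        # Spoofed from the sender to the victim: seq continues the sender's
        # stream just past the offending payload so the victim accepts it.
        resets.append({"target": "receiver", "src": seg.src, "sport": seg.sport,
                       "dst": seg.dst, "dport": seg.dport,
                       "seq": seg.seq + seg.payload_len, "ack": seg.ack,
                       "flags": "RA"})
    return resets


# Constructed snort.conf fragment (mirrors the vars quoted in the thread).
CONFIG = """\
var EXTERNAL_NET any
var HTTP_SERVERS 192.0.2.10
# just stop the offender
var RESP_TCP resp:rst_snd
# also kill a possible local counterpart
var RESP_TCP_URG resp:rst_all
"""

# Constructed rule line using the $RESP_TCP_URG variable as an option.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; '
        'flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; '
        'rev:1; $RESP_TCP_URG;)')

# Constructed offending segment: 60 payload bytes from a client to the web server.
SAMPLE = TcpSegment(src="198.51.100.7", sport=40123, dst="192.0.2.10", dport=80,
                    seq=1000, ack=5000, payload_len=60)


def respond(rule: str = RULE, config: str = CONFIG, seg: TcpSegment = SAMPLE):
    """Expand the rule, read its resp modifiers and build the resulting RSTs."""
    expanded = expand_vars(rule, parse_vars(config))
    return expanded, build_resets(seg, parse_resp(expanded))


if __name__ == "__main__":
    expanded_rule, rsts = respond()
    print(expanded_rule)
    for rst in rsts:
        print(rst)
```

With the vars written as in the quoted message (no trailing `;`), the rule's own `$RESP_TCP;` supplies the terminator and the option list expands cleanly to `resp:rst_snd;`. If the var itself also carries a `;`, as readme.flexresp is said to suggest, the rule line should then omit its own, otherwise the expanded option list contains an empty option from the doubled `;;`; the parser above skips such empties, which is a choice of this example rather than a statement about Snort 1.8's parser.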
Current thread:
- FlexResp Running (I THINK!) Ben Johansen (Aug 30)
- Re: FlexResp Running (I THINK!) Joe McAlerney (Aug 30)
- Re: FlexResp Running (I THINK!) Ben Johansen (Aug 30)
- Re: FlexResp Running (I THINK!) Skip Carter (Aug 30)
- <Possible follow-ups>
- RE: FlexResp Running (I THINK!) Burleson, Lee (IA) (Aug 31)
- RE: FlexResp Running (I THINK!) Michael Davis (Aug 31)
- RE: FlexResp Running (I THINk!) Ben Johansen (Aug 31)
- Re: FlexResp Running (I THINK!) Joe McAlerney (Aug 30)