Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FlexResp Running (I THINK!)

From: Skip Carter <skip () taygeta com>
Date: Thu, 30 Aug 2001 19:06:52 -0700


on winnt 4.0 running running Snort_flexresp_181 from silicon defense.

NOTE: I have tried ; in the vars (like readme.flexresp states) same problem

Vars in Config file
-----------------
# just stop the offender
var RESP_TCP resp:rst_snd

# also kill a possible local counterpart
var RESP_TCP_URG resp:rst_all

under web-iis.rules tried
-------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
sid:1002; rev:1; $RESP_TCP;)
- Dr. Watson

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
sid:1002; rev:1; $RESP_TCP_URG;)
- Dr. Watson

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
sid:1002; rev:1; resp:rst_all;)
- Dr. Watson

But when I used the React instead of the Response

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
sid:1002; rev:1; react:block;)

No Crash, and also no log entries in snort.log...
I am assuming this is a good thing, and snort is blocking the trafic

Any comments ;)





  I have snort 1.8.1 running with flexresp on Linux and OpenBSD.

  I get the same behavior that you describe happening for NT,
  RESP works but REACT does not.  When I tested them by setting up
  a rule that I could trigger myself, the REACT rule just made
  snort mute but it did not stop my connection, so it does not
  appear to work.










-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    UUCP:     ...!uunet!taygeta!skip
 Monterey, CA. 93940            WWW: http://www.taygeta.com/skip.html












_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: