Snort mailing list archives
Re: FlexResp Running (I THINK!)
From: Skip Carter <skip () taygeta com>
Date: Thu, 30 Aug 2001 19:06:52 -0700
> On WinNT 4.0 running Snort_flexresp_181 from Silicon Defense.
> NOTE: I have tried ; in the vars (like readme.flexresp states), same problem.
>
> Vars in config file
> -----------------
> # just stop the offender
> var RESP_TCP resp:rst_snd
> # also kill a possible local counterpart
> var RESP_TCP_URG resp:rst_all
>
> Under web-iis.rules tried
> -------------------------
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP;)
> - Dr. Watson
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP_URG;)
> - Dr. Watson
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; resp:rst_all;)
> - Dr. Watson
>
> But when I used the react instead of the response:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; react:block;)
>
> No crash, and also no log entries in snort.log...
> I am assuming this is a good thing, and snort is blocking the traffic.
> Any comments ;)
I have snort 1.8.1 running with flexresp on Linux and OpenBSD. I get the same behavior that you describe happening for NT: RESP works but REACT does not. When I tested them by setting up a rule that I could trigger myself, the REACT rule just made snort mute, but it did not stop my connection, so it does not appear to work.

--
Dr. Everett (Skip) Carter          Phone: 831-641-0645
Taygeta Scientific Inc.            FAX: 831-641-0647
1340 Munras Ave., Suite 314        INTERNET: skip () taygeta com
Monterey, CA. 93940                UUCP: ...!uunet!taygeta!skip
                                   WWW: http://www.taygeta.com/skip.html

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
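The thread turns on which active-response option each rule actually carries and whether its modifier is one FlexResp understands. The following Python script is an added example, not code from either poster or from the Snort project: it parses the option body of Snort 1.8-style rules (splitting on `;` while respecting quoted `content:` strings), pulls out any `resp:` or `react:` option, and checks the modifier names against the set README.flexresp documents for the 1.8 FlexResp patch (`rst_snd`, `rst_rcv`, `rst_all`, `icmp_net`, `icmp_host`, `icmp_port`, `icmp_all` for `resp`; `block`, `warn`, `msg`, `proxy <port>` for `react`). A `$VAR` token sitting in option position, as in Ben's first two rules, is reported as something the parser does not recognise as an option keyword; the script makes no claim about how Snort itself expands it. The sample input is constructed: the four rules from Ben's post plus one made-up rule (sid 1000001, chosen for the example) with a misspelled modifier.

```python
"""Audit Snort 1.8-style rules for FlexResp active-response options.

Added example for the thread above; not code from the posters or from
the Snort project. Run it over a rules file before enabling FlexResp to
see which rules would send TCP resets / ICMP unreachables (resp) or
HTML blocks (react), and whether their modifiers are spelled correctly.
"""
import re

# Modifier names documented in README.flexresp for the Snort 1.8 FlexResp patch.
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
REACT_MODIFIERS = {"block", "warn", "msg", "proxy"}   # 'proxy <port>' takes an argument

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

# Constructed sample input: the four rules from Ben's post plus one rule
# (sid 1000001, made up for this example) with a misspelled resp modifier.
SAMPLE_RULES = r'''
# rules as posted in the thread
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP_URG;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; react:block;)
# constructed: typo in the modifier name
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"TEST bad resp modifier"; content:"cmd.exe"; nocase; sid:1000001; rev:1; resp:rst_both;)
'''


def split_options(body):
    """Split an option body on ';' but keep quoted strings intact.

    content:"a;b" must stay one option, so quote state is tracked by hand
    instead of using str.split. (Backslash-escaped quotes are not handled.)
    """
    options, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                options.append(tok)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        options.append(tail)
    return options


def parse_rule(line):
    """Return (header fields, [(keyword, value-or-None), ...]); None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("unparseable rule: %s" % line)
    opts = []
    for opt in split_options(m.group("opts")):
        key, sep, val = opt.partition(":")
        opts.append((key.strip(), val.strip() if sep else None))
    return m.groupdict(), opts


def check_response(opts):
    """Find the rule's resp:/react: option and validate its modifiers.

    Returns (kind, modifiers, problems) where kind is 'resp', 'react' or None.
    """
    kind, mods, problems = None, [], []
    for key, val in opts:
        if key.startswith("$"):
            problems.append("variable reference %s in option position "
                            "(not an option keyword this parser knows)" % key)
        elif key in ("resp", "react"):
            if kind is not None:
                problems.append("more than one active-response option")
            kind = key
            mods = [m.strip() for m in (val or "").split(",") if m.strip()]
            allowed = RESP_MODIFIERS if key == "resp" else REACT_MODIFIERS
            for mod in mods:
                if mod.split()[0] not in allowed:      # 'proxy 8000' -> 'proxy'
                    problems.append("unknown %s modifier %r" % (key, mod))
            if not mods:
                problems.append("%s option has no modifier" % key)
    return kind, mods, problems


def audit(rules_text):
    """Return one report dict per rule in rules_text."""
    report = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _header, opts = parsed
        optmap = dict(opts)                  # last occurrence wins; fine for sid/msg
        kind, mods, problems = check_response(opts)
        report.append({"sid": optmap.get("sid"),
                       "msg": (optmap.get("msg") or "").strip('"'),
                       "response": kind, "modifiers": mods, "problems": problems})
    return report


if __name__ == "__main__":
    for r in audit(SAMPLE_RULES):
        status = "OK" if not r["problems"] else "CHECK"
        print("sid %-8s %-6s %-10s %-5s %s" % (r["sid"], r["response"] or "-",
              ",".join(r["modifiers"]) or "-", status, "; ".join(r["problems"])))
```

Point it at a real rules file with `audit(open("web-iis.rules").read())`; any rule that comes back with `response` set and an empty `problems` list is one that will actively interfere with a connection once FlexResp is compiled in, so that is the list to review before deployment.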
Current thread:
- FlexResp Running (I THINK!) Ben Johansen (Aug 30)
- Re: FlexResp Running (I THINK!) Joe McAlerney (Aug 30)
- Re: FlexResp Running (I THINK!) Ben Johansen (Aug 30)
- Re: FlexResp Running (I THINK!) Skip Carter (Aug 30)
- <Possible follow-ups>
- RE: FlexResp Running (I THINK!) Burleson, Lee (IA) (Aug 31)
- RE: FlexResp Running (I THINK!) Michael Davis (Aug 31)
- RE: FlexResp Running (I THINk!) Ben Johansen (Aug 31)
- Re: FlexResp Running (I THINK!) Joe McAlerney (Aug 30)