Snort mailing list archives
RE: FlexResp Running (I THINK!)
From: "Burleson, Lee (IA)" <Lee.Burleson () ia ngb army mil>
Date: Fri, 31 Aug 2001 09:03:22 -0500
In Snort 1.7 under Win32, no function that sent packets worked. The error for me and others was "packet: send_packet failed". Supposedly the cause was WinPCap; the issue was never fully resolved in my mind. I'm wondering if this problem's roots are the same.

- Lee
-----Original Message-----
From: Ben Johansen [mailto:benj () intelisoft net]
Sent: Thursday, August 30, 2001 18:04
To: Snort-Users
Subject: [Snort-users] FlexResp Running (I THINK!)

OK on winnt 4.0 running Snort_flexresp_181 from silicon defense.

NOTE: I have tried ; in the vars (like readme.flexresp states) same problem

Vars in Config file
-----------------
# just stop the offender
var RESP_TCP resp:rst_snd
# also kill a possible local counterpart
var RESP_TCP_URG resp:rst_all

under web-iis.rules tried
-------------------------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP;) - Dr. Watson

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP_URG;) - Dr. Watson

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; resp:rst_all;) - Dr. Watson

But when I used the React instead of the Response

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; react:block;)

No Crash, and also no log entries in snort.log...
I am assuming this is a good thing, and snort is blocking the traffic

Any comments ;)

Ben Johansen - www.pcforge.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users