Snort mailing list archives

flexresp


From: Ramin Alidousti <ramin () cannon eng us uu net>
Date: Mon, 10 Sep 2001 14:55:52 -0400

Hi IDS gurus,

I'm still having problems with flexresp. It simply seems not
to be working.

I've one simple rule:

alert tcp $EXTERNAL_NET any -> $TEST_HOST 22 (msg:"KILL SESSION";flags: S; resp:rst_all;)


I run snort in foreground. And when I try to ssh to TEST_HOST
I get the following and my ssh session is not being reset:

*) Critical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: 
libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: 
libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: 
libnet_write_ip

I also tried other response packets, e.g., icmp_port, this one generates:

*) Critical: SendICMP_UNREACH: libnet_write_ip

Does this "Critical" mean something? Is there something wrong
I do/forgot? I just downloaded:

- cvs snort
- Libnet-1.0.2a

to no avail.

Thanks for the help.

Ramin

