Snort mailing list archives

flexible response broken?


From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Sun, 4 Nov 2001 11:36:41 -0500

I've been playing around with snort-1.8.2 and flexible response does not 
seem to be working. I have both versions of snort configured with the 
following options:

./configure --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-flexresp --with-mysql --with-openssl

I have the following rule as my test rule:

pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; 
content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)

This should "silently" kill any incoming requests for cmd.exe. When 
testing the rule with snort-1.8.1 I get the following:

[root@scanner src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
--11:37:19--  http://xxx.xxx.xxx.xxx/cmd.exe
           => `cmd.exe'
Connecting to xxx.xxx.xxx.xxx:80... connected!
HTTP request sent, awaiting response... 
Read error (Connection reset by peer) in headers.
Retrying.

The "Connection reset by peer" indicates that the connection was 
correctly terminated. When testing with snort-1.8.2, I get the following:

[root@scanner src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
--11:41:15--  http://xxx.xxx.xxx.xxx/cmd.exe
           => `cmd.exe'
Connecting to xxx.xxx.xxx.xxx:80... connected!
HTTP request sent, awaiting response... 404 Not Found
11:41:15 ERROR 404: Not Found.

Even though there's a "404: Not Found", the connection was completed 
successfully. Any idea why it seems to be working in snort-1.8.1 and not 
snort-1.8.2?

Thanks,
Nate

-- 
Nathan W. Labadie       | ab0781 () wayne edu   
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.5626 fax
C&IT Security Office: http://security.wayne.edu


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
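An added example, not part of the original post or of the Snort project: a small Python probe that automates the wget check above and classifies what the TCP session did after the `cmd.exe` request was sent, so a working active response ("Connection reset by peer") can be told apart from a normal server reply ("404 Not Found") in a script rather than by eye. A constructed local server stands in for the target so the probe runs offline; it makes no assumptions about how `$RESP_TCP` expands in snort.conf.

```python
"""Probe whether an IDS active response (e.g. Snort flexresp) actually
tears down a TCP session, or whether the server's reply still arrives.
Added example; not code from the original post or from Snort itself."""
import socket
import struct
import threading

# Constructed request that matches the rule's content:"cmd.exe" trigger.
REQUEST = b"GET /cmd.exe HTTP/1.0\r\nHost: target\r\n\r\n"


def probe(host, port, timeout=5.0):
    """Send REQUEST and report what happened to the session.

    Returns one of:
      "reset"                    peer sent RST before any reply reached us
                                 (what a working resp rule should cause)
      "responded:<status line>"  server answered normally; no reset seen first
      "closed"                   orderly FIN with no data
      "timeout"                  nothing happened within `timeout` seconds
    """
    s = socket.create_connection((host, port), timeout=timeout)
    data = b""
    try:
        s.sendall(REQUEST)
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    except (ConnectionResetError, BrokenPipeError):
        # ECONNRESET / EPIPE: an RST reached this host. This is the condition
        # wget reports as "Connection reset by peer". If a reply was already
        # read before the RST, the request effectively succeeded, so say so.
        if data:
            return "responded:" + _status_line(data) + " (reset afterwards)"
        return "reset"
    except socket.timeout:
        return "timeout"
    finally:
        s.close()
    if data:
        return "responded:" + _status_line(data)
    return "closed"


def _status_line(data):
    return data.split(b"\r\n", 1)[0].decode("latin-1")


def start_fake_server(mode):
    """Constructed stand-in for the target web server (serves one connection).

    mode "rst": emulate a session torn down by an injected RST by closing
                with SO_LINGER=0, which makes the kernel send RST, not FIN.
    mode "404": answer normally, as the server did in the snort-1.8.2 run.
    Returns the TCP port it is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5.0)
        try:
            conn.recv(4096)  # consume the request
            if mode == "rst":
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))
            else:
                conn.sendall(b"HTTP/1.0 404 Not Found\r\n"
                             b"Content-Length: 0\r\n\r\n")
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for mode in ("rst", "404"):
        port = start_fake_server(mode)
        print(f"{mode}: {probe('127.0.0.1', port)}")
```

Against a real target, point `probe()` at the web server and run it once with Snort stopped and once with it running; only the "reset" outcome shows the response packets are actually being injected. Keep in mind that flexresp races the real server: on a fast link the 404 can already be on the wire before the injected RST arrives, so a "responded ... (reset afterwards)" result points at timing rather than at the rule never firing, while a plain "responded" with no reset at all means no RST reached the client.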