Snort mailing list archives
Re: flexible response broken?
From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Sun, 4 Nov 2001 12:09:55 -0500
Forgot to mention this in the original email: this is on a Linux box (Mandrake 8.0) with all the necessary libraries installed. I've tried this with both the rpm and compiled from source, with the same results.

On Sun, Nov 04, 2001 at 11:36:41AM -0500, Nathan W. Labadie wrote:
> I've been playing around with snort-1.8.2 and flexible response does not seem to be working. I have both versions of snort configured with the following options:
>
>   ./configure --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-flexresp --with-mysql --with-openssl
>
> I have the following rule as my test rule:
>
>   pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)
>
> This should "silently" kill any incoming requests for cmd.exe. When testing the rule with snort-1.8.1 I get the following:
>
>   [root@scanner src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
>   --11:37:19--  http://xxx.xxx.xxx.xxx/cmd.exe
>              => `cmd.exe'
>   Connecting to xxx.xxx.xxx.xxx:80... connected!
>   HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
>   Retrying.
>
> The "Connection reset by peer" indicates that the connection was correctly terminated. When testing with snort-1.8.2, I get the following:
>
>   [root@scanner src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
>   --11:41:15--  http://xxx.xxx.xxx.xxx/cmd.exe
>              => `cmd.exe'
>   Connecting to xxx.xxx.xxx.xxx:80... connected!
>   HTTP request sent, awaiting response... 404 Not Found
>   11:41:15 ERROR 404: Not Found.
>
> Even though there's a "404: Not Found", the connection was completed successfully. Any idea why it seems to be working in snort-1.8.1 and not snort-1.8.2?
>
> Thanks,
> Nate
>
> --
> Nathan W. Labadie | ab0781 () wayne edu
> Sr. Security Specialist | 313/577.2126
> Wayne State University | 313/577.5626 fax
> C&IT Security Office: http://security.wayne.edu