Snort mailing list archives

Re: flexible response broken?


From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Sun, 4 Nov 2001 12:09:55 -0500

Forgot to mention this in the original email:

This is on a Linux box (Mandrake 8.0) with all the necessary libraries
installed. I've tried this with both the rpm and compiled from source with
the same results.

On Sun, Nov 04, 2001 at 11:36:41AM -0500, Nathan W. Labadie wrote:
I've been playing around with snort-1.8.2 and flexible response does not 
seem to be working. I have both versions of snort configured with the 
following options:

./configure --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-flexresp --with-mysql --with-openssl

I have the following rule as my test rule:

pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)

This should "silently" kill any incoming requests for cmd.exe. When 
testing the rule with snort-1.8.1 I get the following:

[root@scanner src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
--11:37:19--  http://xxx.xxx.xxx.xxx/cmd.exe
           => `cmd.exe'
Connecting to xxx.xxx.xxx.xxx:80... connected!
HTTP request sent, awaiting response... 
Read error (Connection reset by peer) in headers.
Retrying.

The "Connection reset by peer" indicates that the connection was 
correctly terminated. When testing with snort-1.8.2, I get the following:

[root@scanner src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
--11:41:15--  http://xxx.xxx.xxx.xxx/cmd.exe
           => `cmd.exe'
Connecting to xxx.xxx.xxx.xxx:80... connected!
HTTP request sent, awaiting response... 404 Not Found
11:41:15 ERROR 404: Not Found.

Even though there's a "404: Not Found", the connection was completed 
successfully. Any idea why it seems to be working in snort-1.8.1 and not 
snort-1.8.2?

Thanks,
Nate

-- 
Nathan W. Labadie       | ab0781 () wayne edu 
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.5626 fax
C&IT Security Office: http://security.wayne.edu


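As an added illustration, not code from the post or from Snort itself: a small Python parser for rules like the test rule above. It joins the mail-wrapped lines, expands snort.conf-style variables and reports which flexresp mode the rule asks for, so a rule can be sanity-checked before blaming the engine. The variable values in VARS, including `$RESP_TCP` expanding to `resp:rst_all`, are assumptions; the post does not show how they were defined.

```python
import re

# Constructed snort.conf-style variables, assumed for this example; the post
# does not show how $INSIDE or $RESP_TCP were actually defined.
VARS = {"EXTERNAL_NET": "any", "INSIDE": "10.0.0.0/24", "RESP_TCP": "resp:rst_all"}
# Response modes accepted by the flexresp 'resp' keyword in Snort 1.8.
RESP_MODES = {"rst_snd", "rst_rcv", "rst_all",
              "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

# The test rule from the post, as it arrived (wrapped by the mail client).
RULE = """pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+;
content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)"""

def expand_vars(text, variables=VARS):
    """Replace $NAME with its snort.conf value; unknown names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), text)

def split_options(body):
    """Split the option body on ';' but never inside double quotes (msg/content)."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def parse_rule(rule):
    """Parse one (possibly line-wrapped) Snort rule into header fields and options."""
    text = expand_vars(" ".join(line.strip() for line in rule.splitlines()))
    m = HEADER.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        options.append((key.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}

def flexresp_mode(parsed):
    """Return the resp mode the rule requests, or None if there is no valid resp option."""
    modes = [v for k, v in parsed["options"] if k == "resp"]
    return modes[0] if modes and modes[0] in RESP_MODES else None
```

`parse_rule(RULE)` yields a `pass` rule on port 80 whose `flexresp_mode` is `rst_all`; a rule with no `resp` option, or an unknown mode, reports `None`.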


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users