Snort mailing list archives

flexresp in snort (openbsd 3.0)


From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Fri, 21 Dec 2001 19:30:03 -0600

Hi everyone,

Just to let you know guys, my resp command works now. It's quite cool. I
just don't know if it misses some traffic.
How do we know, btw, if our snort misses some traffic?

Here is what I did:
I created scripts/root.exe on my apache.
I tried a GET request of /scripts/root.exe to my apache web server and
below is what I got.

Isn't it cool!?! :-)

19:07:36.221195 0:d0:b7:83:61:fe 0:60:8:13:40:39 ip 60:
65.192.117.72.www > 12-248-255-47.client.attbi.com.47289: . ack 26 win
17520 (DF)
19:07:36.340668 0:80:5f:15:b8:dc 0:d0:b7:83:61:fe ip 54:
12-248-255-47.client.attbi.com.47289 > 65.192.117.72.www: R 1:1(0) ack
26 win 0
19:07:36.340742 0:80:5f:15:b8:dc 0:d0:b7:83:61:fe ip 54:
12-248-255-47.client.attbi.com.47289 > 65.192.117.72.www: R 1:1(0) ack
26 win 0

So, my question now is, will snort support tearing down of
connections (i.e. TCP reset) on a stealth interface? Don't tell me that
it supports it. RESP doesn't do anything at all if your interface
doesn't have an IP address. Someone on the mailing list told me that
it's possible but I would just like to correct that it's not working.

Anyways, I usually download some scripts before at "hack co za" to test
my servers but that site won't be up anymore. Do you guys know of any
other sites that do have programs/utilities/scripts that I can
download other than packetstorm or securityfocus?

Now, my next experiment will be spade.

How does spade benefit us other than how we normally configure snort?

Thanks everyone for the help.

Neil
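The tcpdump -e output above shows the tell-tale sign that flexresp fired: the two RST segments claim to come from the client's IP address, but the Ethernet source of those frames (0:80:5f:15:b8:dc) is not the MAC the client is otherwise reached at on this segment (0:60:8:13:40:39), so they were built by the sensor, not sent by the client. The following script is an added example, not code from the post or from the Snort project; it parses tcpdump -e lines in the format shown in the mail (re-joined onto one line each, since the mail client wrapped them) and flags RSTs whose frame source MAC does not match the MAC associated with the claimed IP sender. It assumes a flat Ethernet segment where each host (or its gateway) is consistently reached at one MAC.

```python
import re

# Constructed sample input: the three tcpdump -e lines quoted in the post,
# each re-joined onto a single line (the mail client had wrapped them).
SAMPLE = """\
19:07:36.221195 0:d0:b7:83:61:fe 0:60:8:13:40:39 ip 60: 65.192.117.72.www > 12-248-255-47.client.attbi.com.47289: . ack 26 win 17520 (DF)
19:07:36.340668 0:80:5f:15:b8:dc 0:d0:b7:83:61:fe ip 54: 12-248-255-47.client.attbi.com.47289 > 65.192.117.72.www: R 1:1(0) ack 26 win 0
19:07:36.340742 0:80:5f:15:b8:dc 0:d0:b7:83:61:fe ip 54: 12-248-255-47.client.attbi.com.47289 > 65.192.117.72.www: R 1:1(0) ack 26 win 0
"""

# tcpdump -e (Ethernet header) line: time srcmac dstmac ip len: src.port > dst.port: flags ...
# Assumed format, matching the lines in the post; MACs are printed without leading zeros.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) ip \d+: "
    r"(?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): (?P<flags>[A-Z.]+)"
)


def parse(text):
    """Parse tcpdump -e output into a list of dicts; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts


def find_injected_resets(text):
    """Return RST segments whose Ethernet source MAC is not one the claimed IP
    sender is otherwise associated with.

    A host's frames normally come from one MAC, and frames addressed to it are
    delivered to one MAC (the host itself, or its gateway on this segment).
    A flexresp-generated RST is built by the sensor, so it carries the sensor's
    MAC together with the spoofed IP address of the connection endpoint."""
    pkts = parse(text)
    # MAC(s) each IP host is legitimately associated with: the frame destination
    # others use to reach it, plus its own source MAC on non-RST traffic.
    known = {}
    for p in pkts:
        known.setdefault(p["dst"], set()).add(p["dmac"])
        if "R" not in p["flags"]:
            known.setdefault(p["src"], set()).add(p["smac"])

    findings = []
    for p in pkts:
        if "R" not in p["flags"]:
            continue
        expected = known.get(p["src"], set())
        if expected and p["smac"] not in expected:
            findings.append({
                "ts": p["ts"],
                "claimed_src": p["src"],
                "frame_smac": p["smac"],
                "expected_macs": sorted(expected),
            })
    return findings


if __name__ == "__main__":
    for f in find_injected_resets(SAMPLE):
        print(f"{f['ts']} RST claiming to be from {f['claimed_src']} "
              f"sent from MAC {f['frame_smac']} (expected {f['expected_macs']})")
```

Run against the sample, both RSTs are flagged as sensor-injected. The same check is useful the other way round when tuning a sensor: if a rule with resp fires but no RST with the sensor's MAC shows up on the wire, the reset was never sent, which is the situation described for an interface with no IP address.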

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
