Snort mailing list archives
Re: Flexresp
From: Phil Wood <cpw () lanl gov>
Date: Mon, 8 Apr 2002 14:05:45 -0600
FTP was just a stab in the dark. You could use just about any tcp service. How about discard or chargen. Just remember you have to write your own rule on this. And the service you pick has to be up and accessible from the test client. Snort doesn't do it for you.

Try and run "netstat -an" and see what services you have available for the test. I happen to have discard running on my machine.

    % netstat -a | grep discard
    tcp        0      0 *:discard        *:*        LISTEN
    udp        0      0 *:discard        *:*

Looks like if I set up a long discard from somewhere else:

    nc someserver discard < /dev/zero

and someserver is running the discard service, I got myself a winner.

I'd try a rule like:

    alert tcp any any -> someserver 9 (msg: "Killing discardd"; resp: rst_snd;)

But, I might be wrong.

On Mon, Apr 08, 2002 at 11:49:57AM -0700, Alwin Raymundo wrote:
> Hi Phil,
>
> Thanks for responding so quick. I appreciate it. Is there anyway or services that I can test aside from FTP because I don't allow ftp services in all my linux box because you know "security".
>
> Thanks
>
> --- Phil Wood <cpw () lanl gov> wrote:
> > Well,
> >
> > You could enable an ftp server on your snort box.
> > Set up your flexresp rules to include the address of your snort box.
> > Start your snort running.
> > Call your friends and ask them to pull down files from your snort box.
> > Ask your friends to let you know how it went.
> >
> > Later,
> >
> > On Mon, Apr 08, 2002 at 10:50:24AM -0700, Alwin Raymundo wrote:
> > > Hi Guys,
> > >
> > > I need your HELP!, I just recently recompiled my snort with-mysql and flexresp. Now my question is how do I know that flexresp is working, where do I look? that indicates the flexresp is working. I use the resp:rst_all; in some of snort rules.
> > >
> > > Your quick response is highly appreciated.
> > >
> > > Thanks in Advance.
> > >
> > > =====
> > > Alwin Raymundo
> >
> > --
> > Phil Wood, cpw () lanl gov
>
> =====
> Alwin Raymundo
--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
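
The test described in this message, seen from the client side, as an added example that is not part of the original thread: stream data at a TCP service and report whether the connection was reset, which is what a sender should observe when a resp: rst_snd rule fires. The names probe() and discard_stand_in() are hypothetical, and the loopback server is a constructed stand-in that simulates the reset so the script runs offline; for a real test, point probe() at the host running the discard service.

```python
import socket, struct, threading, time

def discard_stand_in(reset_after=None):
    """Constructed loopback stand-in for a discard service (assumption, not Snort).
    If reset_after is set, abort with a TCP RST once that many bytes arrived,
    simulating what the sender sees when a resp: rst_snd rule fires."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        seen = 0
        while True:
            data = conn.recv(65536)
            if not data:
                break
            seen += len(data)
            if reset_after is not None and seen >= reset_after:
                # SO_LINGER with a zero timeout makes close() send RST, not FIN
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))
                break
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def probe(host, port, seconds=2.0, chunk=4096):
    """Stream zero bytes at host:port, like `nc host discard < /dev/zero`.
    Returns ("reset", bytes_sent) if the connection is torn down under us,
    or ("open", bytes_sent) if it survives the whole test window."""
    sent = 0
    with socket.create_connection((host, port), timeout=5) as s:
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            try:
                s.sendall(b"\0" * chunk)
            except (ConnectionResetError, BrokenPipeError):
                return ("reset", sent)
            sent += chunk
            time.sleep(0.01)
    return ("open", sent)

if __name__ == "__main__":
    print(probe("127.0.0.1", discard_stand_in(reset_after=64 * 1024)))
    print(probe("127.0.0.1", discard_stand_in()))
```

An "open" result against a host covered by the rule means no reset reached the sender during the test window.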