Snort mailing list archives

Re: Snort+flexresp


From: Jeff Nathan <jeff () snort org>
Date: Mon, 01 Apr 2002 14:55:43 -0800

Onie Camara wrote:

Hi Jeff,

Here is the dump of snort's successful tearing of my ftp session:

http://restricted.dyndns.org/tcpdump1.txt

And I tried it again, same workstation but this time, snort didn't do
anything.

http://restricted.dyndns.org/tcpdump2.txt

But if I am going to stop and start snort again, it will successfully RESET
my connection.

Here is my rule in local.rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP Anonymous";resp: rst_all; flags: A+; content:"anonymous"; nocase;)

Thanks.

Neil

Thanks for the packet dumps.  Could you instead store them in pcap
format?

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
