Snort mailing list archives

Re: Flexresp problem


From: "Tudor Panaitescu" <tpanaitescu () colorcon com>
Date: Sat, 20 Apr 2002 12:24:56 -0400



I have noticed something else. If the source address is in $HOME_NET then I get
the alert and the resets (icmp_all) are sent; otherwise I get only the alert and
no resets are sent. I thought it was supposed to be the other way around.... I
enabled debugging but no info at all about this issue showed up in the logs.

Any thoughts, folks?

Thanks,
Tudor








Alwin Raymundo <alrayworld () yahoo com> on 04/20/2002 10:15:57 AM

To:      Tudor Panaitescu/ColorconUS@ColorconUS, Erek Adams <erek () theadamsfamily net>
cc:      snort-users () lists sourceforge net
Subject: Re: [Snort-users] Flexresp problem






Hi everybody,

I experienced the same thing last week when I
compiled my snort with mysql and flexresp.

Some of our office mates use FrontPage for web
editing, but our server is RH6.0.

They edit some of our website from their respective homes
and there was no problem, but when I compiled
snort (1.8.6) with mysql and flexresp last week, all their
connections were reset; the message in the log is
"reset by peer".

The sad thing is that I did not apply the resp rule in
my *.rules.

Is this a bug or something?

Can anyone explain it to us, for educational purposes
only?

Thanks in Advance.




--- Tudor Panaitescu <tpanaitescu () colorcon com> wrote:



OK. Used my workstation, "pure" RH7.2, all the updates from RH installed,
libnet-1.0.2a-1snort, libpcap-0.6.2-9, snort compiled locally, no aliases on any
interface, apache-fp-1.3.22-6, same set of rules as on the production boxes, no
resp in any of the rules ... and .... the same problem. Connections matching the
rules are reset (icmp_all in the alerts log) even if there's no resp in the rule
.... Does it make any sense? Is anybody else having the same problem?

Thank you and all the best,
Tudor









Erek Adams <erek () theadamsfamily net> on 04/15/2002 07:29:30 PM

To:      Tudor Panaitescu/ColorconUS@ColorconUS
cc:      snort-users () lists sourceforge net
Subject: Re: [Snort-users] Flexresp problem


On Mon, 15 Apr 2002, Tudor Panaitescu wrote:

Nope, no changes. This is what makes it goofier .... Another thing: I have
another sensor running in front of the firewall (no IP), RH7.1 upgraded to
RH7.2, same config, same packages, same ruleset ... that one works fine.
Could it be because of the aliases I have on eth0?

Could be.  I'd try removing them and see what happens.

Any other thoughts?

It _really_ sounds like something special in just your config.  I don't think
there's anything that would cause this to happen in RH, but...  You never
know. :-)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
Alwin Raymundo
