Snort mailing list archives

Flex Response on Win32


From: "Beech, Martin" <Martin.Beech () POLK CO UK>
Date: Tue, 16 Jul 2002 12:58:00 +0100

Hi there,

New to snort. Trying to get it to kill connections under certain conditions
and getting no joy. I'm using:

SNORT Version 1.8.7beta5-ODBC-FlexRESP-WIN32 (Build 128)
LIBNETNT.DLL (binary 1.0.2c) Downloaded from securitybugware.org today
WPCAP 2.3
W2K SP2

I've tried the various libnetnt.dll's around, including the one with the
distribution of Snort I installed. These either GPF'd or "PacketSendPacket
fail"ed on me. The one I'm using from securitybugware does not produce
errors, but it does not kill the connections either. The rule I'm testing
under is 

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flags:A+; content:"RETR"; nocase; content:"passwd"; resp: rst_all,icmp_all; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:4;)

Am I doing something dumb - does the LIBNETNT.DLL need installing in some
way, rather than just copying to the snort directory?

Thanks in advance,

Martin

