Snort mailing list archives

Re: Why resp and session option Dont work!?


From: Jeremy Hewlett <jh () sourcefire com>
Date: Thu, 29 Jan 2004 14:34:16 -0500

On Wed, Jan 28, soldier Mx wrote:
> alert tcp any any -> $HOME_NET 22 (msg: "Alguien se loguio por ssh checa los logs!"; session:printable;)

What is it you're expecting to catch here? SSH is encrypted, there
isn't any viewable session here.

> and the other thing is, that if RESP really works ???
> I have been testing it, and I can't disconnect or reset
> the TCP connection of some user that matched the rule..

There's always a race condition here... if your RST is received after
other packets in the connection, it will be out of sync, and ignored.
You might want to try FlexResp2, it's better at dealing with this. You
would always run tcpdump along with Snort to see what's going on.
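
The race described in the reply above, as an added Python model that is not part of the original thread or of Snort's code: it shows why a sensor-generated RST whose sequence number was computed from an already-superseded packet is dropped. It assumes the classic RFC 793 in-window acceptance rule (stacks following RFC 5961 are stricter and accept only an exact match); the `Receiver` class, `race` function and `FLOW` sample data are constructed for illustration.

```python
# Added illustration (not from the original thread): RFC 793 RST acceptance model.
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class Receiver:
    rcv_nxt: int   # next sequence number the endpoint expects
    rcv_wnd: int   # advertised receive window, in bytes

    def deliver(self, seq: int, length: int) -> None:
        """Accept an in-order data segment and advance RCV.NXT."""
        if seq == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + length) % MOD

    def rst_accepted(self, seq: int) -> bool:
        """RFC 793: a RST is honoured only if its seq lies in the receive window."""
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd


def race(segments, sniffed_index, arrived_before_rst, wnd=8192):
    """Model the sensor/endpoint race.

    The sensor sniffs segments[sniffed_index] and builds a RST whose seq is
    that segment's seq + length. arrived_before_rst is how many segments the
    receiver has already processed when the RST reaches it.
    Returns (rst_seq, accepted).
    """
    rx = Receiver(rcv_nxt=segments[0][0], rcv_wnd=wnd)
    seq, length = segments[sniffed_index]
    rst_seq = (seq + length) % MOD
    for s, l in segments[:arrived_before_rst]:
        rx.deliver(s, l)
    return rst_seq, rx.rst_accepted(rst_seq)


# Constructed sample flow: (sequence number, payload length) per data segment.
FLOW = [(1000, 100), (1100, 200), (1300, 50), (1350, 400)]

if __name__ == "__main__":
    for arrived in (1, 2, 4):
        rst_seq, ok = race(FLOW, sniffed_index=0, arrived_before_rst=arrived)
        verdict = "connection reset" if ok else "RST ignored (stale seq)"
        print(f"segments delivered before RST: {arrived}  RST seq={rst_seq}  {verdict}")
```

In a tcpdump capture taken alongside the sensor, the failing case shows up as a RST whose sequence number is lower than the most recent ACK number sent by the receiving host.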





