Re: Flexresp is not working

["Eduardo E. Silva" <esilva () silvex com>]

ttp://www.snort.org/docs/snort_manual/node16.html#SECTION00374100000000000000

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map
attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; 
classtype:network-scan; sid:1638; rev:4; react: block, msg; )

Only block and warn work. I just installed it myself and will see if it
works.

Dmitry said:
> Config:
> SuSE 8.0,
> Snort! 2.1.1-RC1 (Build 18), configured with --enable-flexresp option,
> libnet - 1.02a.
>
>
> Standart CHAT rules:
> 1.
> alert tcp any any -> any any (msg:"CHAT ICQ access"; \
> content:"aim_http"; \
> nocase; resp: rst_all;)
>
>
> 2.
> alert tcp any 80 -> any any (msg:"CHAT ICQ forced user addition"; \
> flow:established,to_client; \
> content:"Content-Type\: application/x-icq"; \
> content:"[ICQ User]"; \
> reference:bugtraq,3226; \
> reference:cve,CAN-2001-1305; \
> classtype:misc-activity; \
> sid:1832; \
> rev:3; \
> resp: rst_all;)
>
>
>
> I use ICQ with anonymous HHTP proxy, 205.188.213.228:80
> and get next snort's logs:
>
> [**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
> 02/13-18:32:20.286062 192.168.1.16:2264 -> 205.188.213.228:80
> TCP TTL:128 TOS:0x0 ID:7606 IpLen:20 DgmLen:337 DF
> ***AP*** Seq: 0x4CEBDCFB  Ack: 0x37B7DFC2  Win: 0xFAF0  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> [**] CHAT ICQ access [**]
> 02/13-18:32:20.889756 205.188.213.228:80 -> 192.168.1.16:2264
> TCP TTL:64 TOS:0x0 ID:5879 IpLen:20 DgmLen:376 DF
> ***AP*** Seq: 0x3776FFC2  Ack: 0x4CEEEB63  Win: 0x1920  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> ... and so on many-many messages.
>
> But ICQ connection IS ALIVE and don't break at all.
> What i'm wrong??? Where is FLEXRESP??
>
>
> WBR, Dmitry Komarov.
>
>
>
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Thanks,

Ed Silva
Silvex Consulting Inc.
esilva () silvex com
(714) 504-6870 Cell
(714) 897-3800 Fax



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users