Re: flexresp2 is back and needs testing

[Pedro Fortuna <pedro.fortuna () gmail com>]

Jeff, it seems ok now :)

I tried the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Tentativa de aceder
a FTP com user root!"; flow:to_server,established; content:"USER";
nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi";
classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)

And tried to access FTP server from a remote computer with username
root. Right after typing root and hitting enter, I go this output:

remoteserver.foo > ftp homenetwork.ftp.server
Connected to homenetwork.ftp.server
Name (homenetwork.ftp.server:foo): root
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: Transport endpoint is not connected
ftp> by

I think this should be the result expected. I'll do more tests later.

Best Regards,
Pedro Fortuna

On Thu, 9 Sep 2004 01:01:35 -0400, Jeff Nathan <jeff () snort org> wrote:
> Erg..
>
> Sorry about that.  Try the attached patch (version 1.0.2) instead, OK?
>
> -Jeff
>
>
>
>
> On Sep 8, 2004, at 8:58 PM, Pedro Fortuna wrote:
>
> > Jeff, I did, I used the sp_respond2.diff.gz you sent today directly to
> > my (other) mail box (pfeito_at_netcabo.pt) and to other 6 or 7 guys.
> >
> > I'm going to repeat the process as I type this e-mail:
> >
> > Installation (you can see filesize and confirm that it is version
> > 1.0.1):
> > -rw-r--r--  1 root root  16414 Sep  9 02:55 sp_respond2.diff.gz
> >
> > # gzip -d sp_respond2.diff.gz
> >
> > -rw-r--r--  1 root root  66323 Sep  9 02:55 sp_respond2.diff
> >
> > # patch ?p0 < sp_respond2.diff
> > patching file configure.in
> > patching file doc/Makefile.am
> > patching file doc/README.FLEXRESP2
> > patching file src/parser.c
> > patching file src/plugbase.c
> > patching file src/snort.h
> > patching file src/detection-plugins/Makefile.am
> > patching file src/detection-plugins/sp_react.c
> > patching file src/detection-plugins/sp_react.h
> > patching file src/detection-plugins/sp_respond.c
> > patching file src/detection-plugins/sp_respond.h
> > patching file src/detection-plugins/sp_respond2.c
> > patching file src/detection-plugins/sp_respond2.h
> >
> > # aclocal
> > # autoheader
> > # automake
> > # autoconf
> >
> > # ./configure --with-mysql=/usr/local/mysql --enable-flexresp2
> > # make
> > # make install
> > # /etc/init.d/snort start
> > # grep "sp_respond" /var/log/messages
> > Sep  9 03:08:29 paco snort: FATAL ERROR: sp_respond2: Unable to
> > allocate hash table memory.
> >
> > And Snort stops running.
> > I didnt saw this problem on the previous version that you sent me 2 or
> > 3 weeks ago.
> >
> > Any clues?
> >
> > Best Regards,
> > Pedro Fortuna
>
> --
> The original EZ-bake packet oven.
> http://nemesis.sourceforge.net


-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM. 
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users