Snort mailing list archives

flexresp?


From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Thu, 16 Dec 2004 18:29:11 -0500

Hi all,

I just updated to the latest Snort (2.3.0RC2) and compiled it with the
flexresp option. It compiled fine and accepts and understands "resp"
rules; however, during testing I have created rules using "resp: rst_all"
and they don't work. I see my test criteria is found in the alert logs
but it does not appear to reset the session. This used to work for me in
the past.

Afterward I noticed my sniffing interface did not have an IP assigned,
so I assigned one and did the test again. That still did not help.

I'd like to mess around with sending TCP RSTs when a rule is triggered
or some other way of killing a session when a rule is met. Is Flexresp
the option I should be using or are there better features now? Just
wondering if I should be spending time on flexresp or looking at
something better.

I looked at the new "inline" features but not sure if this is an
alternative?

Thanks