Snort mailing list archives
flexresp?
From: "Sheahan, Paul" <Paul.Sheahan () priceline com>
Date: Thu, 16 Dec 2004 18:29:11 -0500
Hi all,

I just updated to the latest Snort (2.3.0RC2) and compiled it with the flexresp option. It compiled fine and accepts and understands "resp" rules, however during testing I have created rules using "resp: rst_all" and they don't work. I see my test criteria is found in the alert logs but it does not appear to reset the session. This used to work for me in the past. Afterward I noticed my sniffing interface did not have an IP assigned, so I assigned one and did the test again. That still did not help.

I'd like to mess around with sending TCP RSTs when a rule is triggered or some other way of killing a session when a rule is met. Is Flexresp the option I should be using or are there better features now? Just wondering if I should be spending time on flexresp or looking at something better. I looked at the new "inline" features but not sure if this is an alternative?

Thanks