Snort mailing list archives

RE: Error on new Rule


From: "Ron Jenkins" <rjenkins () dibr net>
Date: Wed, 16 Mar 2005 08:33:00 -0600

Does Snort's FlexResp have an option to work with UDP?

Thanks...

-----Original Message-----
From: Joel Esler [mailto:eslerj () gmail com] 
Sent: Wednesday, March 16, 2005 8:35 AM
To: Ron Jenkins
Subject: Re: [Snort-users] Error on new Rule

Ron,

Flexresp works by sending a RST 'flagged' packet in the middle of a 
conversation to abruptly terminate a conversation in the middle of it.  
(If you need more explanation I will be glad to help.) Since UDP does 
not have packet flags, this is impossible.


Joel Esler
BASE Project Lead
http://secureideas.sourceforge.net


On Mar 16, 2005, at 09:12, Ron Jenkins wrote:

On the below new rule, I added the react:block for the FlexResp 
feature of snort. 

  

alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito 
Search Query"; content:"|01 02 00 14|"; offset:16; depth:4; 
reference:url,www.blubster.com; 
reference:url,openlito.sourceforge.net; react:block; 
classtype:policy-violation; sid:3459; rev:2;)

 

I get the below error:

ERROR: Line /etc/snort/local.rules(28): TCP Options on non-TCP rule

Fatal Error, Quitting..

Does FlexResp only work on TCP rules and not UDP?

Thanks...

 

 

Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA)
 Senior Architect
Data Integrity, LLC
 "We Integrate People with Solutions"
1724 Dallas Drive
 Suite 11
Baton Rouge, La 70806
 Office. 225.927.8030
 Fax. 225.927.8033
 Cell. 225.931.1632
 Email. rjenkins () dibr net
 Web. www.dibr.net
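
A pre-flight check for the failure in this thread, as an added example that is not part of the original messages or of Snort itself: it scans a rules file for `react` on a rule whose protocol is not TCP, the combination that produced the "TCP Options on non-TCP rule" error above. The names `lint`, `OPTION`, `HEADER` and `TCP_ONLY_OPTIONS`, and the last two sample rules, are assumptions made for illustration.

```python
import re

# Assumption: only `react` is listed as TCP-only, because it is the option the
# error in this thread was raised for. Extend the set to match your Snort build.
TCP_ONLY_OPTIONS = {"react"}
# action, protocol, src addr, src port, direction, dst addr, dst port, (options)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)$")
# One option = a run of plain characters, backslash escapes and whole "quoted
# strings", so a ';' inside msg:"..." does not end the option.
OPTION = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')


def lint(text):
    """Return (first_line, protocol, option) per TCP-only option on a non-TCP rule."""
    findings, buf, start = [], [], 0
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not buf and (not line or line.startswith("#")):
            continue                      # blank line or comment between rules
        if not buf:
            start = no                    # remember where this rule begins
        buf.append(line)
        if not line.endswith(")"):
            continue                      # wrapped rule continues on the next line
        m = HEADER.match(" ".join(buf))
        buf = []
        if not m or m.group(2).lower() == "tcp":
            continue                      # unparsed header or TCP rule: nothing to flag
        for opt in OPTION.findall(m.group(3)):
            name = opt.split(":", 1)[0].strip()
            if name in TCP_ONLY_OPTIONS:
                findings.append((start, m.group(2).lower(), name))
    return findings


# Sample input: the rule from the thread, wrapped as in the e-mail, followed by
# two constructed rules (TCP with react, and UDP with "react" only inside msg).
SAMPLE = r'''alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito
Search Query"; content:"|01 02 00 14|"; offset:16; depth:4;
reference:url,www.blubster.com;
reference:url,openlito.sourceforge.net; react:block;
classtype:policy-violation; sid:3459; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed tcp rule"; react:block; sid:1000001;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"constructed; react:block is text"; sid:1000002;)
'''

if __name__ == "__main__":
    for line_no, proto, opt in lint(SAMPLE):
        print(f"line {line_no}: '{opt}' is TCP-only but the rule is {proto}")
```

Only the first sample rule is reported; the line number is where the rule starts, which may differ from the line Snort names when a rule is wrapped.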

  


