Snort mailing list archives
RE: Error on new Rule
From: "Kendall Risselada" <krisselada () farm9 com>
Date: Wed, 16 Mar 2005 06:43:05 -0800
As UDP protocol is stateless, I don't know how this would be implemented.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ron Jenkins
Sent: Wednesday, March 16, 2005 6:33 AM
To: Joel Esler
Cc: snort-users
Subject: RE: [Snort-users] Error on new Rule

Does Snort's FlexResp have an option to work with UDP?

Thanks...

-----Original Message-----
From: Joel Esler [mailto:eslerj () gmail com]
Sent: Wednesday, March 16, 2005 8:35 AM
To: Ron Jenkins
Subject: Re: [Snort-users] Error on new Rule

Ron,

Flexresp works by sending a RST 'flagged' packet in the middle of a conversation to abruptly terminate a conversation in the middle of it. (If you need more explanation I will be glad to help.) Since UDP does not have packet flags, this is impossible.

Joel Esler
BASE Project Lead
http://secureideas.sourceforge.net

On Mar 16, 2005, at 09:12, Ron Jenkins wrote:

On the below new rule, I added the react:block for the FlexResp feature of Snort.

alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; content:"|01 02 00 14|"; offset:16; depth:4; reference:url,www.blubster.com; reference:url,openlito.sourceforge.net; react:block; classtype:policy-violation; sid:3459; rev:2;)

I get the below error:

ERROR: Line /etc/snort/local.rules(28): TCP Options on non-TCP rule
Fatal Error, Quitting..

Does FlexResp only work on TCP rules and not UDP?

Thanks...

Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA)
Senior Architect
Data Integrity, LLC
"We Integrate People with Solutions"
1724 Dallas Drive Suite 11
Baton Rouge, La 70806
Office. 225.927.8030
Fax. 225.927.8033
Cell. 225.931.1632
Email. rjenkins () dibr net
Web. www.dibr.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
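Added example, not part of the original thread and not Snort's own code: a small Python pre-check that finds the condition behind the "TCP Options on non-TCP rule" error before Snort loads a rules file. The TCP_ONLY set and all function names are assumptions for illustration; `react` is in the set because the thread's error shows it rejected on a UDP rule, and the sample rule is the one from the thread with its reference options left out.

```python
import re

# Assumption for this example: options treated as TCP-only. `react` is taken
# from the error in the thread; flags/seq/ack/window test TCP header fields.
TCP_ONLY = {"react", "flags", "seq", "ack", "window"}
# action, protocol, addresses/ports, then the parenthesised option body
RULE_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+[^()]*\((.*)\)\s*$", re.S)

def split_options(body):
    """Split the option body on ';', ignoring ';' inside quotes or escaped."""
    opts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    opts.append("".join(buf).strip())
    return [o for o in opts if o]

def tcp_only_violations(rule):
    """Return TCP-only option names used by a rule whose protocol is not TCP."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a parseable rule: %r" % rule[:40])
    proto, body = m.group(2), m.group(3)
    if proto.lower() == "tcp":
        return []
    names = (o.split(":", 1)[0].strip().lower() for o in split_options(body))
    return [n for n in names if n in TCP_ONLY]

def lint_rules(text):
    """Yield (line_number, option) per violation; one rule per line assumed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if RULE_RE.match(line):  # skips comments, blanks, var/include lines
            for opt in tcp_only_violations(line):
                yield lineno, opt

# The rule from the thread (reference options omitted for brevity).
THREAD_RULE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search '
    'Query"; content:"|01 02 00 14|"; offset:16; depth:4; react:block; '
    'classtype:policy-violation; sid:3459; rev:2;)')
```

Running `list(lint_rules(open("local.rules").read()))` gives the line numbers to fix; rules continued across lines with a backslash are not handled.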