Snort mailing list archives

Re: Confirming flexresponse


From: Joel Esler <joel.esler () sourcefire com>
Date: Tue, 1 May 2007 12:21:21 -0400

A thought that springs to mind is to watch the traffic on an interface that can see the RST packets and test it.  You 
should see the RST packet if you just watch the traffic itself.

j


On Tue, May 01, 2007 at 10:09:47AM -0400, it looks like Cesar Diaz sent me:
   I compiled snort with flexresponse enabled and added "resp:rst_all" to a
   few P2P rules.  I still see alerts on those rules in BASE, but I assume
   that after it is detected, the RST packet is sent and the connection
   dropped.

   Is there a way to confirm that the response is taking place, and then if
   it worked or not?

   Thanks in advance for your help,

   Cesar



   Cesar Diaz
   Network Security Engineer
   Knowledge Management
   Chemonics International
   P 202.955.3300
   www.chemonics.com



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




+---------------------------------------------------------------------+
Joel Esler                                          Security Consultant
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
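One way to carry out the check Joel describes, as an added example that is not from the original thread or from Snort itself: capture on an interface that actually sees the injected packets (tcpdump with the filter the script builds), then correlate the RSTs against the alerted flow. Because rst_all resets both ends of the connection, the response is only confirmed when an RST shows up in each direction shortly after the alert; the Pkt/Alert records, the time window and the capture below are constructed sample data, not real Snort or tcpdump output.

```python
from collections import namedtuple

# Constructed record shapes: a captured TCP segment (as tcpdump -tt -nn shows it)
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")   # flags: "S", "P.", "R." ...
Alert = namedtuple("Alert", "ts src sport dst dport")     # flow the resp rule fired on

def bpf_for_flow(a):
    """BPF filter for tcpdump that isolates RST segments on the alerted flow."""
    return (f"tcp[tcpflags] & tcp-rst != 0 and host {a.src} and host {a.dst}"
            f" and port {a.sport} and port {a.dport}")

def rst_directions(a, pkts, window=2.0):
    """Directions ('src->dst', 'dst->src') that carried an RST within `window` s."""
    fwd = (a.src, a.sport, a.dst, a.dport)
    rev = (a.dst, a.dport, a.src, a.sport)
    seen = set()
    for p in pkts:
        if "R" not in p.flags or not (a.ts <= p.ts <= a.ts + window):
            continue          # not an RST, or not close enough to the alert
        key = (p.src, p.sport, p.dst, p.dport)
        if key == fwd:
            seen.add("src->dst")
        elif key == rev:
            seen.add("dst->src")
    return seen

def response_confirmed(a, pkts, window=2.0):
    """rst_all resets both ends, so require an RST in each direction."""
    return rst_directions(a, pkts, window) == {"src->dst", "dst->src"}

# Constructed sample capture: the first flow got both RSTs, the second only one.
GOOD = Alert(100.0, "10.0.0.5", 4662, "198.51.100.7", 6881)
HALF = Alert(200.0, "10.0.0.9", 33001, "198.51.100.8", 6881)
CAPTURE = [
    Pkt(100.00, "10.0.0.5", 4662, "198.51.100.7", 6881, "P."),
    Pkt(100.03, "10.0.0.5", 4662, "198.51.100.7", 6881, "R."),
    Pkt(100.03, "198.51.100.7", 6881, "10.0.0.5", 4662, "R."),
    Pkt(200.00, "10.0.0.9", 33001, "198.51.100.8", 6881, "P."),
    Pkt(200.04, "198.51.100.8", 6881, "10.0.0.9", 33001, "R."),
    Pkt(205.00, "10.0.0.9", 33001, "198.51.100.8", 6881, "R."),  # outside window
]

if __name__ == "__main__":
    for a in (GOOD, HALF):
        state = "confirmed" if response_confirmed(a, CAPTURE) else "NOT confirmed"
        print(bpf_for_flow(a), "->", state)
```

If only one direction ever shows up, check which interface Snort is injecting on; a sensor on a span port may send the RSTs out a different NIC than the one you are capturing.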
