Snort mailing list archives

not work flexresponse


From: bear <go_kuma3_go () yahoo co jp>
Date: Thu, 19 May 2011 15:23:44 +0900 (JST)

Hi! I'm using snort-2.9.0.5.

I compiled and installed this Snort.
However, the reset transmission, which is the function of Flexresponse, doesn't work.

Please tell me any idea.

Reading is a light. I am waiting for a reply.

configure:
./configure --prefix=/opt/snort \
            --enable-dynamicplugin \
            --enable-reload \
            --enable-reload-error-restart \
            --enable-zlib \
            --enable-perfprofiling \
            --enable-normalizer \
            --enable-static-daq \
            --enable-ipv6 \
            --enable-gre \
            --enable-mpls \
            --enable-targetbased \
            --enable-build-dynamic-examples \
            --enable-decoder-preprocessor-rules \
            --enable-ppm \
            --enable-react \
            --enable-active-response \
            --enable-flexresp3 \
            --with-libpcap-includes=/opt/libpcap/include \
            --with-libpcap-libraries=/opt/libpcap/lib \
            --with-mysql \
            --with-mysql-includes=/opt/mysql/include \
            --with-mysql-libraries=/opt/mysql/lib \
            --with-daq-includes=/opt/daq/include \
            --with-daq-libraries=/opt/daq/lib

Snort start command:
./snort -DMHIdepsxy --daq pcap --daq-mode passive --daq-dir /opt/daq/lib -t /opt/snort -u snort -g snort -c /opt/snor /etc/snort.conf -l /opt/snort/logs

Test Rule Into local.rules:
# $Id: local.rules,v 1.13 2005/02/10 01:11:04 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ATTACK-RESPONSES Relay Block!"; flow:established; content:!"rcpt to: root () mydomain com"; distance:0; resp: rst_all; classtype:bad-unknown; sid:10000; rev:1;)

Test Telnet console output: 
220 mail.mydomain.com ESMTP Postfix
HELO yahoo
250 mail.mydomain.com
mail from: root () nothing-domain com
250 2.1.0 Ok
rcpt to: root () nothing-domain net
554 5.7.1 <root () aaa jp>: Relay access denied

DAQ support module list:
./snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v4): live inline multi
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
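Added example, written for this archive page and not code from the poster or from the Snort project: a small Python checker that parses the `snort --daq-list` output and the Snort command line quoted above, then reports what the chosen DAQ module and mode mean for a rule that uses `resp:`. The two facts it relies on are that a DAQ module only advertises the capabilities listed on its `--daq-list` line (so `--daq-mode inline` needs a module that lists `inline`), and that in passive mode Snort cannot drop the offending packet, so a `resp:` reset is injected through the DAQ rather than blocking the session. The sample inputs are constructed from the post; the `-c` path is a placeholder, and the combined-flag handling for `-Q` is an assumption about how such a checker would be written, not Snort's own option parser.

```python
"""Check what a Snort DAQ selection implies for active response (resp:) rules.
Added example; inputs below are constructed from the mailing-list post."""
import re
import shlex

# Constructed sample: the module list pasted in the post.
DAQ_LIST = """Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v4): live inline multi
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
"""

# Constructed sample: the start command from the post, with a placeholder config path.
SNORT_CMD = ("./snort -DMHIdepsxy --daq pcap --daq-mode passive --daq-dir /opt/daq/lib "
             "-t /opt/snort -u snort -g snort -c /path/to/snort.conf -l /opt/snort/logs")

# Constructed sample: the poster's test rule (address obfuscated as in the archive).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ATTACK-RESPONSES Relay Block!"; '
        'flow:established; content:!"rcpt to: root () mydomain com"; distance:0; '
        'resp: rst_all; classtype:bad-unknown; sid:10000; rev:1;)')


def parse_daq_list(text):
    """Map module name -> {'version': int, 'caps': set of capability words}."""
    modules = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\(v(\d+)\):\s*(.*)$", line.strip())
        if m:
            modules[m.group(1)] = {"version": int(m.group(2)),
                                   "caps": set(m.group(3).split())}
    return modules


def parse_snort_cmd(cmd):
    """Pull the DAQ-related options out of a snort command line."""
    argv = shlex.split(cmd)
    opts = {"daq": "pcap", "daq_mode": None, "inline_flag": False, "iface": None}
    i = 0
    while i < len(argv):
        a = argv[i]
        if a == "--daq" and i + 1 < len(argv):
            opts["daq"] = argv[i + 1]
            i += 1
        elif a == "--daq-mode" and i + 1 < len(argv):
            opts["daq_mode"] = argv[i + 1]
            i += 1
        elif a == "-i" and i + 1 < len(argv):
            opts["iface"] = argv[i + 1]
            i += 1
        elif a.startswith("-") and not a.startswith("--") and "Q" in a[1:]:
            # Assumption: -Q may be bundled with other short flags (e.g. -DQ).
            opts["inline_flag"] = True
        i += 1
    return opts


def rule_resp_arg(rule):
    """Return the argument of a resp: option in a rule, or None if absent."""
    m = re.search(r"\bresp:\s*([^;]+);", rule)
    return m.group(1).strip() if m else None


def check_active_response(daq_list_text, cmd, rule=None):
    """Combine the three inputs into a list of human-readable findings."""
    modules = parse_daq_list(daq_list_text)
    opts = parse_snort_cmd(cmd)
    name = opts["daq"]
    result = {"daq": name, "mode": None, "caps": set(), "findings": []}
    if name not in modules:
        result["findings"].append(f"DAQ module '{name}' is not in the --daq-list output")
        return result
    caps = modules[name]["caps"]
    mode = opts["daq_mode"] or ("inline" if opts["inline_flag"] else "passive")
    result.update(mode=mode, caps=caps)
    if mode == "inline" and "inline" not in caps:
        result["findings"].append(f"{name} does not advertise 'inline'; --daq-mode inline cannot work")
    if mode == "passive":
        result["findings"].append(f"{name} in passive mode: resp: can only inject a reset through "
                                  "the DAQ, it cannot drop the packet that matched")
        if opts["iface"] is None:
            result["findings"].append("no -i interface given; Snort will pick a default capture "
                                      "interface, so confirm that is where responses must go")
    if rule is not None and rule_resp_arg(rule) is None:
        result["findings"].append("rule has no resp: option, so no reset will ever be sent")
    return result


if __name__ == "__main__":
    for f in check_active_response(DAQ_LIST, SNORT_CMD, RULE)["findings"]:
        print("-", f)
```

Running it against the constructed inputs reports that the pcap module is being used in passive mode, which is exactly the situation where a reset must be injected rather than the session being blocked, and that no capture interface was named on the command line; both are the first things to verify before looking at the rule itself.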
