[Snort-users] flexresp2 not working in snort 2.0.2

Snort forum (System Security and Security Related), archived from the Snort-users mailing list

10-01-2003
Nerijus Krukauskas

Hi,

I've patched freshly extracted snort-2.0.2.tar.gz with
sp_respond2.diff.gz according to instructions found in
sp_respond2.readme. Then I built snort with "./configure
--enable-linux-smp-stats --enable-flexresp2
--with-oracle=/home/oracle". Installed it (with "make install").

Then in snort.conf added:
--CUT--
# flexresp2 section
config flexresp2_interface: eth1
config flexresp2_attempts: 5
--CUT--

In local.rules replicated the rule from chat.rules:
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login";
flow:to_server,established; content:"|2a 01|"; offset:0; depth:2;
classtype:policy-violation; sid:1631; rev:4;)

And modified it as follows:
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login";
flow:to_server,established; content:"|2a 01|"; offset:0; depth:2;
classtype:policy-violation; resp:reset,icmp_all; sid:1631; rev:5;)

Started snort and tried AOL Instant Messenger. So far so good,
snort alerted me about my AIM login, but (WHOOPS!) did not send any
resets or icmp messages (I watched for them in parallel with tcpdump).
Then I tried the same rule with "resp:reset" and "resp:icmp_all" alone
with the same result -- flexresp2 did not send any packets.

Is there some conflict between the (almost) identical rules in
chat.rules and local.rules, or am I doing something wrong?

--
NK @ Vilnius
nk.tinkle.lt

Finagle's fourth Law: Once a job is fouled up, anything done to
improve it only makes it worse.
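The post above describes a flexresp2 setup in two pieces: the `config flexresp2_*` lines in snort.conf and a rule in local.rules that repeats a chat.rules rule with `resp:` added and the same sid. The script below is an added example, not code from the post or from the Snort project: it parses single-line Snort 2.x rules from constructed copies of the two files, reports any sid loaded from more than one file (the overlap the poster asks about), collects the `config flexresp2_*` lines from a constructed snort.conf fragment, and lists every rule that carries `resp:` together with the modifiers it uses and whether a `flexresp2_interface` is configured for it. File contents, the extra sid 1000001 rule and all function names are assumptions made for the example; what Snort 2.0.2 does when it meets the same sid twice is not stated on the page, so the script only reports the duplicate.

```python
"""Added example: sanity checks for a flexresp2 setup (not the post's own code)."""
import re
from collections import defaultdict

# Constructed rule files modelled on the two rules quoted in the post; the
# IRC rule with sid 1000001 is hypothetical and only there as a non-colliding case.
RULE_FILES = {
    "chat.rules": (
        'alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; '
        'flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; '
        'classtype:policy-violation; sid:1631; rev:4;)\n'
    ),
    "local.rules": (
        'alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; '
        'flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; '
        'classtype:policy-violation; resp:reset,icmp_all; sid:1631; rev:5;)\n'
        '# hypothetical local rule that does not collide with anything\n'
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL IRC connect"; '
        'flow:to_server,established; resp:reset; sid:1000001; rev:1;)\n'
    ),
}

# Constructed snort.conf fragment reproducing the poster's flexresp2 section.
SNORT_CONF = (
    "# flexresp2 section\n"
    "config flexresp2_interface: eth1\n"
    "config flexresp2_attempts: 5\n"
)


def split_options(body):
    """Split a rule's option body on ';' that are outside double quotes."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line):
    """Return (action, header, options) for one single-line rule, else None.
    Options map keyword -> value string, or True for bare keywords (e.g. nocase)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = re.match(r"^(\w+)\s+([^(]+)\((.*)\)\s*$", line)
    if not m:
        return None
    opts = {}
    for part in split_options(m.group(3)):
        key, sep, val = part.partition(":")
        opts[key.strip()] = val.strip() if sep else True
    return m.group(1), m.group(2).strip(), opts


def index_rules(files):
    """Map sid -> [(file, rev, resp value or None)] across all rule files."""
    by_sid = defaultdict(list)
    for fname, text in files.items():
        for line in text.splitlines():
            parsed = parse_rule(line)
            if parsed is None or "sid" not in parsed[2]:
                continue
            opts = parsed[2]
            by_sid[int(opts["sid"])].append(
                (fname, int(opts.get("rev", 0)), opts.get("resp"))
            )
    return dict(by_sid)


def duplicate_sids(by_sid):
    """SIDs that were loaded more than once (from one file or several)."""
    return {sid: hits for sid, hits in by_sid.items() if len(hits) > 1}


def flexresp2_config(conf_text):
    """Collect 'config flexresp2_*' lines from snort.conf into a dict."""
    cfg = {}
    for line in conf_text.splitlines():
        m = re.match(r"^\s*config\s+(flexresp2_\w+)\s*:\s*(\S+)", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def resp_report(by_sid, cfg):
    """(sid, file, modifiers, note) for every rule using resp:; the note is set
    when no flexresp2_interface is configured for the responses to go out on."""
    report = []
    for sid, hits in sorted(by_sid.items()):
        for fname, _rev, resp in hits:
            if resp is None:
                continue
            modifiers = [m.strip() for m in resp.split(",")]
            note = "" if "flexresp2_interface" in cfg else "no flexresp2_interface configured"
            report.append((sid, fname, modifiers, note))
    return report


if __name__ == "__main__":
    idx = index_rules(RULE_FILES)
    for sid, hits in duplicate_sids(idx).items():
        print(f"sid {sid} loaded from: " + ", ".join(f"{f} (rev {r})" for f, r, _ in hits))
    cfg = flexresp2_config(SNORT_CONF)
    print("flexresp2 config:", cfg)
    for sid, fname, mods, note in resp_report(idx, cfg):
        print(f"sid {sid} in {fname} responds with {mods} {note}".rstrip())
```

Run it against your real rule files by loading them into `RULE_FILES` and your snort.conf into `SNORT_CONF`; the parser only handles one-line rules, so join any backslash-continued rules first. A duplicate-sid hit and an empty resp report (or a report with the "no flexresp2_interface configured" note) are the two configuration-side findings worth resolving before suspecting the active-response code itself.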
