Re: [Snort-users] flexresp2 not working in snort 2.0.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the bug report, I'll take a look. I'm glad to see at least one person using sp_respond2.

- -Jeff

On Wednesday, October 1, 2003, at 06:04 AM, Nerijus Krukauskas wrote:

> Hi,
>
> I've patched freshly extracted snort-2.0.2.tar.gz with
> sp_respond2.diff.gz according to instructions found in
> sp_respond2.readme. Then I built snort with "./configure
> --enable-linux-smp-stats --enable-flexresp2
> --with-oracle=/home/oracle". Installed it (with "make install").
>
> Then in snort.conf added:
> --CUT--
> # flexresp2 section
> config flexresp2_interface: eth1
> config flexresp2_attempts: 5
> --CUT--
>
> In local.rules replicated the rule from chat.rules:
> alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login";
> flow:to_server,established; content:"|2a 01|"; offset:0; depth:2;
> classtype:policy-violation; sid:1631; rev:4;)
>
> And modified it as follows:
> alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login";
> flow:to_server,established; content:"|2a 01|"; offset:0; depth:2;
> classtype:policy-violation; resp:reset,icmp_all; sid:1631; rev:5;)
>
> Started snort and tried AOL Instant Messenger. So far so good,
> snort alerted me about my AIM login, but (WHOOPS!) did not send any
> resets or icmp messages (I watched for them in parallel with tcpdump).
> Then I tried the same rule with "resp:reset" and "resp:icmp_all" alone
> with the same result -- flexresp2 did not send any packets.
>
> Is that some conflict between (almost) identical rules in
> chat.rules and local.rules, or is it me doing something wrong?
>
> --
> NK @ Vilnius
> nk.tinkle.lt
>
> Finagle's fourth Law: Once a job is fouled up, anything done to
> improve it only makes it worse.
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users

- --
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/e80jEqr8+Gkj0/0RAvkcAKCRnlR53TL1e0oO8hVY5dnRKUY6xwCeNxR6
QbdIeNBCkfFCfvpqKqPvFhI=
=G5k7
-----END PGP SIGNATURE-----
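Nerijus's question is whether the near-identical rules in chat.rules and local.rules (same sid:1631, one with resp:, one without, different rev) collide. Before debugging the responder, a practitioner would want to confirm mechanically that no sid is defined twice across the loaded rule files. The Python below is an added example, not code from the thread or from Snort: it embeds the two quoted rules as constructed sample files, parses each rule's keyword:value options, and reports every sid that appears in more than one file along with the options whose values differ between the copies.

```python
import re
from collections import defaultdict

# Constructed sample rule files mirroring the two rules quoted in the thread:
# the local.rules copy adds resp:reset,icmp_all and bumps rev, but keeps sid 1631.
RULE_FILES = {
    "chat.rules": (
        'alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; '
        'flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; '
        'classtype:policy-violation; sid:1631; rev:4;)'
    ),
    "local.rules": (
        '# local copy with active response\n'
        'alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; '
        'flow:to_server,established; content:"|2a 01|"; offset:0; depth:2; '
        'classtype:policy-violation; resp:reset,icmp_all; sid:1631; rev:5;)'
    ),
}

# keyword:value; pairs inside the rule body (flag-style options such as nocase are ignored)
OPT_RE = re.compile(r'(\w+)\s*:\s*([^;]*);')


def parse_rule(line):
    """Return (header, {option: value}) for one rule line, or None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    header, _, body = line.partition("(")
    opts = {k: v.strip() for k, v in OPT_RE.findall(body.rstrip(")"))}
    return header.strip(), opts


def find_duplicate_sids(rule_files):
    """Map sid -> {'files': [...], 'differing': [options whose values disagree]}
    for every sid that occurs in more than one rule across the given files."""
    by_sid = defaultdict(list)
    for fname, text in rule_files.items():
        for line in text.splitlines():
            parsed = parse_rule(line)
            if parsed and "sid" in parsed[1]:
                by_sid[parsed[1]["sid"]].append((fname, parsed[1]))
    report = {}
    for sid, entries in by_sid.items():
        if len(entries) < 2:
            continue
        keys = set().union(*(opts.keys() for _, opts in entries))
        differing = sorted(k for k in keys if len({opts.get(k) for _, opts in entries}) > 1)
        report[sid] = {"files": [f for f, _ in entries], "differing": differing}
    return report
```

Run against a real deployment by reading each file named in snort.conf's include lines into the dict instead of the constructed samples; an empty report means every sid is unique.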