Re: [Snort-users] flexresp2 is back and needs testing
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pfeito,

I'd like for you to try two things. First, try using only reset_dest in your rule. Second, can you send me the pcap dump so I can take a look at it? The pcap dump I'm interested in will come from the FTP server. I want to see all the packets from connection establishment to sp_respond2 firing the response packets.

- -Jeff

On Aug 30, 2004, at 7:05 AM, pfeito wrote:

> Hi,
>
> I'm currently testing flexresp2. For now I'm just using a simple rule that terminates a FTP connection if someone tries to login with user "root".
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP root login attempt!"; flow:to_server,established; content:"USER"; nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi"; classtype:suspicious-login; sid:1000002; rev:2; resp: reset_both;)
>
> I try to login remotely with user root, but the connection does not terminate. I sniffed with tcpdump and I know that the TCP RST packets are being sent, but the connection stays up.
>
> Then I tried the same but with both peers on the same LAN, but with the same results. The TCP RST packets are being sent also.
>
> I've tcpdump logs if someone is interested in looking into them.
>
> My snort.conf-flexresp2 config
> config flexresp2_interface: eth2
> config flexresp2_attempts: 10
>
> What could be going wrong?
>
> Thanks in advance,
> -pfeito
>
>> -----Original Message-----
>> From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Jeff Nathan
>> Sent: Monday, 26 July 2004 1:33
>> To: snort-users@lists.sourceforge.net
>> Subject: [Snort-users] flexresp2 is back and needs testing
>>
>> Hi Snortees,
>>
>> I've got a new version of the flexible response code, sp_respond2, ready for testing. This new version uses libdnet (http://libdnet.sourceforge.net) and is significantly faster than all previous versions. During testing I was able to reset TCP connections where both the client and server were on the same LAN.
>>
>> The patch is attached to this message but if you'd like to download it, it's also available from
>>
>> http://cerberus.sourcefire.com/~jeff...t/sp_respond2/
>>
>> If you encounter any problems with the attached patch, refer to the website for an update before sending email.
>>
>> It's most helpful if you're somewhat experienced with Snort. For the time being I'd like to avoid tutoring users during testing.

- --
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBMz1YEqr8+Gkj0/0RAqcCAKCqt6bNBfOHlqOYZIo6TXs0L0qt1gCbBJio
W7X45fODL7UYAHi+PBsCd+k=
=V4id
-----END PGP SIGNATURE-----
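The reply asks for a capture covering everything from the handshake up to the response packets. The first thing to check in such a capture, before concluding that the sensor is at fault, is whether the injected RSTs carry a sequence number the receiving stack will honour: under RFC 793 a RST is accepted only if its seq lies inside the receiver's window starting at rcv_nxt, and RFC 5961 stacks go further, accepting only an exact match and answering an in-window but inexact RST with a challenge ACK. A RST whose seq is copied from the triggering segment without adding that segment's payload length lands before rcv_nxt and is silently dropped, so "RSTs are on the wire but the session stays up" is exactly the symptom. The Python below is an added example, not code from this thread or from Snort; it walks pre-decoded packets in capture order, tracks rcv_nxt per direction and classifies each RST. The endpoints, sequence numbers, the 9-byte banner, the 11-byte "USER root" line and the 64 KiB window are all constructed.

```python
"""Classify TCP RSTs in a capture by whether the receiver would accept them.
Added example (not from the mailing-list thread); sample flow is constructed."""
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 2^32


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # any of S (SYN), A (ACK), F (FIN), R (RST), P (PSH)
    seq: int
    ack: int
    payload_len: int = 0


def classify_rst(seq, expected, window):
    """Compare a RST's seq with the seq the receiver expects next (rcv_nxt)."""
    if expected is None:
        return "no-state"          # no handshake seen for this direction
    if seq == expected:
        return "exact"             # accepted by RFC 793 and RFC 5961 stacks
    if (seq - expected) % MOD < window:
        return "in-window"         # RFC 793 accepts; RFC 5961 sends a challenge ACK
    return "out-of-window"         # dropped by every stack


def check_resets(packets, window=65535):
    """Walk packets in capture order, maintain rcv_nxt per direction and
    return one verdict per RST. window is the assumed receive window."""
    expected = {}   # (src, sport, dst, dport) -> seq the receiver expects next
    results = []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if "R" in p.flags:
            exp = expected.get(key)
            results.append({"seq": p.seq, "expected": exp,
                            "verdict": classify_rst(p.seq, exp, window)})
            continue
        # SYN and FIN each consume one sequence number, data consumes its length
        consumed = p.payload_len + ("S" in p.flags) + ("F" in p.flags)
        nxt = (p.seq + consumed) % MOD
        # advance only forward (a SYN starts fresh; retransmissions do not regress)
        if "S" in p.flags or key not in expected or (nxt - expected[key]) % MOD < window:
            expected[key] = nxt
    return results


# --- constructed sample capture: FTP login followed by candidate responses ---
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 21)


def c2s(flags, seq, ack, plen=0):
    return Packet(*CLIENT, *SERVER, flags, seq, ack, plen)


def s2c(flags, seq, ack, plen=0):
    return Packet(*SERVER, *CLIENT, flags, seq, ack, plen)


SAMPLE_CAPTURE = [
    c2s("S", 1000, 0),             # client SYN, ISN 1000
    s2c("SA", 5000, 1001),         # server SYN/ACK, ISN 5000
    c2s("A", 1001, 5001),          # handshake complete
    s2c("PA", 5001, 1001, 9),      # banner "220 FTP\r\n" (9 bytes)
    c2s("A", 1001, 5010),
    c2s("PA", 1001, 5010, 11),     # "USER root\r\n" (11 bytes), triggers the rule
    # responses aimed at the server, spoofed as coming from the client
    c2s("RA", 1012, 5010),         # seq == rcv_nxt: accepted
    c2s("RA", 1001, 5010),         # seq of the USER segment without its length:
                                   # before rcv_nxt, so the server drops it
    c2s("RA", 1112, 5010),         # 100 ahead: in window, RFC 5961 challenge-ACKs
    c2s("RA", 4_000_000_000, 5010),  # wrong ISN entirely: out of window
    # response aimed at the client, spoofed as coming from the server
    s2c("RA", 5010, 1012),         # seq == rcv_nxt: accepted
]

if __name__ == "__main__":
    for r in check_resets(SAMPLE_CAPTURE):
        print(f"RST seq={r['seq']:>10} expected={r['expected']} -> {r['verdict']}")
```

With a real pcap, feed the decoder's per-packet (addresses, ports, flags, seq, ack, payload length) into the same routine; two RSTs in the sample that are both "on the wire" get opposite verdicts, which is the distinction a tcpdump listing alone does not show. The ack field of a RST is not checked here, since RFC 793 ignores it for RST processing.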