
RE: [Snort-users] flexresp2 is back and needs testing

This is a discussion on RE: [Snort-users] flexresp2 is back and needs testing within the Snort forums, part of the System Security and Security Related category.



08-30-2004
pfeito


Here it goes Jeff,

I made a new pcap, this time with a "reset_dest" rule. It didn't work either. Can't think of anything that could be wrong :\

The pcap was captured on the FTP (212.22.xx.xx). The remote client is the 193.xx.xx.xx.

Thanks again!

-pfeito

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pfeito,

I'd like for you to try two things. First, try using only reset_dest
in your rule. Second, can you send me the pcap dump so I can take a
look at it?

The pcap dump I'm interested in will come from the FTP server. I want
to see all the packets from connection establishment to sp_respond2
firing the response packets.

- -Jeff

On Aug 30, 2004, at 7:05 AM, pfeito wrote:

> Hi,
>
> I'm currently testing flexresp2. For now I'm just using a simple rule
> that terminates an FTP connection if someone tries to login with user
> "root".
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP root login
> attempt!";
> flow:to_server,established; content:"USER"; nocase; content:"root";
> distance:1; nocase; pcre:"/^USER\sroot/smi";
> classtype:suspicious-login;
> sid:1000002; rev:2; resp: reset_both;)
>
> I try to login remotely with user root, but the connection does not
> terminate. I sniffed with tcpdump and I know that the TCP RST packets
> are being sent, but the connection stays up.
>
> Then I tried the same but with both peers on the same LAN, with the
> same results. The TCP RST packets are being sent also.
>
> I've tcpdump logs if someone is interested in looking into them.
>
> My snort.conf-flexresp2 config
> config flexresp2_interface: eth2
> config flexresp2_attempts: 10
>
> What could be going wrong?
>
> Thanks in advance,
> -pfeito
>
>
>
>> -----Original Message-----
>> From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-
>> admin@lists.sourceforge.net] On Behalf Of Jeff Nathan
>> Sent: segunda-feira, 26 de Julho de 2004 1:33
>> To: snort-users@lists.sourceforge.net
>> Subject: [Snort-users] flexresp2 is back and needs testing
>>
>> Hi Snortees,
>>
>> I've got a new version of the flexible response code, sp_respond2,
>> ready for testing. This new version uses libdnet
>> (http://libdnet.sourceforge.net) and is significantly faster than all
>> previous versions. During testing I was able to reset TCP connections
>> where both the client and server were on the same LAN.
>>
>> The patch is attached to this message but if you'd like to download
>> it,
>> it's also available from
>>
>> http://cerberus.sourcefire.com/~jeff...t/sp_respond2/
>>
>> If you encounter any problems with the attached patch, refer to the
>> website for an update before sending email.
>>
>> It's most helpful if you're somewhat experienced with Snort. For the
>> time being I'd like to avoid tutoring users during testing.


- --
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
"Great spirits have always encountered violent opposition from
mediocre minds." - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBMz1YEqr8+Gkj0/0RAqcCAKCqt6bNBfOHlqOYZIo6TXs0L0qt1gCbBJio
W7X45fODL7UYAHi+PBsCd+k=
=V4id
-----END PGP SIGNATURE-----




[Attachment: reset_dest.pcap (application/octet-stream, base64-encoded; body omitted)]

