This is a discussion on Re: [Snort-users] Flexresp problems within the Snort forums, part of the System Security and Security Related category.
Hi all, thanks for the suggestions.
I rebuilt from scratch on CentOS 5 with Snort 2.8.0.2 using:

../configure --with-mysql --enable-dynamicplugin --enable-react

react:block; now works without issue!

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

> -----Original Message-----
> From: Todd Wease [mailto:twease@sourcefire.com]
> Sent: 21 February 2008 13:40
> To: Ward, Rob
> Cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Flexresp problems
>
> Rob,
>
> I just tested this and it seems to work fine with the 2.8.0.1 tarball on
> the snort.org site. Can you post the command line you used to configure
> Snort? The configure line I used was:
>
> $ ./configure --enable-pthread --enable-linux-smp-stats
> --enable-dynamicplugin --enable-sourcefire --enable-gre
> --enable-targetbased --enable-flexresp
>
> The rule I used was:
>
> alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard";
> flow:to_server,established; content:"cmd.exe"; nocase;
> classtype:policy-violation; sid:100000001; rev:8; react:block;)
>
> The snort.conf I used was the default one with the above rule added at
> the end of the file.
>
> The snort command line I used was (running from top level of source tree):
>
> $ sudo ./src/snort -c ./etc/snort.conf.work -k none -A cmg -i eth0
>
> When I tried to use the url "http://192.168.0.2/cmd.exe", I got an alert
> as well as the flexresp react block page sent to my browser.
>
> Also tried the resp rule:
>
> alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard";
> flow:to_server,established; content:"cmd.exe"; nocase;
> classtype:policy-violation; sid:100000001; rev:8; resp:rst_snd;)
>
> and I get a message sent to my browser that the connection was reset.
>
> This was not tested on a Cent OS 5 machine, but a Fedora Core 8 intel.
> I downloaded libnet-1.0.2a.tar.gz and just did the normal './configure
> && make && sudo make install'.
>
> Thanks,
> Todd
>
> Ward, Rob wrote:
> > I've installed with Flexresp and when I try to add react:block; to a
> > rule I get the message below, any ideas please anyone?
> >
> > FATAL ERROR: Warning: /etc/snort/rules/local.rules(1) => Unknown keyword
> > ' react' in rule!
> >
> > The rule syntax looks OK to me and I've used this before without a
> > problem. I'm running snort 2.8.0.1 on Cent OS 5.
> >
> > The rule looks like this:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login";
> > flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1;
> > classtype:policy-violation; sid:549; rev:8; react:block;)
> >
> > Also with Flexresp in which file do you put your variables i.e:
> >
> > # just stop the offender
> > var RESP_TCP resp:rst_snd;
> >
> > I get the same error when I put this in snort.conf and replace
> > react:block; with $RESP_TCP in my rules. I also get the same error with
> > resp:rst_snd; in the rules.
> >
> > Any help would be appreciated, thanks!
> >
> > Rob Ward
> > Network Northwest Support
> > University of Liverpool
> > Computing Services Department
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/...fo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.p...st=snort-users
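A pre-flight check for the "Unknown keyword" failure discussed in this thread, added here as an example (not code from the thread or from the Snort project): it reads Snort 2.8 rule lines, expands var definitions such as the RESP_TCP line above, and reports react/resp options that the build's configure flags do not provide. The keyword-to-flag table is an assumption drawn from the thread (react worked with --enable-flexresp on 2.8.0.1 and with --enable-react on 2.8.0.2); whether Snort itself expands $NAME inside rule options is not settled in the thread, so the expansion here only reflects how the RESP_TCP snippet is meant to be used.

```python
import re
# Assumption drawn from the thread (adjust for your Snort version): react
# worked with --enable-flexresp on 2.8.0.1 and --enable-react on 2.8.0.2.
OPTION_FLAGS = {
    "react": {"--enable-react", "--enable-flexresp"},
    "resp": {"--enable-flexresp", "--enable-flexresp2"},
}
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
RULE_RE = re.compile(r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+[^(]*\((.*)\)\s*$")

def parse_vars(conf_lines):
    """Collect 'var NAME value' lines, e.g. 'var RESP_TCP resp:rst_snd;'."""
    return {m.group(1): m.group(2) for m in map(VAR_RE.match, conf_lines) if m}

def split_options(body):
    """Split a rule option body on ';' without splitting inside double quotes."""
    opts, cur, quoted = [], [], False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [o for o in opts + ["".join(cur).strip()] if o]

def check_rules(rule_lines, configure_flags, variables=None):
    """Return (line_no, keyword, flags that would provide it) per unsupported option."""
    flags, problems = set(configure_flags), []
    for no, line in enumerate(rule_lines, 1):
        for name, value in (variables or {}).items():
            line = line.replace("$" + name, value)  # $RESP_TCP -> resp:rst_snd;
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, comment or not a rule
        for opt in split_options(m.group(1)):
            key = opt.split(":", 1)[0].strip()
            needed = OPTION_FLAGS.get(key)
            if needed and not needed & flags:
                problems.append((no, key, sorted(needed)))
    return problems

if __name__ == "__main__":
    # Constructed sample: Rob's rule and his $RESP_TCP variant against a build
    # configured without react or flexresp support.
    rules = ['alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; '
             'content:"|00 02 00|"; depth:3; offset:1; sid:549; rev:8; react:block;)',
             'alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (sid:550; rev:1; $RESP_TCP)']
    variables = parse_vars(["# just stop the offender", "var RESP_TCP resp:rst_snd;"])
    for no, key, need in check_rules(rules, ["--with-mysql", "--enable-dynamicplugin"], variables):
        print(f"rule {no}: option '{key}' needs one of {need}")
```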