Re: [Snort-users] Flexresp problems (Snort forums, System Security and Security Related category)
Are you saying that I should use --enable-flexresp instead of --enable-flexresp2? --enable-flexresp2 does not work for me with my configure options used. Some clarification would be helpful.

Thanks,
ZK

--- Todd Wease <twease@sourcefire.com> wrote:

> Rob,
>
> I just tested this and it seems to work fine with the 2.8.0.1 tarball on
> the snort.org site. Can you post the command line you used to configure
> Snort? The configure line I used was:
>
> $ ./configure --enable-pthread --enable-linux-smp-stats --enable-dynamicplugin --enable-sourcefire --enable-gre --enable-targetbased --enable-flexresp
>
> The rule I used was:
>
> alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:policy-violation; sid:100000001; rev:8; react:block;)
>
> The snort.conf I used was the default one with the above rule added at
> the end of the file.
>
> The snort command line I used was (running from top level of source tree):
>
> $ sudo ./src/snort -c ./etc/snort.conf.work -k none -A cmg -i eth0
>
> When I tried to use the url "http://192.168.0.2/cmd.exe", I got an alert
> as well as the flexresp react block page sent to my browser.
>
> Also tried the resp rule:
>
> alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:policy-violation; sid:100000001; rev:8; resp:rst_snd;)
>
> and I get a message sent to my browser that the connection was reset.
>
> This was not tested on a Cent OS 5 machine, but a Fedora Core 8 intel.
> I downloaded libnet-1.0.2a.tar.gz and just did the normal './configure
> && make && sudo make install'.
>
> Thanks,
> Todd
>
>
> Ward, Rob wrote:
> > I've installed with Flexresp and when I try to add react:block; to a rule I get the message below, any ideas please anyone?
> >
> > FATAL ERROR: Warning: /etc/snort/rules/local.rules(1) => Unknown keyword ' react' in rule!
> >
> > The rule syntax looks OK to me and I've used this before without a problem. I'm running snort 2.8.0.1 on Cent OS 5.
> >
> > The rule looks like this:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8; react:block;)
> >
> > Also with Flexresp in which file do you put your variables i.e:
> >
> > # just stop the offender
> > var RESP_TCP resp:rst_snd;
> >
> > I get the same error when I put this in snort.conf and replace react:block; with $RESP_TCP in my rules. I also get the same error with resp:rst_snd; in the rules.
> >
> > Any help would be appreciated, thanks!
> >
> > Rob Ward
> > Network Northwest Support
> > University of Liverpool
> > Computing Services Department
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/...fo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.p...st=snort-users
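The thread turns on one point: `react:` and `resp:` are rule options that only parse when the Snort binary was configured with flexresp support, so a rule file that works on one sensor can be rejected with "Unknown keyword" on another. The following is an added example (not code from the thread or from the Snort project) that scans a rule file in the syntax quoted above and lists every rule a build without flexresp would choke on. It also flags a `$VAR` sitting where an option keyword belongs, as in the `$RESP_TCP` attempt, without asserting how Snort expands it. The sample rule file is constructed from the rules in the thread, with distinct sids so each result is unambiguous; whether a given binary actually has flexresp compiled in is not something this script can tell you.

```python
"""Find Snort 2.x rules that a build without flexresp would reject.

Added example, not from the thread or the Snort project. Parses rule lines in
the syntax quoted in the posts and reports rules carrying a `react` or `resp`
option (the ones that produce "Unknown keyword 'react' in rule!" on a binary
configured without --enable-flexresp / --enable-flexresp2), plus any `$VAR`
used in option position. SAMPLE_RULES is constructed, sids made distinct.
"""
import re
from typing import Dict, List, Optional, Tuple

RESPONSE_KEYWORDS = {"react", "resp"}

# action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S,
)


def _push(cur: List[str], opts: List[Tuple[str, str]]) -> None:
    tok = "".join(cur).strip()
    if tok:
        key, _, val = tok.partition(":")
        opts.append((key.strip(), val.strip()))


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the option block on ';' into (keyword, value) pairs.

    A ';' inside double quotes (content:"a;b") does not end an option, and a
    backslash inside quotes escapes the next character.
    """
    opts: List[Tuple[str, str]] = []
    cur: List[str] = []
    in_quote = False
    i = 0
    while i < len(body):
        c = body[i]
        if in_quote and c == "\\" and i + 1 < len(body):
            cur.append(c + body[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            _push(cur, opts)
            cur = []
        else:
            cur.append(c)
        i += 1
    _push(cur, opts)
    return opts


def join_continuations(text: str) -> List[str]:
    """Join backslash-continued lines into single rules; skip comments/blanks."""
    rules: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rules.append(buf + line)
        buf = ""
    if buf:
        rules.append(buf.strip())
    return rules


def analyse_rule(rule: str) -> Optional[Dict[str, object]]:
    """Return sid, msg, active-response options and $VAR options of one rule."""
    m = HEADER_RE.match(rule)
    if m is None:
        return None
    opts = split_options(m.group("body"))
    kv = dict(opts)
    return {
        "sid": kv.get("sid", "?"),
        "msg": kv.get("msg", "").strip('"'),
        "response": [f"{k}:{v}" for k, v in opts if k in RESPONSE_KEYWORDS],
        "var_options": [k for k, _ in opts if k.startswith("$")],
    }


def rules_needing_flexresp(text: str) -> List[Dict[str, object]]:
    """Rules that use react/resp, or a $VAR where an option keyword belongs."""
    found: List[Dict[str, object]] = []
    for rule in join_continuations(text):
        info = analyse_rule(rule)
        if info and (info["response"] or info["var_options"]):
            found.append(info)
    return found


SAMPLE_RULES = r"""
# constructed sample, based on the rules quoted in the thread
alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard"; \
    flow:to_server,established; content:"cmd.exe"; nocase; \
    classtype:policy-violation; sid:100000001; rev:8; react:block;)
alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard"; \
    flow:to_server,established; content:"cmd.exe"; nocase; \
    classtype:policy-violation; sid:100000002; rev:8; resp:rst_snd;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; \
    flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; \
    classtype:policy-violation; sid:549; rev:8; react:block;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; \
    flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; \
    classtype:policy-violation; sid:550; rev:8; $RESP_TCP)
alert tcp any any -> any 80 (msg:"plain;alert"; content:"a;b"; sid:1; rev:1;)
"""

if __name__ == "__main__":
    for r in rules_needing_flexresp(SAMPLE_RULES):
        print(f'sid {r["sid"]} ({r["msg"]}): response={r["response"]} vars={r["var_options"]}')
```

Run it against `local.rules` (read the file into `rules_needing_flexresp`) before deploying to a sensor whose build flags you do not control: every rule it lists will be fatal on a Snort compiled without flexresp, so either rebuild with `--enable-flexresp` as Todd did or keep those rules out of that sensor's configuration. The quote-aware splitter matters because a naive `split(";")` would break on `msg` or `content` strings that contain semicolons and misreport the options.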