Snort mailing list archives
Re: Problem with resp
From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 22 May 2001 11:21:06 -0700
In most people's experience, the spoofed packets generated by Snort to close the connection do not get sent out in time. The true packets get transmitted, then the spoofed packets stumble in with out-of-order sequence numbers. So, the connection is not reset. I have heard that libpcap is the bottleneck, and there is not really an easy way to solve this. Perhaps someone else can elaborate more.

-Joe M.

--
| Joe McAlerney joey () silicondefense com |
| Silicon Defense - Technical Support for Snort |
| http://www.silicondefense.com/ |
+-- --+

"Andrew J. Bostaph" wrote:
> I have attempted to utilize FlexResp, but when I do nothing happens. At all. I have modified the rules I want resp on, but when I run snort, no scans are detected, and no resp is generated. When I go back to the original scan.rules, it logs scans fine. Here is a sample of the rules:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (resp: rst_all; msg:"SCAN Proxy attempt";flags:S;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (resp: rst_all; msg:"SCAN Proxy attempt";flags:S;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (resp: rst_all; msg:"INFO - Possible Squid Scan"; flags:S;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (resp: rst_all; msg: "SCAN - portmap listing 32771"; flags: A+; rpc: 100000,*,*; reference:arachnids,429;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - wayboard request - allows reading of arbitrary files as http service"; content:"way-board"; nocase;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - palscgi request - allows reading of arbitrary files as http service"; content:"pals-cgi"; nocase;)
>
> Is my syntax incorrect?
>
> Info:
> Compaq P-166
> 128 MB RAM
> 100 MB Linksys NIC
> RH 7.1
> Snort 1.7
>
> Thanks,
> Boa
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
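As an added illustration of the race Joe describes (this is not Snort code and not from either post): a small model of the receiver-side RST acceptance test from RFC 793, run over two constructed arrival orders. Sequence numbers, segment lengths and the window size are assumed values; the optional strict mode approximates the tighter RFC 5961 rule used by modern stacks.

```python
# Model of why a late spoofed RST fails to tear down a TCP connection.
# A receiver honours a RST only if SEG.SEQ lies inside its current receive
# window (RFC 793). Every real data segment delivered before the RST
# advances RCV.NXT, so a RST built from an earlier observed segment ends
# up behind the window and is silently dropped. All numbers are constructed.

MOD = 2 ** 32  # sequence space wraps at 2^32


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def deliver(segments, rcv_nxt, rcv_wnd=65535, strict=False):
    """Feed segments in arrival order to a receiver.

    segments: list of (kind, seq, length), kind is "DATA" or "RST".
    Returns (connection_reset, final_rcv_nxt). In strict mode the RST must
    match RCV.NXT exactly (RFC 5961 style); otherwise any in-window RST wins.
    """
    for kind, seq, length in segments:
        if kind == "RST":
            ok = seq == rcv_nxt if strict else in_window(seq, rcv_nxt, rcv_wnd)
            if ok:
                return True, rcv_nxt
            continue  # out-of-window RST: dropped, connection survives
        if seq == rcv_nxt:  # in-order data is consumed, window slides
            rcv_nxt = (rcv_nxt + length) % MOD
    return False, rcv_nxt


def rst_seq_after(observed_seq, observed_len):
    """Sequence number that is valid immediately after the segment a sensor saw."""
    return (observed_seq + observed_len) % MOD


# Sensor sees the client's first data segment (seq 1000, 100 bytes) and
# crafts a RST that would be accepted right behind it.
RST_SEQ = rst_seq_after(1000, 100)  # 1100


def timely_scenario():
    """RST reaches the host directly after the segment that triggered it."""
    return deliver([("DATA", 1000, 100), ("RST", RST_SEQ, 0)], rcv_nxt=1000)


def late_scenario():
    """Two more real segments land first; RCV.NXT has moved past the RST."""
    segs = [("DATA", 1000, 100), ("DATA", 1100, 1460),
            ("DATA", 2560, 1460), ("RST", RST_SEQ, 0)]
    return deliver(segs, rcv_nxt=1000)


if __name__ == "__main__":
    print("timely:", timely_scenario())  # (True, 1100)
    print("late:  ", late_scenario())    # (False, 4020)
```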
Current thread:
- Problem with resp Andrew J. Bostaph (May 18)
- Re: Problem with resp Joe McAlerney (May 22)
- Re: Problem with resp Bamm Visscher (May 24)
- Re: Problem with resp Dragos Ruiu (May 22)
- Re: Problem with resp Joe McAlerney (May 22)