Snort mailing list archives

Re: Problem with resp


From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 22 May 2001 11:21:06 -0700

In most people's experience, the spoofed packets generated by Snort to
close the connection do not get sent out in time.  The true packets
get transmitted, then the spoofed packets stumble in with out-of-order
sequence numbers.  So, the connection is not reset.  I have heard that
libpcap is the bottleneck, and there is not really an easy way to solve
this.

Perhaps someone else can elaborate more.

-Joe M.

-- 
|   Joe McAlerney     joey () silicondefense com   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

"Andrew J. Bostaph" wrote:

I have attempted to utilize FlexResp, but when I do nothing happens.  At
all.  I have modified the rules I want resp on, but when I run snort, no
scans are detected, and no resp is generated.  When I go back to the
original scan.rules, it logs scans fine.  Here is a sample of the rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (resp: rst_all; msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (resp: rst_all; msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (resp: rst_all; msg:"INFO - Possible Squid Scan"; flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (resp: rst_all; msg: "SCAN - portmap listing 32771"; flags: A+; rpc: 100000,*,*; reference:arachnids,429;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - wayboard request - allows reading of arbitrary files as http service"; content:"way-board"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - palscgi request - allows reading of arbitrary files as http service"; content:"pals-cgi"; nocase;)

Is my syntax incorrect?

Info:

Compaq P-166
128 MB RAM
100 MB Linksys NIC
RH 7.1
Snort 1.7

Thanks,

Boa
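The race Joe describes above, as an added example that is not part of this thread or of Snort's code: a simplified model of the receiver's TCP acceptance test (the RFC 793 window check, with RFC 5961's stricter exact-match rule for RSTs as an option, which goes beyond what the thread mentions) showing why a spoofed RST that arrives after the client's next real segment is simply dropped. The sequence numbers, window size and the way the RST is derived from the triggering packet are assumptions.

```python
"""Constructed model (not Snort code) of the race Joe describes: a RST that
arrives after the real traffic has advanced the receiver's sequence state is
out of window and silently dropped, so the connection is never reset."""

RCV_WND = 8192  # assumed receive window, in bytes


class Endpoint:
    """Receive side of one TCP endpoint with the RFC 793 acceptance test
    (and, optionally, the stricter RFC 5961 rule for RST segments)."""

    def __init__(self, irs, strict_rst=False):
        self.rcv_nxt = irs + 1          # peer's SYN consumed one sequence number
        self.rcv_wnd = RCV_WND
        self.strict_rst = strict_rst
        self.state = "ESTABLISHED"

    def _in_window(self, seq):
        # Sequence-number wraparound ignored for clarity.
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def receive(self, seg):
        """Process one segment dict {seq, len, rst} and report what happened."""
        if self.state == "CLOSED":
            return "ignored"
        if not self._in_window(seg["seq"]):
            return "dropped"             # stale segment: no state change at all
        if seg["rst"]:
            if self.strict_rst and seg["seq"] != self.rcv_nxt:
                return "challenge-ack"   # RFC 5961: in window but not exact
            self.state = "CLOSED"
            return "reset"
        self.rcv_nxt += seg["len"]
        return "accepted"


def simulate(arrival_order, strict_rst=False):
    """Replay constructed segments at the victim in the given order: P1 is
    the segment that fired the rule, RST the sensor's spoofed reset derived
    from P1, P2 the client's next real segment. Returns (final state, log)."""
    irs = 1000                                   # constructed client ISN
    p1 = {"seq": irs + 1, "len": 40, "rst": False}
    rst = {"seq": p1["seq"] + p1["len"], "len": 0, "rst": True}
    p2 = {"seq": p1["seq"] + p1["len"], "len": 100, "rst": False}
    victim = Endpoint(irs, strict_rst)
    log = [(name, victim.receive({"P1": p1, "RST": rst, "P2": p2}[name]))
           for name in arrival_order]
    return victim.state, log
```

`simulate(["P1", "RST", "P2"])` ends CLOSED because the RST wins the race; `simulate(["P1", "P2", "RST"])` stays ESTABLISHED because the real segment has already moved rcv_nxt past the RST's sequence number.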
