Snort mailing list archives
flexible response broken?
From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Sun, 4 Nov 2001 11:36:41 -0500
I've been playing around with snort-1.8.2 and flexible response does not seem to be working. I have both versions of snort configured with the following options:

    ./configure --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-flexresp --with-mysql --with-openssl

I have the following rule as my test rule:

    pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)

This should "silently" kill any incoming requests for cmd.exe. When testing the rule with snort-1.8.1 I get the following:

    [root@scanner src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
    --11:37:19--  http://xxx.xxx.xxx.xxx/cmd.exe
               => `cmd.exe'
    Connecting to xxx.xxx.xxx.xxx:80... connected!
    HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
    Retrying.

The "Connection reset by peer" indicates that the connection was correctly terminated. When testing with snort-1.8.2, I get the following:

    [root@scanner src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
    --11:41:15--  http://xxx.xxx.xxx.xxx/cmd.exe
               => `cmd.exe'
    Connecting to xxx.xxx.xxx.xxx:80... connected!
    HTTP request sent, awaiting response... 404 Not Found
    11:41:15 ERROR 404: Not Found.

Even though there's a "404: Not Found", the connection was completed successfully. Any idea why it seems to be working in snort-1.8.1 and not snort-1.8.2?

Thanks,
Nate

--
Nathan W. Labadie | ab0781 () wayne edu
Sr. Security Specialist | 313/577.2126
Wayne State University | 313/577.5626 fax
C&IT Security Office: http://security.wayne.edu

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
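The test rule above only resets a connection if, after snort.conf variable expansion, it actually carries a flexresp `resp:` option with a modifier that fits the protocol. The Python below is an added example, not code from the post or from Snort: it parses a Snort 1.8-style rule, expands `$VAR` references, and reports which resp modifiers the rule would fire, rejecting RST modifiers on non-TCP rules. The variable values (EXTERNAL_NET, INSIDE, and RESP_TCP = `resp:rst_all`) are assumptions, since the post does not show its snort.conf.

```python
import re

# Constructed snort.conf-style variable values (assumed; the post does not show them).
SNORT_VARS = {
    "EXTERNAL_NET": "any",
    "INSIDE": "192.0.2.0/24",
    "RESP_TCP": "resp:rst_all",
}

# Response modifiers accepted by the Snort 1.8 flexresp plugin.
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

# The rule quoted in the post.
RULE = ('pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; '
        'msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; '
        'nocase; classtype:attempted-user; sid:1002; rev:1;)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def expand_vars(text, variables):
    """Replace every $NAME reference with its snort.conf value."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], text)

def parse_rule(rule, variables):
    """Split a rule into header fields plus a list of (option, value) pairs."""
    m = HEADER_RE.match(expand_vars(rule.strip(), variables))
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    fields = m.groupdict()
    fields["options"] = []
    for raw in fields.pop("opts").split(";"):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")      # 'nocase' has no value
            fields["options"].append((key.strip(), val.strip().strip('"')))
    return fields

def resp_modifiers(parsed):
    """Return the flexresp modifiers the rule would fire; [] if it has no resp option."""
    mods = []
    for key, val in parsed["options"]:
        if key != "resp":
            continue
        for mod in (v.strip() for v in val.split(",")):
            if mod not in RESP_MODIFIERS:
                raise ValueError("unknown resp modifier %r" % mod)
            if mod.startswith("rst") and parsed["proto"] != "tcp":
                raise ValueError("%s only makes sense on tcp rules" % mod)
            mods.append(mod)
    return mods

if __name__ == "__main__":
    print(resp_modifiers(parse_rule(RULE, SNORT_VARS)))
```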
Current thread:
- flexible response broken? Nathan W. Labadie (Nov 04)
- Re: flexible response broken? Nathan W. Labadie (Nov 04)