Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: FlexResp and react keyword

From: Rob Collins <robtompc () yahoo com>
Date: Sat, 6 Oct 2001 18:19:04 -0700 (PDT)
I sent the last message off a little early.  Played
with it some more and got some more results.

First off, got snort to read its own tcpdump binary
output.  It just takes 20 seconds for it to read
through 39 packets, I was being too impatient before. 
:(  Tcpdump (from www.tcpdump.org, version 3.14-10
that comes standard with Mandrake 7.2) still gives a
parse error, maybe I need to upgrade tcpdump to read
snort's output?

Secondly, got another machine attached to a hub to the
snort machine, and tested remotely. Internet Explorer
is the web browser.  client's ip is 192.168.1.1,
snort's is 192.168.1.5.
First, the rule:
suspicious tcp any any -> 192.168.1.5 (flags: !R;
react: block;)
resets the connection.  But the packet I see going
192.168.1.5:80->192.168.1.1:1100 and containing the
snort webpage saying "You are not authorized to access
this site!" doesn't make it to my browser (meaning I
don't see that web page).  
It get's worse, simply clicking the Refresh button
loads to web page (???).  I can wait a minute before
clicking the Refresh button and it still goes through.
 I see the packets go flying by in snort, and the web
page on my browser.  Click refresh again after a
second or so of waiting and it produces a pop-up
message saying connection was reset by peer (click too
soon and the webpage just reloads).

Snort reports it has dropped zero packets.

If I manually telnet to port 80, connection gets
dropped every time.


Third, the rules on localhost still produce the same
problems I reported earlier.

On the plus side, the rule:
suspicious any any -> 192.168.1.5 80 (msg "http
attempt"; resp: rst_all;)
works everytime.

=====
--r
"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones

__________________________________________________
Do You Yahoo!?
NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
http://geocities.yahoo.com/ps/info1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: