Snort mailing list archives
RE: FlexResp and react keyword
From: Rob Collins <robtompc () yahoo com>
Date: Sat, 6 Oct 2001 18:19:04 -0700 (PDT)
I sent the last message off a little early. Played with it some more and got some more results.

First off, got snort to read its own tcpdump binary output. It just takes 20 seconds for it to read through 39 packets; I was being too impatient before. :( Tcpdump (from www.tcpdump.org, version 3.14-10 that comes standard with Mandrake 7.2) still gives a parse error; maybe I need to upgrade tcpdump to read snort's output?

Secondly, got another machine attached to a hub to the snort machine, and tested remotely. Internet Explorer is the web browser. Client's IP is 192.168.1.1, snort's is 192.168.1.5. First, the rule:

    suspicious tcp any any -> 192.168.1.5 (flags: !R; react: block;)

resets the connection. But the packet I see going 192.168.1.5:80 -> 192.168.1.1:1100 and containing the snort web page saying "You are not authorized to access this site!" doesn't make it to my browser (meaning I don't see that web page). It gets worse: simply clicking the Refresh button loads the web page (???). I can wait a minute before clicking the Refresh button and it still goes through. I see the packets go flying by in snort, and the web page on my browser. Click refresh again after a second or so of waiting and it produces a pop-up message saying connection was reset by peer (click too soon and the web page just reloads). Snort reports it has dropped zero packets. If I manually telnet to port 80, the connection gets dropped every time.

Third, the rules on localhost still produce the same problems I reported earlier.

On the plus side, the rule:

    suspicious any any -> 192.168.1.5 80 (msg "http attempt"; resp: rst_all;)

works every time.

=====
--r
"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones
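As an added example (not code from the post or from the Snort project), a small parser for the rule syntax quoted in the message that pulls out the header fields and option keywords and reports which rules use FlexResp active response (react/resp). It assumes the header grammar given in its comments, treats protocol and destination port as optional only because the quoted rules omit them, and uses those two rules as constructed sample input.

```python
import re
from collections import namedtuple

# Constructed sample input: the two rules quoted in the message above.
SAMPLE_RULES = """
suspicious tcp any any -> 192.168.1.5 (flags: !R; react: block;)
suspicious any any -> 192.168.1.5 80 (msg "http attempt"; resp: rst_all;)
"""

# Header: action [proto] src sport dir dst [dport] (options). Proto and dport are
# optional only because the rules above omit them (assumption: Snort requires both).
HEADER_RE = re.compile(
    r"^(\S+)\s+(?:(tcp|udp|icmp|ip)\s+)?(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)"
    r"(?:\s+(\S+))?\s*\((.*)\)\s*$")
ACTIVE_RESPONSE = ("react", "resp")  # FlexResp keywords that emit packets
Rule = namedtuple("Rule", "action proto src src_port direction dst dst_port options")

def parse_options(body):
    """Split 'key: value; key "v"; key;' on semicolons outside quotes."""
    opts, tok, quoted = {}, [], False
    for ch in body + ";":
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            item, tok = "".join(tok).strip(), []
            m = re.match(r"(\w+)\s*:?\s*(.*)$", item)
            if m:  # value is whatever follows the keyword, quotes stripped
                opts[m.group(1)] = m.group(2).strip().strip('"')
        else:
            tok.append(ch)
    return opts

def parse_rules(text):
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        act, proto, src, sp, d, dst, dp, body = m.groups()
        rules.append(Rule(act, proto, src, sp, d, dst, dp, parse_options(body)))
    return rules

def active_response(rule):
    """The react/resp options a rule carries; empty if it only alerts/logs."""
    return {k: v for k, v in rule.options.items() if k in ACTIVE_RESPONSE}

def parse_flags(value):
    """'!R' -> ('!', frozenset({'R'})): optional modifier plus TCP flag letters."""
    m = re.match(r"([+*!]?)([FSRPAU12]*)$", value.replace(" ", ""))
    return (m.group(1), frozenset(m.group(2))) if m else None
```

Absent header fields come back as None, so a ruleset audit can list which active-response rules lack a protocol, port or flags constraint.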