Snort mailing list archives
Re: Flex but no response ....
From: Joe McAlerney <joey () SiliconDefense com>
Date: Tue, 15 Jan 2002 15:22:04 -0800
You might want to try sniffing the line with tcpdump or snort -v to see if the spoofed ICMP message is actually being sent. Most people using flex resp on a speedy network (i.e., one that does not have the latency inherent on the Internet) will find that while the spoofed packet is being created, the actual one makes it back to the sender. There's more on this in the archives.

HTH,

-Joe M.

--
Joe McAlerney
Software Developer / Security Consultant
joey () SiliconDefense com
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

skill2die4 wrote:
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort and related utilities version numbers :
libnet-1.0.2a-1snort.i386.rpm
libnet.tar.gz (1.0.2a)
libpcap (0.6)
snort -1.8.3 (built 88) [configured option=flexResp]
snort-plain+flexresp.1.8.3-5-i386.rpm
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

scenario :
-----------
10.0.0.3 --- pings to ---> 10.0.0.3

rule file :: flexRESP.rules
--------------
alert icmp 10.0.0.3 any ---> any any (msg:"Not allowed";resp:icmp_host;)

snort activation
-------------------
snort -A full -c flexRESP.rules

Observation
-------------
a. snort initialization reads --> 1 snort rules read .... 1 option chain linked into 1 chain header 0 dynamic rules
b. the PING from 10.0.0.3 works and gets back a result from 10.0.0.2; snort only WRITES to the ALERT file

I tried using the REACT with "TCP && BLOCK , MSG" options and telnet from 10.0.0.3; the connect was refused ... however I didn't get any VISIBLE BLOCK MESSAGE from the other side.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
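The race Joe describes is easiest to see with the packets in hand. The following is an added example, not Snort's flexresp code and not anything posted in this thread: it builds the ICMP type 3 / code 1 ("host unreachable") that `resp:icmp_host` spoofs from the pinged host back to the pinger, quoting the offending IP header plus 8 bytes as RFC 792 requires, and then classifies a constructed capture timeline to show why a LAN echo reply beats it. The hosts 10.0.0.3 and 10.0.0.2 are taken from the thread; the timestamps, the ICMP id/seq, and the `race_outcome` classification are assumptions made up for illustration.

```python
"""Added example (not from the Snort list thread or Snort itself): craft the
ICMP 'host unreachable' that resp:icmp_host spoofs and decide, from capture
timestamps, whether it could have beaten the real echo reply.
Standard library only; all packets and timestamps are constructed below."""
import socket
import struct

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
ICMP_CODE_HOST_UNREACH = 1            # the code resp:icmp_host emits


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 when a checksummed
    header is fed back in, which is how parse() verifies packets)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp(icmp_type: int, code: int, rest: bytes, body: bytes) -> bytes:
    """ICMP header (type, code, checksum, 4 'rest of header' bytes) + body."""
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + rest + body)
    return struct.pack("!BBH", icmp_type, code, csum) + rest + body


def echo(icmp_type: int, src: str, dst: str, ident: int, seq: int, data=b"abcdefgh") -> bytes:
    return build_ipv4(src, dst, 1, build_icmp(icmp_type, 0, struct.pack("!HH", ident, seq), data))


def spoofed_host_unreachable(offending: bytes) -> bytes:
    """What resp:icmp_host sends: type 3/code 1, addressed to the offending
    packet's source and *spoofed* from its destination, quoting the original
    IP header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    orig_src, orig_dst = socket.inet_ntoa(offending[12:16]), socket.inet_ntoa(offending[16:20])
    icmp = build_icmp(ICMP_DEST_UNREACH, ICMP_CODE_HOST_UNREACH, b"\x00" * 4, offending[:ihl + 8])
    return build_ipv4(orig_dst, orig_src, 1, icmp)


def parse(packet: bytes) -> dict:
    """Decode enough IPv4/ICMP to classify a packet; both checksums must verify."""
    ihl = (packet[0] & 0x0F) * 4
    assert inet_checksum(packet[:ihl]) == 0, "bad IP header checksum"
    icmp = packet[ihl:]
    assert inet_checksum(icmp) == 0, "bad ICMP checksum"
    info = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "type": icmp[0], "code": icmp[1]}
    if icmp[0] == ICMP_DEST_UNREACH:              # quoted datagram follows the 8-byte ICMP header
        q = icmp[8:]
        info["quoted_src"] = socket.inet_ntoa(q[12:16])
        info["quoted_dst"] = socket.inet_ntoa(q[16:20])
        info["quoted_payload_bytes"] = len(q) - (q[0] & 0x0F) * 4
    return info


def race_outcome(capture) -> str:
    """capture: [(seconds, packet_bytes), ...] in wire order, as tcpdump would show.
    'reply_first' is the LAN case from the thread: the real echo reply is already
    back before the spoofed unreachable leaves the sensor."""
    t_reply = t_spoof = None
    for ts, pkt in capture:
        info = parse(pkt)
        if info["type"] == ICMP_ECHO_REPLY and t_reply is None:
            t_reply = ts
        elif info["type"] == ICMP_DEST_UNREACH and info["code"] == ICMP_CODE_HOST_UNREACH and t_spoof is None:
            t_spoof = ts
    if t_spoof is None:
        return "no_spoof"                          # flexresp never put a packet on the wire
    return "spoof_first" if t_reply is None or t_spoof < t_reply else "reply_first"


# Constructed timelines (assumed numbers): a LAN reply in ~0.2 ms versus a
# sensor that needs ~2 ms to detect, build (libnet) and inject the spoof;
# the same sensor against a ~45 ms Internet round trip.
REQ = echo(ICMP_ECHO_REQUEST, "10.0.0.3", "10.0.0.2", 0x1234, 1)
REP = echo(ICMP_ECHO_REPLY, "10.0.0.2", "10.0.0.3", 0x1234, 1)
LAN_CAPTURE = [(0.000000, REQ), (0.000180, REP), (0.002400, spoofed_host_unreachable(REQ))]
WAN_CAPTURE = [(0.000000, REQ), (0.002400, spoofed_host_unreachable(REQ)), (0.045000, REP)]

if __name__ == "__main__":
    print("LAN:", race_outcome(LAN_CAPTURE), " WAN:", race_outcome(WAN_CAPTURE))
    print(parse(spoofed_host_unreachable(REQ)))
```

On a real sensor the equivalent check is a capture on the monitored interface filtered to `icmp[icmptype] == icmp-unreach` while the ping runs; if that filter never fires, flexresp is not sending at all, and if it fires after the echo reply has already passed, you are seeing the timing problem above rather than a configuration one.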
Current thread:
- Flex Response woes Cody Hatch (Jan 15)
- Flex but no response .... skill2die4 (Jan 15)
- Re: Flex but no response .... Joe McAlerney (Jan 15)
- Flex but no response .... skill2die4 (Jan 15)