Re: Snort+flexresp

[Jeff Nathan <jeff () snort org>]

Onie Camara wrote:
> Hi Bamm,
>
> It worked when I modified resp:rst_all.  I placed a space after resp:
>
> But flex-resp, from my testing, only sometimes kill my tcp session.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from
> anonymous"; flags:!R ; resp: rst_all;content:"anonymous";
> classtype:not-suspicious; sid:1717; rev:2;)
>
> So when i ftp to somewhere from the commandline, right after pressing Enter
> key on the anonymous entry on username,
> I get disconnected. I got impressed with that. But I tried it again, it
> allowed me to login.
>
> I tried both rst_all and rst_snd, same behavior.
>
> So looks like, flex-resp code is not ready for production.

To address this, I'd have to actually see some packet dumps.  Otherwise
this is just a shot over our collective bows.  

If it's a bug, please submit it by referencing BUGS.

-Jeff


-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users