Snort mailing list archives
Re: Snort+flexresp
From: Jeff Nathan <jeff () snort org>
Date: Mon, 01 Apr 2002 13:40:25 -0800
Onie Camara wrote:
Hi Bamm, It worked when I modified resp:rst_all. I placed a space after resp: But flex-resp, from my testing, only sometimes kill my tcp session. alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from anonymous"; flags:!R ; resp: rst_all;content:"anonymous"; classtype:not-suspicious; sid:1717; rev:2;) So when i ftp to somewhere from the commandline, right after pressing Enter key on the anonymous entry on username, I get disconnected. I got impressed with that. But I tried it again, it allowed me to login. I tried both rst_all and rst_snd, same behavior. So looks like, flex-resp code is not ready for production.
To address this, I'd have to actually see some packet dumps. Otherwise this is just a shot over our collective bows. If it's a bug, please submit it by referencing BUGS. -Jeff -- http://jeff.wwti.com (pgp key available) "Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Snort+flexresp Jeff Nathan (Apr 02)
- Re: Snort+flexresp Onie Camara (Apr 02)
- Re: Snort+flexresp Jeff Nathan (Apr 02)
- Re: Snort+flexresp Anton A. Chuvakin (Apr 02)
- Re: Snort+flexresp Onie Camara (Apr 02)
- Re: Snort+flexresp Jeff Nathan (Apr 02)
- Re: Snort+flexresp Onie Camara (Apr 02)