Snort mailing list archives
Re: Flex Resp Problems
From: Jeff Nathan <jeff () snort org>
Date: Wed, 14 Aug 2002 23:46:17 -0700
No. You need to be running snort as root to open a raw socket within your running OS.

-Jeff

--On Wednesday, August 14, 2002 22:49:56 -0400 Owen Creger <OCreger () CreativeSolutions com> wrote:
Running on RH 7.2 I have installed the RPM's:

snort-1.8.7-1snort
snort-mysql+flexresp-1.8.7-1snort

I want to change the rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

to:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; resp:rst_all; flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

When I restart Snort I get the error:

FATAL ERROR: ERROR: cannot open raw socket for libnet, exiting...

I have perl-libnet-1.0703-6 installed. What am I missing? Do I need a different version of Libnet?

Owen C. Creger CCNA, CISSP
Info. Sec. Administrator
Creative Solutions, a Thomson Company.
7322 Newman Blvd. Dexter, MI 48130
email: ocreger () creativesolutions com
ph: 734-426-5860 ex. 3787
fax: 734-426-5946
cell: 734-223-6270
--
http://www.snort.org/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
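Added example, not part of the original thread and not Snort's own code: a preflight check that parses a rules file for resp: options and tests whether the current process can open a raw socket, the condition behind the error quoted above. The function names and the third sample rule are assumptions made for this illustration.

```python
import socket

# Constructed sample: the two rule variants quoted in the thread, plus a
# made-up third rule whose msg text merely mentions "resp:" inside quotes.
SAMPLE_RULES = "\n".join([
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)',
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; resp:rst_all; flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)',
    r'alert tcp any any -> any 80 (msg:"test; resp:rst_all not set"; sid:1000001; rev:1;)',
])

def split_options(body):
    """Split a rule's option body on ';', ignoring ';' inside quotes or after '\\'."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return [o for o in opts if o]

def rules_with_resp(text):
    """Return (line_no, sid, resp_value) for every rule that carries a resp option."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        start, end = line.find("("), line.rfind(")")
        if line.startswith("#") or start < 0 or end < start:
            continue
        opts = {k.strip(): v.strip() for k, _, v in
                (o.partition(":") for o in split_options(line[start + 1:end]))}
        if "resp" in opts:
            hits.append((n, opts.get("sid"), opts["resp"]))
    return hits

def can_open_raw_socket():
    """True if this process may open a raw IP socket (root on the poster's setup)."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW).close()
    except OSError:
        return False
    return True

def preflight(text, raw_ok=None):
    """Return (ok, hits): ok is False when resp rules exist but no raw socket can be opened."""
    raw_ok = can_open_raw_socket() if raw_ok is None else raw_ok
    hits = rules_with_resp(text)
    return (not hits) or raw_ok, hits

if __name__ == "__main__":
    print(preflight(SAMPLE_RULES))
```

Running it as the account that will start the sensor shows, before a restart, which rules would trigger the raw-socket requirement.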
Current thread:
- Flex Resp Problems Owen Creger (Aug 14)
- Missing port number in alert file. SW (Aug 14)
- Re: Missing port number in alert file. Matt Kettler (Aug 15)
- Re: Flex Resp Problems Jeff Nathan (Aug 15)