Snort mailing list archives
Re: win32 snort (resp + react)
From: Rich Adamson <radamson () routers com>
Date: Sun, 6 Jul 2003 13:13:49 -0600
Jon,
> I'm attempting 2 simple rules as a test (on win32 port):
>
> alert tcp $HOME any -> any 80 (msg: "Port 80"; resp: rst_snd;)
> alert tcp $HOME any -> any 81 (msg: "Port 81"; react: block;)
>
> The first one tells me that resp is a bad keyword.
The Win32 executable that Jeff sent all of us for testing had a bug in it that kept "resp:" from being recognized as a keyword. After he corrected that, I also noticed the keyword had no impact (e.g., rst_snd was not sent).
> The second actually can have block, warn, msg ... but on an outgoing connection nothing really happens. I'm expecting snort to kill the connection and not allow a request through (but the laptop still gets the content). Am I missing something?
Not missing a thing. Jeff was going to debug the code this weekend. If his weekend is/was as busy as mine, it will probably be a few days before we hear anything.

Rich