Snort mailing list archives

Repost: resp:rst_all not working


From: Venkata Raghavan <dvrnews () yahoo co in>
Date: Fri, 5 Mar 2004 09:00:06 +0000 (GMT)

Hi all

I posted this some time back but did not get a reply. So I am reposting in the hope of getting help.

I recently installed snort 2.1.1 following Patrick Harper's guide on RH 9 with mysql and acid. I was able to complete
the install and snort and acid work great.
Since I also want to be able to reset connections as well, I reran ./configure with the flexresp option and this too
I've got working.
To test if this works I added the following to smtp.rules:
alert tcp any any -> $HOME_NET 25 (msg:"SMTP Rule Testing"; flow:to_server,established; content:"test"; nocase; resp:rst_all;)
After this, when I launch a telnet (port 25) session to an SMTP server from my windows client, the alert gets
generated. But there is no reset. Then I tried the telnet from a linux PC - this time it gets reset.
When I check the packets sent using ethereal, I observe that whereas from a windows PC the data "test" comes as four
packets, from a linux PC "test" comes as a single packet of data. I guess this is a problem with the WinXP version of the
Telnet client. What should I do to make snort see all of them as a single session?
Should I try streams or something? If so, can somebody guide me to a resource about that.
It surprises me that the alert should fire but the resp: action is not carried out.
Regards
Venkat



