Snort mailing list archives

Why neither the tag option nor resp works!


From: soldier Mx <soldi3rmx () yahoo com mx>
Date: Thu, 22 Jan 2004 01:25:26 -0600 (CST)

Hi guys!

I'm trying to add the tag option to the FTP shadow retrieval
attempt rule... and it doesn't work!!
WELL, it works, it shows the alert, but it doesn't show the
printable session of 5 seconds, just the alert.
What am I doing wrong??
What I added was:

tag:session,5,seconds;

which means capturing 5 seconds of the session of the
attacker.. or the intruder..


alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; tag:session,5,seconds; classtype:suspicious-filename-detect; sid:1928; rev:3;)

Also I want to add disconnecting him,
doing

resp:rst_all;

but if the first option doesn't work, even less resp..

Well, suggestions?? What am I doing wrong???

[**] [1:1928:3] FTP shadow retrieval attempt [**]
[Priority: 0]
01/20-02:58:22.289400 207.248.44.250:13027 -> 10.17.112.20:21
TCP TTL:55 TOS:0x0 ID:63030 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CB06FB3  Ack: 0x88FA22FA  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 6115274 241071306

It just detects the alert, but doesn't capture the printable
session.

Maybe should I try
session:printable??

What to do :P

Thanks in advance!
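An added example, not from the original post or from the Snort project: a small Python linter for the option list of a Snort rule. It checks the tag option's syntax (type, count, metric, direction) and flags option keywords Snort would not recognise, which is how the misspelled classtype in the rule above shows up. The keyword list is a partial subset assumed for this example.

```python
# Partial Snort 2.x option keyword list (assumption: a subset for this check).
KNOWN = {"msg", "flow", "content", "nocase", "tag", "classtype", "sid",
         "rev", "resp", "session", "reference", "depth", "offset"}

# The rule from the post, constructed here as sample input on one line;
# the "lasstype" typo is kept deliberately so the linter can catch it.
POSTED_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow '
               'retrieval attempt"; flow:to_server,established; content:"RETR"; '
               'nocase; content:"shadow"; tag:session,5,seconds;'
               'lasstype:suspicious-filename-detect; sid:1928; rev:3;)')

def split_options(rule):
    """(keyword, value) pairs from inside the parens; ';' in quotes is literal."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    cur, in_quote, pairs = "", False, []
    for ch in body + ";":
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if cur.strip():
                key, _, val = cur.strip().partition(":")
                pairs.append((key.strip(), val.strip()))
            cur = ""
        else:
            cur += ch
    return pairs

def check_tag(value):
    """Validate tag:<session|host>,<count>,<metric>[,<src|dst>]; None if OK."""
    p = [x.strip() for x in value.split(",")]
    if len(p) < 3 or p[0] not in {"session", "host"}:
        return "tag: expected <session|host>,<count>,<metric>"
    if not p[1].isdigit() or int(p[1]) == 0:
        return "tag: count must be a positive integer"
    if p[2] not in {"packets", "seconds", "bytes"}:
        return "tag: metric must be packets, seconds or bytes"
    if p[0] == "host" and (len(p) < 4 or p[3] not in {"src", "dst"}):
        return "tag: host tagging needs a direction, src or dst"
    return None

def lint_rule(rule):
    """Return the list of problems found in one Snort rule string."""
    problems = []
    for key, val in split_options(rule):
        if key not in KNOWN:
            problems.append(f"unknown option keyword '{key}'")
        elif key == "tag" and check_tag(val):
            problems.append(check_tag(val))
    return problems
```

Running lint_rule(POSTED_RULE) reports the unknown keyword 'lasstype' while the tag option itself passes, which points at the parse error rather than at tag.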


