Snort mailing list archives
Why the tag option and resp neither works!
From: soldier Mx <soldi3rmx () yahoo com mx>
Date: Thu, 22 Jan 2004 01:25:26 -0600 (CST)
Hi guys!

I'm trying to add the tag option to the FTP shadow retrieval attempt rule... and it doesn't work!! WELL, it works, it shows the alert, but it doesn't show the printable session of 5 seconds, just the alert. What am I doing wrong??

What I added was:

tag:session,5,seconds;

which means to capture 5 seconds of the session of the attacker, or the intruder.

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; tag: session,5,seconds; classtype:suspicious-filename-detect; sid:1928; rev:3;)

Also I want to add req:rst_all; to disconnect him, but if the first option doesn't work, even less so req..

Well, suggestions?? What am I doing wrong???

[**] [1:1928:3] FTP shadow retrieval attempt [**]
[Priority: 0]
01/20-02:58:22.289400 207.248.44.250:13027 -> 10.17.112.20:21
TCP TTL:55 TOS:0x0 ID:63030 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x2CB06FB3 Ack: 0x88FA22FA Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 6115274 241071306

It just detects the alert, but does not capture the printable session. Maybe I should try session:printable??

What to do :P

Thanks in advance!