Snort mailing list archives
Re: Flexresp is not working
From: "Eduardo E. Silva" <esilva () silvex com>
Date: Fri, 13 Feb 2004 14:44:14 -0800 (PST)
http://www.snort.org/docs/snort_manual/node16.html#SECTION00374100000000000000

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:4; react: block, msg; )

Only block and warn work. I just installed it myself and will see if it works.

Dmitry said:
Config: SuSE 8.0, Snort 2.1.1-RC1 (Build 18), configured with the --enable-flexresp option, libnet 1.02a.

Standard CHAT rules:

1. alert tcp any any -> any any (msg:"CHAT ICQ access"; \
       content:"aim_http"; \
       nocase; resp: rst_all;)

2. alert tcp any 80 -> any any (msg:"CHAT ICQ forced user addition"; \
       flow:established,to_client; \
       content:"Content-Type\: application/x-icq"; \
       content:"[ICQ User]"; \
       reference:bugtraq,3226; \
       reference:cve,CAN-2001-1305; \
       classtype:misc-activity; \
       sid:1832; \
       rev:3; \
       resp: rst_all;)

I use ICQ with an anonymous HTTP proxy, 205.188.213.228:80, and get the following Snort logs:

[**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
02/13-18:32:20.286062 192.168.1.16:2264 -> 205.188.213.228:80
TCP TTL:128 TOS:0x0 ID:7606 IpLen:20 DgmLen:337 DF
***AP*** Seq: 0x4CEBDCFB  Ack: 0x37B7DFC2  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] CHAT ICQ access [**]
02/13-18:32:20.889756 205.188.213.228:80 -> 192.168.1.16:2264
TCP TTL:64 TOS:0x0 ID:5879 IpLen:20 DgmLen:376 DF
***AP*** Seq: 0x3776FFC2  Ack: 0x4CEEEB63  Win: 0x1920  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

... and so on, many, many messages. But the ICQ connection IS ALIVE and doesn't break at all. What am I doing wrong??? Where is FLEXRESP??

WBR, Dmitry Komarov.
--
Thanks,
Ed Silva
Silvex Consulting Inc.
esilva () silvex com
(714) 504-6870 Cell
(714) 897-3800 Fax

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
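The three rules quoted in this thread (Dmitry's two CHAT rules with resp: rst_all and the SSH version-map rule with react: block, msg), parsed and checked by an added example that is not code from the thread or from the Snort project. The rule parser, the check_rule function and the sample rule constants are this example's own; the resp and react modifier lists are the ones documented for Snort 2.x and are assumed to apply to 2.1.1. The check is purely syntactic: it tells you whether a rule asks for an active response and whether the modifiers are spelled correctly, not whether the Snort binary was built with --enable-flexresp or whether the RST actually reaches the endpoints.

```python
"""Parse Snort 2.x rules and report their active-response (flexresp) options.

Added example for this thread, not code from the thread or from Snort.
The sample rules are constructed copies of the rules quoted above; the
modifier vocabularies are those documented for 'resp' and 'react' in the
Snort 2.x manual (assumption: unchanged in 2.1.1).
"""
import re

# Documented Snort 2.x flexresp modifiers (assumption: valid for 2.1.1).
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
REACT_MODIFIERS = {"block", "warn", "msg", "proxy"}

# Constructed copies of the rules quoted in the thread (backslash continuations kept).
RULE_ICQ_ACCESS = r'''alert tcp any any -> any any (msg:"CHAT ICQ access"; \
    content:"aim_http"; \
    nocase; resp: rst_all;)'''

RULE_ICQ_FORCED_ADD = r'''alert tcp any 80 -> any any (msg:"CHAT ICQ forced user addition"; \
    flow:established,to_client; \
    content:"Content-Type\: application/x-icq"; \
    content:"[ICQ User]"; \
    reference:bugtraq,3226; \
    reference:cve,CAN-2001-1305; \
    classtype:misc-activity; \
    sid:1832; \
    rev:3; \
    resp: rst_all;)'''

RULE_SSH_VERSION_MAP = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
                        r'(msg:"SCAN SSH Version map attempt"; flow:to_server,established; '
                        r'content:"Version_Mapper"; nocase; classtype:network-scan; '
                        r'sid:1638; rev:4; react: block, msg; )')

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S)


def join_continuations(text):
    """Join backslash-newline continuations into one logical rule line."""
    return re.sub(r"\\\s*\n\s*", " ", text)


def split_options(opts):
    """Split the option body on ';' outside double quotes, honouring backslash escapes
    such as the '\\:' inside content:"Content-Type\\: application/x-icq"."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:                      # keep the escaped character verbatim
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:   # option terminator
            item = "".join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        items.append(tail)
    return items


def parse_rule(text):
    """Return header fields plus an ordered list of (keyword, value) option pairs."""
    m = HEADER_RE.match(join_continuations(text))
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for item in split_options(m.group("opts")):
        key, _, val = item.partition(":")   # keywords without ':' (nocase) get val ""
        options.append((key.strip(), val.strip()))
    rule["options"] = options
    return rule


def response_options(rule):
    """Return the flexresp options of a parsed rule, e.g. {'react': ['block', 'msg']}."""
    out = {}
    for key, val in rule["options"]:
        if key in ("resp", "react"):
            mods = [v.strip() for v in val.split(",") if v.strip()]
            out.setdefault(key, []).extend(mods)
    return out


def check_rule(text):
    """Return a list of problems with the rule's resp/react options (empty if none)."""
    rule = parse_rule(text)
    keys = [k for k, _ in rule["options"]]
    findings = []
    active = response_options(rule)
    for mod in active.get("resp", []):
        if mod not in RESP_MODIFIERS:
            findings.append("resp: unknown modifier %r" % mod)
    for mod in active.get("react", []):
        name = mod.split()[0]
        if name not in REACT_MODIFIERS:
            findings.append("react: unknown modifier %r" % mod)
        elif name == "proxy" and not re.fullmatch(r"proxy\s+\d+", mod):
            findings.append("react: proxy needs a port number")
        elif name == "msg" and "msg" not in keys:
            findings.append("react: msg requested but rule has no msg option")
    return findings


if __name__ == "__main__":
    for label, text in (("CHAT ICQ access", RULE_ICQ_ACCESS),
                        ("CHAT ICQ forced user addition", RULE_ICQ_FORCED_ADD),
                        ("SCAN SSH Version map attempt", RULE_SSH_VERSION_MAP)):
        print(label, response_options(parse_rule(text)), check_rule(text) or "ok")
```

Run it as a script to see, for each rule, which active-response modifiers it carries and whether any of them is misspelled; feeding it your own rules file one rule at a time is the quickest way to confirm that the resp/react keywords Snort would see are the ones you think you wrote.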
Current thread:
- Flexresp is not working Dmitry (Feb 13)
- Re: Flexresp is not working Eduardo E. Silva (Feb 13)