Snort mailing list archives
Re: flexresp2 is back and needs testing
From: Pedro Fortuna <pedro.fortuna () gmail com>
Date: Thu, 9 Sep 2004 12:02:11 +0100
Jeff, it seems ok now :)

I tried the rule:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Tentativa de aceder a FTP com user root!"; flow:to_server,established; content:"USER"; nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi"; classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)

And tried to access FTP server from a remote computer with username root. Right after typing root and hitting enter, I got this output:

    remoteserver.foo > ftp homenetwork.ftp.server
    Connected to homenetwork.ftp.server
    Name (homenetwork.ftp.server:foo): root
    421 Service not available, remote server has closed connection
    Login failed.
    No control connection for command: Transport endpoint is not connected
    ftp> by

I think this should be the result expected. I'll do more tests later.

Best Regards,
Pedro Fortuna

On Thu, 9 Sep 2004 01:01:35 -0400, Jeff Nathan <jeff () snort org> wrote:
> Erg.. Sorry about that. Try the attached patch (version 1.0.2) instead, OK?
>
> -Jeff
>
> On Sep 8, 2004, at 8:58 PM, Pedro Fortuna wrote:
>
>> Jeff, I did, I used the sp_respond2.diff.gz you sent today directly to my (other) mail box (pfeito_at_netcabo.pt) and to other 6 or 7 guys. I'm going to repeat the process as I type this e-mail:
>>
>> Installation (you can see filesize and confirm that it is version 1.0.1):
>>
>>     -rw-r--r-- 1 root root 16414 Sep 9 02:55 sp_respond2.diff.gz
>>     # gzip -d sp_respond2.diff.gz
>>     -rw-r--r-- 1 root root 66323 Sep 9 02:55 sp_respond2.diff
>>     # patch -p0 < sp_respond2.diff
>>     patching file configure.in
>>     patching file doc/Makefile.am
>>     patching file doc/README.FLEXRESP2
>>     patching file src/parser.c
>>     patching file src/plugbase.c
>>     patching file src/snort.h
>>     patching file src/detection-plugins/Makefile.am
>>     patching file src/detection-plugins/sp_react.c
>>     patching file src/detection-plugins/sp_react.h
>>     patching file src/detection-plugins/sp_respond.c
>>     patching file src/detection-plugins/sp_respond.h
>>     patching file src/detection-plugins/sp_respond2.c
>>     patching file src/detection-plugins/sp_respond2.h
>>     # aclocal
>>     # autoheader
>>     # automake
>>     # autoconf
>>     # ./configure --with-mysql=/usr/local/mysql --enable-flexresp2
>>     # make
>>     # make install
>>     # /etc/init.d/snort start
>>     # grep "sp_respond" /var/log/messages
>>     Sep 9 03:08:29 paco snort: FATAL ERROR: sp_respond2: Unable to allocate hash table memory.
>>
>> And Snort stops running. I didn't see this problem on the previous version that you sent me 2 or 3 weeks ago. Any clues?
>>
>> Best Regards,
>> Pedro Fortuna
>
> --
> The original EZ-bake packet oven.
> http://nemesis.sourceforge.net
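An added example, not part of the original messages or of Snort's code: a simplified Python model of the content and pcre options in the rule quoted above, run over constructed FTP commands to show which payloads would raise the alert and trigger the resp: reset_dest action. The function names and sample payloads are assumptions, and flow state (flow:to_server,established) is not modelled.

```python
import re

# Options copied from the rule in the post. The matching logic is a simplified
# model of Snort's content/distance/pcre semantics (assumption, not Snort code).
PCRE = re.compile(rb"^USER\sroot", re.S | re.M | re.I)  # pcre flags /smi


def content_chain(payload: bytes) -> bool:
    """Model of: content:"USER"; nocase; content:"root"; distance:1; nocase;"""
    data = payload.lower()  # nocase on both content options
    start = data.find(b"user")
    while start != -1:
        # distance:1 -> the next search begins one byte past the previous match
        if data.find(b"root", start + len(b"user") + 1) != -1:
            return True
        start = data.find(b"user", start + 1)
    return False


def rule_fires(payload: bytes) -> bool:
    """Every option must match before the alert and the reset are issued."""
    return content_chain(payload) and PCRE.search(payload) is not None


# Constructed client-to-server FTP payloads (not captured traffic).
SAMPLES = [
    b"USER root\r\n",                # the login tested in the post
    b"user ROOT\r\n",                # nocase and /i make the match case-insensitive
    b"USER rootbeer\r\n",            # pattern has no end anchor, so this also resets
    b"USER alice\r\n",               # no "root" after USER
    b"PASS root\r\n",                # no USER keyword
    b"USER alice\r\nCWD /root\r\n",  # content options match, pcre rejects it
]


def evaluate(samples=SAMPLES):
    """Return (payload, content_match, rule_fires) for each sample."""
    return [(p, content_chain(p), rule_fires(p)) for p in samples]


if __name__ == "__main__":
    for payload, content_ok, fires in evaluate():
        print(f"{payload!r:32} content={content_ok!s:5} fires={fires}")
```

The last sample shows why the rule carries the pcre option: the two content options alone accept any payload with "root" somewhere after "USER".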