[Snort-users] Re: [Snort-devel] Urgent (hopefully not dumb) question:resp:(onses) on which device?
roesch at ...402...
Mon Nov 12 07:58:07 EST 2001
Yeah, my bad. I was attmepting to speed up the flexresp response time
by precaching the TCP response packets and only filling in needed fields
at "fire time" instead of creating the packet from scratch every time it
was needed. While it was indeed faster, I forgot to finish up what I
was working on due to the increasing number of distractions I have in my
life (baby, company, snort, etc) and as a result the flexresp code in
1.8.2 was massively broken.
Anyway, it's fixed in CVS and will be fixed when I officially release
1.8.3 later today.
Chris Green wrote:
> "Chr. v. Stuckrad" <stucki at ...933...> writes:
> > Hi!
> > I'm in a hurry to create 'responses' to kill incoming ssh-connections
> > to some openssh-1.* vulnerable hosts where I have no root-access to,
> > but snort is reading on eth1 an not-writable mirror-port of an router.
> > I geht no visible responses on the 'normal' interface eth0, so I fear
> > the responses are on the wrong device (or not generated at all?) ?
> > Stucki
> > PS.: I definitely compiled 1.8.2 WITH --enable-flexresponse on my LINUX
> > end the rule logs correctly, but so far never 'responds'.
> Flexresp is broken in 1.8.2. Please grab the CVS checkout if you need
> to use it. It shouldn't be too long before a official release that
> fixes this is done.
> Chris Green <cmg at ...81...>
> This is my signature. There are many like it but this one is mine.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-devel