[Snort-sigs] RESP not working in rules

William Cameron wscamero at ...543...
Sat Apr 20 08:56:01 EDT 2002


Hello,

   I am using snort 1.8.6 and I am having trouble using the "resp" 
keyword to reset detected attacks. I get the following error when I try 
to run snort:

[root at ...544... snort-1.8.6]# ./snort -dev -l ./log -s -h 192.168.0.0/24 -c snort.conf
Log directory = ./log

Initializing Network Interface eth0

         --== Initializing Snort ==--
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
     Fragment timeout: 60 seconds
     Fragment memory cap: 4194304 bytes
Stream4 config:
     Stateful inspection: ACTIVE
     Session statistics: INACTIVE
     Session timeout: 30 seconds
     Session memory cap: 8388608 bytes
     State alerts: INACTIVE
     Scan alerts: ACTIVE
     Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
      Reassemble client: ACTIVE
      Reassemble server: INACTIVE
      Reassemble ports: 21 23 25 53 80 143 110 111 513
      Reassembly alerts: ACTIVE
      Reassembly method: FAVOR_OLD
Back Orifice detection brute force: DISABLED
Using LOCAL time

ERROR: .//web-iis.rules(7) => Unknown keyword "resp" in rule!
Fatal Error, Quitting..
[root at ...544... snort-1.8.6]#


My web-iis.rules has entries like this:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webdav file lock attempt"; flags:A+; content:"LOCK "; offset:0; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:1; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:web-application-activity; sid:971; rev:1; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1244; rev:2; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1245; rev:2; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp access"; flags:A+; uricontent:"%2e.asp"; nocase; reference:bugtraq,1814; reference:cve,CAN-1999-0253; classtype:web-application-activity; sid:972; rev:2; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc attempt"; flags:A+; content:"*.idc"; nocase; reference:bugtraq,1448; reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:973; rev:3; resp:rst_all;)


Does anyone have any ideas why the "resp" keyword is not recognized ?

Thanks,
William Cameron
wscamero at ...543...



