[Snort-sigs] RESP not working in rules

Pedro Paulo Ferreira Bueno bueno at ...233...
Tue Apr 23 19:48:10 EDT 2002


Hi William, I got this problem too...
I don't know if you already tried this, but...
try ./configure --enable-flexresp then make and make install...
Now I have flexresp working...

Bye,
pedro bueno

----- Original Message ----- 
From: "William Cameron" <wscamero at ...543...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Saturday, April 20, 2002 12:57 PM
Subject: [Snort-sigs] RESP not working in rules


> Hello,
> 
>    I am using snort 1.8.6 and I am having trouble using the "resp" 
> keyword to reset detected attacks. I get the following error when I try 
> to run snort:
> 
> [root at ...544... snort-1.8.6]# ./snort -dev -l ./log -s -h 192.168.0.0/24 
> -c snort.conf
> Log directory = ./log
> 
> Initializing Network Interface eth0
> 
>          --== Initializing Snort ==--
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> Parsing Rules file snort.conf
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> No arguments to frag2 directive, setting defaults to:
>      Fragment timeout: 60 seconds
>      Fragment memory cap: 4194304 bytes
> Stream4 config:
>      Stateful inspection: ACTIVE
>      Session statistics: INACTIVE
>      Session timeout: 30 seconds
>      Session memory cap: 8388608 bytes
>      State alerts: INACTIVE
>      Scan alerts: ACTIVE
>      Log Flushed Streams: INACTIVE
> No arguments to stream4_reassemble, setting defaults:
>       Reassemble client: ACTIVE
>       Reassemble server: INACTIVE
>       Reassemble ports: 21 23 25 53 80 143 110 111 513
>       Reassembly alerts: ACTIVE
>       Reassembly method: FAVOR_OLD
> Back Orifice detection brute force: DISABLED
> Using LOCAL time
> 
> ERROR: .//web-iis.rules(7) => Unknown keyword "resp" in rule!
> Fatal Error, Quitting..
> [root at ...544... snort-1.8.6]#
> 
> 
> My web-iis.rules has entries like this:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webdav 
> file lock attempt"; flags:A+; content:"LOCK "; offset:0; depth:5; 
> reference:bugtraq,2736; classtype:web-application-activity; sid:969; 
> rev:1; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI 
> .printer access"; uricontent:".printer"; nocase; flags:A+; 
> reference:cve,CAN-2001-0241; reference:arachnids,533; 
> classtype:web-application-activity; sid:971; rev:1; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI 
> .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; 
> reference:arachnids,552; classtype:web-application-attack; 
> reference:cve,CAN-2000-0071; sid:1243; rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI 
> .ida access"; uricontent:".ida"; nocase; flags:A+; 
> reference:arachnids,552; classtype:web-application-activity; 
> reference:cve,CAN-2000-0071; sid:1242; rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI 
> .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; 
> reference:arachnids,553; classtype:web-application-attack; 
> reference:cve,CAN-2000-0071; sid:1244; rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI 
> .idq access"; uricontent:".idq"; nocase; flags:A+; 
> reference:arachnids,553; classtype:web-application-activity; 
> reference:cve,CAN-2000-0071; sid:1245; rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp 
> access";flags: A+; uricontent:"%2e.asp"; nocase; 
> reference:bugtraq,1814; reference:cve,CAN-1999-0253; 
> classtype:web-application-activity; sid:972; rev:2; resp:rst_all;)
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc 
> attempt";flags: A+; content:"*.idc"; nocase; reference:bugtraq,1448; 
> reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:973; 
> rev:3; resp:rst_all;)
> 
> 
> Does anyone have any ideas why the "resp" keyword is not recognized?
> 
> Thanks,
> William Cameron
> wscamero at ...543...
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
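As an added example (not part of either message and not Snort's own code), a small Python preflight check for the situation above: it reports which rules in a file use the resp or react options, which the parser only knows about when snort was configured with --enable-flexresp, and it can strip those options so the same rules load on a build without flexresp. The sample rules are constructed from the ones in the post, joined back onto one line each as they appear in a real rules file; treating react as the other flexresp-only option is an assumption.

```python
import re

# Rule options that only exist in a snort build configured with --enable-flexresp
# (resp is on the page; react is assumed to be the other flexresp-only keyword).
FLEXRESP_OPTIONS = ("resp", "react")

# Constructed sample rules: two from William's web-iis.rules (re-joined onto one
# line each) plus one constructed rule that does not need flexresp.
SAMPLE_RULES = r'''
# WEB-IIS rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webdav file lock attempt"; flags:A+; content:"LOCK "; offset:0; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:1; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:web-application-activity; sid:971; rev:1; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags:A+; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:2;)
'''

# Matches "resp:rst_all;" or "react: block;" anywhere in the option list.
OPTION_RE = re.compile(r'\b(%s)\s*:\s*([^;]*);' % "|".join(FLEXRESP_OPTIONS))
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def find_flexresp_rules(rules_text):
    """Return (line_no, sid, option, value) for every rule that uses a flexresp option."""
    hits = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):      # skip blanks and comments
            continue
        sid_m = SID_RE.search(line)
        sid = int(sid_m.group(1)) if sid_m else None
        for m in OPTION_RE.finditer(line):
            hits.append((line_no, sid, m.group(1), m.group(2).strip()))
    return hits


def strip_flexresp(rules_text):
    """Return the rules with resp/react removed so they load on a build without flexresp."""
    out = []
    for line in rules_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            line = OPTION_RE.sub("", line)
            line = re.sub(r'\s+\)', ')', line)     # tidy "rev:1; )" back to "rev:1;)"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for line_no, sid, opt, val in find_flexresp_rules(SAMPLE_RULES):
        print("line %d sid %s uses %s:%s (needs --enable-flexresp)" % (line_no, sid, opt, val))
```

Run it against the real web-iis.rules before starting snort: if it reports any rule and the binary was not built with --enable-flexresp, either rebuild as Pedro describes or load the stripped copy.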
