[Snort-sigs] RE: RESP error

Brian A Kee bkee at ...5...
Thu Oct 30 10:15:07 EST 2003


On Wednesday 29 October 2003 11:14 am, JOHNSON DAVID R wrote:
> >  -----Original Message-----
> > From:       JOHNSON DAVID R
> > Sent:       Tuesday, October 28, 2003 4:07 PM
> > To: 'snort-sigs at lists.sourceforge.net'
> > Subject:    RESP error
> >
> > Warning: /etc/snort/rules/icmp.rules(36) => Unknown keyword 'resp' in
> > rule!
> >
> > This is the output I get when I insert the resp keyword into a rule.
> > Here is the rule:
> >
> >
> > #drop ICMP packets associated with CyberKit 2.2 Windows
> > #
> > #
> > #
> > alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit
> > 2.2 Windows";
> > content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32;
> > reference:arachnids,154; sid:483;  classtype:misc-activity; rev:2; resp:
> > rst_snd;)

I think you are trying to TCP reset a non-TCP-based packet.

I doubt this will work, even if it is allowed by Snort (apparently it is not).

BAK
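
The mismatch suggested in the reply (a TCP-reset response on a rule whose protocol is not TCP) can be checked across a rules file before Snort loads it. This is an added example, not part of the original post or of Snort itself; the function names are hypothetical, and the modifier names are assumed from Snort's flexresp `resp` documentation.

```python
import re

# Modifier names as documented for Snort's flexresp "resp" option (assumed here).
TCP_RESET = {"rst_snd", "rst_rcv", "rst_all"}
ICMP_UNREACH = {"icmp_net", "icmp_host", "icmp_port", "icmp_all"}
HEADER = re.compile(r"^(alert|log|pass|activate|dynamic)\s+(\w+)\s", re.I)
RESP = re.compile(r"\bresp\s*:\s*([^;]+);")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# The rule from the post (wrapped as mailed) plus one constructed TCP rule.
SAMPLE = r'''
#drop ICMP packets associated with CyberKit 2.2 Windows
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit
2.2 Windows";
content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32;
reference:arachnids,154; sid:483;  classtype:misc-activity; rev:2; resp:
rst_snd;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed example";
flags:S; sid:1000001; rev:1; resp:rst_all;)
'''

def join_rules(text):
    """Yield logical rules: skip comments, merge wrapped or continued lines."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        buf = (buf + " " + line.rstrip("\\").strip()).strip()
        if buf.endswith(")"):  # heuristic: a rule's option list closes with ')'
            yield buf
            buf = ""

def check_resp(text):
    """Return (sid, protocol, modifier, problem) for each questionable resp use."""
    findings = []
    for rule in join_rules(text):
        head, resp, sid = HEADER.match(rule), RESP.search(rule), SID.search(rule)
        if not head or not resp:
            continue
        proto = head.group(2).lower()
        sid_s = sid.group(1) if sid else "?"
        for mod in (m.strip() for m in resp.group(1).split(",")):
            if mod in TCP_RESET and proto != "tcp":
                findings.append((sid_s, proto, mod, "TCP reset on non-TCP rule"))
            elif mod not in TCP_RESET | ICMP_UNREACH:
                findings.append((sid_s, proto, mod, "unknown resp modifier"))
    return findings
if __name__ == "__main__":
    print(check_resp(SAMPLE))
```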




