[Snort-sigs] RE: RESP error
jeff at ...95...
Fri Oct 31 10:05:07 EST 2003
-----BEGIN PGP SIGNED MESSAGE-----
You must compile Snort with flexible responses enabled.

On a Unix-like system you must first ensure you have libnet-1.0.2a
installed. Once you've verified that libnet has been installed, run
the configure script in the way you normally would, but make sure to

If you're using Snort on a Windows system, your snort.exe binary should
already include flexresp. If, however, you want to compile Snort
yourself inside Visual Studio/Visual C++, open the Snort project inside
the src/win32/WIN32-Prj directory. Once the development environment
has opened the project, select an active build containing flexresp and

While the responses you have received to your question are all correct
insofar as responding to an ICMP packet with TCP isn't going to work,
the larger problem is that your snort binary doesn't have flexible
response (active response) functionality built into it.

You will have to recompile Snort.

For future reference, this has been answered many times on the
snort-users mailing list. Searching the online archives of the
snort-users list and the snort-sigs list is the first step in searching
for answers to your questions regarding Snort.

On Thursday, October 30, 2003, at 01:15 PM, SRH-Lists wrote:
>>> Warning: /etc/snort/rules/icmp.rules(36) => Unknown keyword 'resp' in
>>> This is the output I get when I insert the resp keyword into a rule.
>>> Here is the rule:
>>> #drop ICMP packets associated with CyberKit 2.2 Windows
>>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2
>>> reference:arachnids,154; sid:483; classtype:misc-activity; rev:2; resp:
> Well, first off, you aren't going to have much luck sending a RST to an
> ICMP packet.
Custom packets with little to no money down.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
-----END PGP SIGNATURE-----
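
The point made in this thread, that a TCP reset cannot answer an ICMP packet, can be checked before a rules file is loaded. The following is an added example, not part of the original message or of Snort: a small Python linter that flags `resp` TCP-reset modifiers on non-TCP rules. The function name `lint_resp` and the sample rules are constructed for illustration.

```python
import re

# Rule header (action, protocol, addresses) followed by the option body in parentheses.
RULE_RE = re.compile(r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+[^()]*\((?P<opts>.*)\)\s*$')
RESP_RE = re.compile(r'\bresp\s*:\s*(?P<mods>[^;]+);')
SID_RE = re.compile(r'\bsid\s*:\s*(?P<sid>\d+)\s*;')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted option values such as msg text
TCP_RESETS = {"rst_snd", "rst_rcv", "rst_all"}  # resp modifiers that send TCP resets

# Constructed sample rules (assumption: not taken from the original message).
SAMPLE_RULES = '''\
# constructed sample rules for the linter
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed ICMP ping rule"; itype:8; sid:1000001; rev:1; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed telnet rule"; sid:1000002; rev:1; resp:rst_snd;)
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"constructed rule; resp:rst_all;"; sid:1000003; rev:1; resp:icmp_port;)
'''


def lint_resp(rules_text):
    """Return (line_no, sid, proto, modifier) for each TCP-reset resp on a non-TCP rule."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        rule = RULE_RE.match(line)
        if not rule:
            continue  # not a single-line rule this linter understands
        # Blank out quoted strings so "resp:" inside msg text is not mistaken for an option.
        opts = QUOTED_RE.sub('""', rule.group("opts"))
        proto = rule.group("proto").lower()
        sid_m = SID_RE.search(opts)
        sid = int(sid_m.group("sid")) if sid_m else None
        for resp in RESP_RE.finditer(opts):
            for mod in resp.group("mods").split(","):
                mod = mod.strip().lower()
                if mod in TCP_RESETS and proto != "tcp":
                    findings.append((line_no, sid, proto, mod))
    return findings


if __name__ == "__main__":
    for line_no, sid, proto, mod in lint_resp(SAMPLE_RULES):
        print(f"line {line_no}: sid {sid}: resp:{mod} sends a TCP reset, "
              f"but the rule matches {proto} traffic")
```

The linter only checks the protocol mismatch. It cannot tell whether the Snort binary was built with flexible response support, which is what produces the "Unknown keyword 'resp'" warning.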