[Snort-sigs] RE: RESP error

Jeff Nathan jeff at ...95...
Fri Oct 31 10:05:07 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You must compile snort with flexible responses enabled.

On a Unix-like system you must first ensure you have libnet-1.0.2a 
installed.  Once you've verified that libnet has been installed, run 
the configure script in the way you normally would, but make sure to 
add -enable-flexresp.

If you're using Snort on a Windows system, your snort.exe binary should 
already include flexresp.  If, however, you want to compile Snort 
yourself inside visual studio/visual C++, open the Snort project inside 
the src/win32/WIN32-Prj directory.  Once the development environment 
has opened the project, select an active build containing flexresp and 
compile snort.

While the responses you have received to your question are all correct 
insofar as responding to an ICMP packet with TCP isn't going to work, 
the larger problem is that your snort binary doesn't have flexible 
response (active response) functionality built into it.

You will have to recompile snort.

For future reference, this has been answered many times on the 
snort-users mailing list.  Searching the online archives of the 
snort-users list and the snort-sigs list is the first step in searching 
for answers to your questions regarding Snort.

- -Jeff

On Thursday, October 30, 2003, at 01:15 PM, SRH-Lists wrote:

>
>>> Warning: /etc/snort/rules/icmp.rules(36) => Unknown keyword
>> 'resp' in
>>> rule!
>>>
>>> this is the output i get when i insert the resp keyword
>> into a rule.
>>> Here is the rule;
>>>
>>>
>>> #drop ICMP packets associated with CyberKit 2.2 Windows
>>> #
>>> #
>>> #
>>> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP
>> PING CyberKit 2.2
>>> Windows";
>> content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32;
>>> reference:arachnids,154; sid:483;  classtype:misc-activity;
>> rev:2; resp:
>>> rst_snd;)
>
> Well, first off, you aren't going to have much luck sending a RST to an
> ICMP packet.
>
> -steve
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive?  Does it
> help you create better code?   SHARE THE LOVE, and help us help
> YOU!  Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>

- --
Custom packets with little to no money down.
http://nemesis.sourceforge.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/oqQ2Eqr8+Gkj0/0RAtqdAKDFgPLvK0UJvJ+yb7JdKSJ6ZS6W3ACgqpbG
2Phw26+WlA4YmXst2KDCoiY=
=x7vB
-----END PGP SIGNATURE-----





More information about the Snort-sigs mailing list