[Snort-users] Linux - FlexResp

Martin Roesch roesch at ...421...
Mon Oct 2 14:26:51 EDT 2000


Sending TCP resets to ICMP packets isn't going to work very well.  You are
probably looking for something more like:

resp: icmp_host;

The second rule should work properly.

    -Marty

Brian Dinello wrote:
> 
> I have Snort compiled and running on a Linux 6.2 box.  When I create a rule
> to use any FlexResp option, it logs the traffic as it should, but then lets
> the traffic pass.  I configured the appropriate options during the compile.
> See the 2 examples:
> 
> log ICMP !10.83.208.41/32 any -> 10.83.208.41/32 any (msg:"ICMP request to
> Redhat Box"; resp: rst_all;)
> 
> log TCP any any -> 10.83.208.41/32 21 (msg:"FTP attempt from intrnal"; resp:
> rst_all;)
> 
> Any ideas?  Thanks in advance,
> 
> Brian Dinello
> Internet Security Specialist
> Allegheny Power
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
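As an added illustration of the mismatch Marty points out (this is not code from the Snort project or from either poster): a small Python check that parses a Snort 1.x rule line and flags a `resp:` modifier that sends TCP resets on a rule whose header does not match TCP. The FlexResp keyword set is the Snort 1.x one; the three sample rules are the two from Brian's post plus the ICMP rule rewritten with `icmp_host`.

```python
import re

# Snort 1.x FlexResp keywords, grouped by the kind of packet each one sends.
TCP_RESETS = {"rst_snd", "rst_rcv", "rst_all"}
ICMP_UNREACH = {"icmp_net", "icmp_host", "icmp_port", "icmp_all"}

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)


def parse_rule(rule: str) -> dict:
    """Split a one-line Snort rule into header fields plus an option dict.
    Options are split on ';', so a msg containing ';' is not handled here."""
    m = RULE_RE.match(" ".join(rule.split()))  # collapse line wraps/whitespace
    if not m:
        raise ValueError(f"not a Snort rule: {rule!r}")
    fields = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in fields.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip()
    fields["opts"] = opts
    return fields


def check_resp(rule: str) -> list:
    """Return the problems found with the rule's resp: modifier ([] if none)."""
    r = parse_rule(rule)
    proto = r["proto"].lower()
    resp = r["opts"].get("resp")
    if resp is None:
        return []
    problems = []
    for mod in (x.strip() for x in resp.split(",")):
        if mod in TCP_RESETS and proto != "tcp":
            problems.append(f"{mod} sends TCP RSTs but the rule matches {proto};"
                            " use an icmp_* modifier instead")
        elif mod not in TCP_RESETS | ICMP_UNREACH:
            problems.append(f"unknown resp modifier {mod!r}")
    return problems


# The two rules from the original post, plus the ICMP one with Marty's fix.
ICMP_RULE = ('log ICMP !10.83.208.41/32 any -> 10.83.208.41/32 any '
             '(msg:"ICMP request to Redhat Box"; resp: rst_all;)')
TCP_RULE = ('log TCP any any -> 10.83.208.41/32 21 '
            '(msg:"FTP attempt from intrnal"; resp: rst_all;)')
FIXED_ICMP_RULE = ICMP_RULE.replace("rst_all", "icmp_host")
```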
