[Snort-users] Flexresp

손상혁 shsohn at ...685...
Tue Oct 24 11:52:28 EDT 2000


Hello,

I am running Snort 1.6.3-patch2, which is compiled with flexresp support.
The problem is that rules like

alert tcp 172.16.1.1 any -> 172.16.1.152 any (flags: S; resp: rst_all; msg: "NONONO";)

don't seem to work. Snort writes the alert to the alert file but does not successfully block the connection attempt.
But when I get rid of the flags option, it really does close the connection,
but Snort produces an overwhelming number of alerts (several megabytes) containing thousands of the following:

[**] NONONO [**]
10/25-00:27:47.988126 172.16.1.1:23 -> 172.16.1.152:8777
TCP TTL:64 TOS:0x0 ID:45401 IpLen:20 DgmLen:40
***A*R** Seq: 0x3B22D96E  Ack: 0xC7E3F822  Win: 0x0  TcpLen: 20

[**] NONONO [**]
10/25-00:27:47.992908 172.16.1.1:23 -> 172.16.1.152:8777
TCP TTL:64 TOS:0x0 ID:48567 IpLen:20 DgmLen:40
***A*R** Seq: 0x3B22D96E  Ack: 0xC7E3F823  Win: 0x0  TcpLen: 20

[**] NONONO [**]
10/25-00:27:47.997636 172.16.1.1:23 -> 172.16.1.152:8777
TCP TTL:64 TOS:0x0 ID:36290 IpLen:20 DgmLen:40
***A*R** Seq: 0x3B22D96E  Ack: 0xC7E3F820  Win: 0x0  TcpLen: 20

So I added

pass tcp 172.16.1.1 any -> 172.16.1.152 any (flags: R;)

and ran Snort with the -o option. But it didn't help.

How can I work this out? 
Thanks in advance.
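Added example, not part of the original post and not code from the Snort project: a small Python script that parses the Snort 1.x text alert layout quoted above, tallies the alerts by TCP flag byte, lists the flows carrying RST, and checks a candidate `flags:` spec against the observed flag bytes using the documented default of the `flags:` option (exact match of the flag byte, with no modifier). The sample input is the three alerts quoted in the post plus one constructed SYN alert for contrast. What it makes visible is that all three quoted alerts are RST+ACK (`***A*R**`), which an exact-match `flags: R` pass rule would not match.

```python
"""Tally Snort 1.x text alerts by TCP flags and test `flags:` specs against them.

Added example, not code from the original post or from the Snort project.
It assumes the Snort 1.x alert layout shown in the post and the documented
default of the `flags:` rule option (exact match of the flag byte).
"""
import re
from collections import Counter

# Snort prints the flag byte as eight columns: reserved 1, reserved 2, URG,
# ACK, PSH, RST, SYN, FIN, with '*' for a bit that is clear.
FLAG_COLUMNS = "12UAPRSF"

# Sample input: the three alerts quoted in the post, plus one CONSTRUCTED
# SYN alert (the last block) so the tally has a non-RST entry to contrast.
SAMPLE_ALERTS = """\
[**] NONONO [**]
10/25-00:27:47.988126 172.16.1.1:23 -> 172.16.1.152:8777
TCP TTL:64 TOS:0x0 ID:45401 IpLen:20 DgmLen:40
***A*R** Seq: 0x3B22D96E  Ack: 0xC7E3F822  Win: 0x0  TcpLen: 20

[**] NONONO [**]
10/25-00:27:47.992908 172.16.1.1:23 -> 172.16.1.152:8777
TCP TTL:64 TOS:0x0 ID:48567 IpLen:20 DgmLen:40
***A*R** Seq: 0x3B22D96E  Ack: 0xC7E3F823  Win: 0x0  TcpLen: 20

[**] NONONO [**]
10/25-00:27:47.997636 172.16.1.1:23 -> 172.16.1.152:8777
TCP TTL:64 TOS:0x0 ID:36290 IpLen:20 DgmLen:40
***A*R** Seq: 0x3B22D96E  Ack: 0xC7E3F820  Win: 0x0  TcpLen: 20

[**] NONONO [**]
10/25-00:27:47.980000 172.16.1.1:1025 -> 172.16.1.152:23
TCP TTL:64 TOS:0x0 ID:10001 IpLen:20 DgmLen:60
******S* Seq: 0x00001000  Ack: 0x0  Win: 0x7D78  TcpLen: 40
"""

ALERT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\]\n"
    r"(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"TCP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:\d+ DgmLen:\d+\n"
    r"(?P<flags>[12UAPRSF*]{8}) Seq: 0x(?P<seq>[0-9A-Fa-f]+)\s+Ack: 0x(?P<ack>[0-9A-Fa-f]+)"
)


def parse_alerts(text):
    """Return one dict per TCP alert block; 'flags' becomes the set of set bits."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        a["flags"] = frozenset(a["flags"].replace("*", ""))
        alerts.append(a)
    return alerts


def flags_to_column(flagset):
    """Render a flag set in Snort's 8-column form, e.g. {'A','R'} -> '***A*R**'."""
    return "".join(c if c in flagset else "*" for c in FLAG_COLUMNS)


def tally_by_flags(alerts, msg=None):
    """Count alerts per flag combination, optionally only those with a given msg."""
    return Counter(flags_to_column(a["flags"]) for a in alerts
                   if msg is None or a["msg"] == msg)


def rule_flags_match(rule_flags, pkt_flags):
    """Default `flags:` semantics: the packet's flag byte must equal the rule's
    set exactly (no +, * or ! modifier), so 'flags: R' does not match RST+ACK."""
    return frozenset(rule_flags) == frozenset(pkt_flags)


def alerts_matched_by(alerts, rule_flags):
    """Subset of alerts whose flag byte an exact-match `flags:` spec would hit."""
    return [a for a in alerts if rule_flags_match(rule_flags, a["flags"])]


def rst_flows(alerts):
    """Distinct (src:sport, dst:dport) pairs among alerts carrying RST."""
    return sorted({(f"{a['src']}:{a['sport']}", f"{a['dst']}:{a['dport']}")
                   for a in alerts if "R" in a["flags"]})


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(tally_by_flags(alerts, "NONONO"))
    print("flows carrying RST:", rst_flows(alerts))
    print("alerts an exact 'flags: R' pass rule would match:", len(alerts_matched_by(alerts, "R")))
    print("alerts an exact 'flags: S' rule would match:", len(alerts_matched_by(alerts, "S")))
```

Run it against a real alert file by passing the file's contents to `parse_alerts` instead of `SAMPLE_ALERTS`; the flag tally shows at a glance whether a rule with no `flags:` restriction is firing on the RSTs in the stream rather than on the SYNs it was written for, and `alerts_matched_by` shows which flag spec (for example `AR` rather than `R`) a pass rule would need to cover those packets under exact matching.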
