[Snort-users] Flexresp

Martin Roesch roesch at ...421...
Tue Oct 24 18:08:25 EDT 2000


It's collecting and seeing its own reset packets.  Try it like this:

alert tcp 172.16.1.1/32 any -> 172.16.1.152/32 any (flags: PA; resp: rst_all;
msg: "NONONO";)

You need to reset on the packets that are part of the session, not just the
SYN packet.  You could also try resetting on every packet that contains an ACK
and anything else like this:

 alert tcp 172.16.1.1/32 any -> 172.16.1.152/32 any (flags: A+; resp: rst_all;
msg: "NONONO";)

    -Marty


손상혁 wrote:
> 
> Hello,
> 
> I am running snort 1.6.3-patch2 which is compiled with flexresp support.
> The problem is that rules like
> 
> "alert tcp 172.16.1.1 any -> 172.16.1.152 any (flags: S; resp: rst_all; msg: "NONONO";) "
> 
> don't seem to work. Snort leaves the alert in the alert file but does not successfully block the connection attempt.
> But when I get rid of the flags option, it really did close the connection,
> but snort produces an overwhelming number of alerts (several megabytes) containing thousands of the following:
> "
> [**] NONONO [**]
> 10/25-00:27:47.988126 172.16.1.1:23 -> 172.16.1.152:8777
> TCP TTL:64 TOS:0x0 ID:45401 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x3B22D96E  Ack: 0xC7E3F822  Win: 0x0  TcpLen: 20
> 
> [**] NONONO [**]
> 10/25-00:27:47.992908 172.16.1.1:23 -> 172.16.1.152:8777
> TCP TTL:64 TOS:0x0 ID:48567 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x3B22D96E  Ack: 0xC7E3F823  Win: 0x0  TcpLen: 20
> 
> [**] NONONO [**]
> 10/25-00:27:47.997636 172.16.1.1:23 -> 172.16.1.152:8777
> TCP TTL:64 TOS:0x0 ID:36290 IpLen:20 DgmLen:40
> ***A*R** Seq: 0x3B22D96E  Ack: 0xC7E3F820  Win: 0x0  TcpLen: 20
> "
> 
> So I added
> pass tcp 172.16.1.1 any -> 172.16.1.152 any (flags: R)
> and ran snort with the -o option. But it didn't help.
> 
> How can I work this out?
> Thanks in advance.
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
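Added example (not code from this thread or from Snort): a small Python model of the rule-matching side of what Marty describes. It assumes, as the reply states, that the sensor captures the RST/ACK packets that resp:rst_all injects, and applies Snort's documented flags semantics (no modifier is an exact match, "+" means the given bits plus any others, "*" any of them, "!" none of them); pass_first models the -o rule order. The hosts, ports, the five-packet telnet session and the 200-alert cap are constructed for illustration.

```python
"""Model of Snort-style 'flags' matching and the flexresp reset feedback
loop described in the thread above. Added example, not code from the
thread or from Snort; hosts, ports, packets and the sensor model are
constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER, CLIENT = "172.16.1.1", "172.16.1.152"   # constructed, as in the thread


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "PA", "AR"


@dataclass
class Rule:
    action: str                     # "alert" or "pass"
    src: str
    dst: str
    flags: Optional[str] = None     # Snort flags spec, e.g. "PA", "A+", "R"
    resp: Optional[str] = None      # "rst_all" or None
    msg: str = ""


def flags_match(spec: str, pkt_flags: str) -> bool:
    """Snort flags semantics: no modifier is an exact match, '+' means the
    given bits plus any others, '*' any of the given bits, '!' none of them."""
    mod = spec[-1] if spec[-1] in "+*!" else ""
    want, have = set(spec.rstrip("+*!")), set(pkt_flags)
    if mod == "+":
        return want <= have
    if mod == "*":
        return bool(want & have)
    if mod == "!":
        return not (want & have)
    return want == have


def rule_match(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    return rule.flags is None or flags_match(rule.flags, pkt.flags)


def rst_all(pkt: Packet) -> List[Packet]:
    """resp:rst_all sends a RST/ACK to both ends, each spoofed as the peer.
    The one aimed at pkt.dst carries pkt.src as its source, so it can
    match the very rule that triggered it."""
    return [Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "AR"),
            Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport, "AR")]


def run_sensor(rules: List[Rule], traffic: List[Packet],
               pass_first: bool = False, limit: int = 200) -> List[Tuple[str, str]]:
    """Evaluate packets against the rules in order (pass_first models snort -o).
    Assumption from the thread: the sensor captures the resets it injects,
    so they go back onto the queue. 'limit' caps a runaway loop."""
    order = sorted(rules, key=lambda r: r.action != "pass") if pass_first else list(rules)
    queue, alerts = list(traffic), []
    while queue and len(alerts) < limit:
        pkt = queue.pop(0)
        for rule in order:
            if not rule_match(rule, pkt):
                continue
            if rule.action == "pass":
                break                       # pass wins, nothing logged
            alerts.append((rule.msg, pkt.flags))
            if rule.resp == "rst_all":
                queue.extend(rst_all(pkt))  # resets re-enter the capture
            break
    return alerts


def telnet_session() -> List[Packet]:
    """Constructed capture: CLIENT connects to telnet on SERVER, then both
    sides push data. No SYN ever travels in the SERVER->CLIENT direction."""
    return [Packet(CLIENT, 8777, SERVER, 23, "S"),
            Packet(SERVER, 23, CLIENT, 8777, "SA"),
            Packet(CLIENT, 8777, SERVER, 23, "A"),
            Packet(SERVER, 23, CLIENT, 8777, "PA"),
            Packet(CLIENT, 8777, SERVER, 23, "PA")]


def scenarios() -> dict:
    """Alert counts for the rule sets discussed; hitting the cap means the
    sensor is alerting on, and re-resetting, its own RST/ACK packets."""
    def alert(flags=None):
        return Rule("alert", SERVER, CLIENT, flags, "rst_all", "NONONO")

    def pass_rule(flags):
        return Rule("pass", SERVER, CLIENT, flags)

    return {
        "no flags": len(run_sensor([alert()], telnet_session())),
        "no flags + pass R": len(run_sensor([alert(), pass_rule("R")], telnet_session(), pass_first=True)),
        "no flags + pass R+": len(run_sensor([alert(), pass_rule("R+")], telnet_session(), pass_first=True)),
        "flags PA": len(run_sensor([alert("PA")], telnet_session())),
        "flags A+ + pass R+": len(run_sensor([alert("A+"), pass_rule("R+")], telnet_session(), pass_first=True)),
    }


if __name__ == "__main__":
    for name, count in scenarios().items():
        print(f"{name:22s} -> {count} alert(s)")
```

The two rule sets that match their own RST/ACK packets run into the 200-alert cap, which is the "several megabytes of alerts" pattern. Note what the model says about the pass rule: an injected reset shows up as ***A*R**, and a flags spec with no modifier is an exact match, so `flags: R` never matches it, whereas `flags: R+` does. `flags: PA` stops the loop without any pass rule because a RST/ACK never carries PSH.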