[Snort-users] Linux - FlexResp

Fyodor fygrave at ...121...
Fri Sep 29 16:11:21 EDT 2000


~ :I have Snort compiled and running on a Linux 6.2 box.  When I create a rule 
~ :to use any FlexResp option, it logs the traffic as it should, but then lets 
~ :the traffic pass.  I configured the appropriate options during the compile.  
~ :See the 2 examples:
~ :
~ :log ICMP !10.83.208.41/32 any -> 10.83.208.41/32 any (msg:"ICMP request to 
~ :Redhat Box"; resp: rst_all;)
~ :
~ :log TCP any any -> 10.83.208.41/32 21 (msg:"FTP attempt from intrnal"; resp: 
~ :rst_all;)
~ :

Which version are you using? I recently committed a huge update to this
module, although there's still a problem which I am figuring out how to
get fixed. A few packets are still able to pass before the connection is
rst'ted if you're in the same ethernet segment with either side. But the
connection gets dropped in a few rounds anyway.... Can you show tcpdump
output of the network session while attempting to establish such a connection?
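
To read a capture like the one requested above, this added example (not part of the original message and not Snort code) counts, per TCP flow, how many packets and payload bytes appear before the first RST, and flags flows that were never reset. The capture lines are constructed in modern `tcpdump -nn` text format, and the function name `race_window` and all addresses other than 10.83.208.41 are assumptions.

```python
import re
from collections import defaultdict

# Constructed capture in modern `tcpdump -nn` text format (not from the thread).
# Flow 1 is reset after data has passed; flow 2 is never reset.
SAMPLE = """\
16:11:21.000100 IP 10.83.208.50.1025 > 10.83.208.41.21: Flags [S], seq 100, win 512, length 0
16:11:21.000300 IP 10.83.208.41.21 > 10.83.208.50.1025: Flags [S.], seq 900, ack 101, win 512, length 0
16:11:21.000500 IP 10.83.208.50.1025 > 10.83.208.41.21: Flags [.], ack 901, win 512, length 0
16:11:21.000900 IP 10.83.208.41.21 > 10.83.208.50.1025: Flags [P.], seq 901:921, ack 101, win 512, length 20
16:11:21.001200 IP 10.83.208.41.21 > 10.83.208.50.1025: Flags [R.], seq 921, ack 101, win 0, length 0
16:11:21.001300 IP 10.83.208.50.1025 > 10.83.208.41.21: Flags [R.], seq 101, ack 921, win 0, length 0
16:11:25.000100 IP 10.83.208.60.1030 > 10.83.208.41.21: Flags [S], seq 5, win 512, length 0
16:11:25.000300 IP 10.83.208.41.21 > 10.83.208.60.1030: Flags [S.], seq 7, ack 6, win 512, length 0
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): "
                  r"Flags \[([^\]]+)\].*length (\d+)")

def race_window(capture):
    """Per TCP flow: packets/payload seen before the first RST, and RST delay."""
    flows = defaultdict(lambda: {"packets": 0, "payload": 0,
                                 "first_ts": None, "rst_delay": None})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # non-TCP or unparsable line
        hh, mm, ss, src, dst, flags, length = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
        flow = flows[tuple(sorted((src, dst)))]  # same key for both directions
        if flow["first_ts"] is None:
            flow["first_ts"] = ts
        if "R" in flags:
            if flow["rst_delay"] is None:
                # Delay from the first packet of the flow to the first reset
                flow["rst_delay"] = ts - flow["first_ts"]
        elif flow["rst_delay"] is None:
            # Packet that got through before any reset was seen
            flow["packets"] += 1
            flow["payload"] += int(length)
    return dict(flows)

if __name__ == "__main__":
    for key, f in race_window(SAMPLE).items():
        state = ("never reset" if f["rst_delay"] is None
                 else f"RST after {f['rst_delay'] * 1000:.2f} ms")
        print(key, f["packets"], "packets,", f["payload"], "payload bytes,", state)
```

A flow reported as never reset matches the symptom in the question (logged but passed); a flow with a small packet count before the RST matches the race described in the reply.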



