[Snort-users] FlexResp not working.....

Fyodor fygrave at ...121...
Sat Apr 14 03:20:54 EDT 2001


On Sat, Apr 14, 2001 at 01:16:13AM +0200, Uwe Kersten wrote:
> Hi all,
> 
> I have compiled Snort with --enable-flexresp on my SuSE 7 box, did fine,
> I have compiled Libnet, worked fine, I have tested Libnet, it works. I wrote 
> a rule with resp:rst_all; in it, a rule out of scan-lib. It is a rule about 
> nmap Xmas scan. I did the scan from a remote machine, the alert file went 
> full, so did the portscan log file, but the connection was not cancelled. No 
> idea what is going wrong, I know FlexResp is alpha, but maybe there is 
> someone out there with some idea.
> 


What do you mean 'did the portscan' and 'the connection was not canceled'? :)
Which portscans are you doing here anyway? :)

Another issue which you may look into, if you're doing scan from a box to
another box located in the same ethernet segment (or connected ethernet
segments) flexresp often fails to drop connection because kernel responses are
almost always delivered faster than those which spoofed by snort. Why? that's
what I'd like to know too :-) (if anyone has any ideas/hints for workarounds, would
appreciated mucho :))






More information about the Snort-users mailing list