[Snort-users] Snort & Reset Connection - How to?

Joe McAlerney joey at ...47...
Wed Jun 20 14:01:24 EDT 2001


Hello John,

First, you must configure snort with flexible response enabled.

# ./configure --enable-flexresp

Next, add flexible response capability to the rules you wish to issue
resets to.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-MISC http directory traversal"; flags: A+; content: "../"; \
    reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:1; \
    resp:rst_all;)
    ^^^^^^^^^^^^^
The above example will send reset packets to both the source and
destination address.  Alternatively, you can send resets to either the
source or the destination.  See the file README.FLEXRESP for more
information.

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

Lucie Hall wrote:
> 
> Can someone provide guidance on how to issue a reset to some detections such
> as the directory traversal?
> 
> Thank you,
> 
> John Hall
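An added example, not part of the original post or of Snort itself: a checker that reports which rules in a rules file carry a resp option, validates each modifier against the ones Snort's flexresp documentation lists, and flags TCP resets requested on non-TCP rules. The function name audit_resp and every sample rule other than sid 1113 are constructed for illustration, and each rule is assumed to carry a sid.

```python
import re

# Modifiers accepted by Snort's flexresp "resp" option, and what each sends.
RESP_MODIFIERS = {
    "rst_snd": "TCP RST to the sender",
    "rst_rcv": "TCP RST to the receiver",
    "rst_all": "TCP RST to both ends",
    "icmp_net": "ICMP net unreachable to the sender",
    "icmp_host": "ICMP host unreachable to the sender",
    "icmp_port": "ICMP port unreachable to the sender",
    "icmp_all": "all three ICMP unreachables to the sender",
}

# Constructed sample input: the rule from the post plus three made-up rules.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-MISC http directory traversal"; flags: A+; content: "../"; \
    reference:arachnids,297; classtype:attempted-recon; sid:1113; rev:1; \
    resp:rst_all;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed udp rule"; sid:1000001; resp:rst_snd;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed typo"; sid:1000002; resp:rst_both;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"text says resp:rst_all\; only"; sid:1000003;)
'''

def audit_resp(text):
    """Return {sid: (modifiers, problems)} for every rule that uses resp."""
    report = {}
    joined = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)  # undo backslash continuations
    for rule in joined.splitlines():
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        # Blank out quoted strings so msg/content text cannot look like an option.
        opts = re.sub(r'"(?:\\.|[^"\\])*"', '""', rule)
        resp = re.search(r"[(;]\s*resp\s*:\s*([^;]+);", opts)
        if not resp:
            continue
        proto = rule.split()[1]
        sid = int(re.search(r"[(;]\s*sid\s*:\s*(\d+)", opts).group(1))
        mods = [m.strip() for m in resp.group(1).split(",")]
        problems = [f"unknown modifier {m}" for m in mods if m not in RESP_MODIFIERS]
        if proto != "tcp" and any(m.startswith("rst_") for m in mods):
            problems.append(f"TCP reset requested on a {proto} rule")
        report[sid] = (mods, problems)
    return report

if __name__ == "__main__":
    for sid, (mods, problems) in audit_resp(SAMPLE_RULES).items():
        print(sid, mods, problems or "ok")
```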



