[Snort-users] resp?

Neil Dickey neil at ...1633...
Tue May 15 14:36:38 EDT 2001


"Ben Johansen" <benj at ...2026...> wrote asking:

>Hi all Newbie Here.

Welcome aboard.

>How do I implement the "resp"
>
>I was trying to alter this in the webmisc lib:
>alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe
>Attempt";flags:PA; resp: rst_all; content:"scripts/../../cmd.exe"; nocase;)

Here's how I used it in a simple rule:

  alert tcp $BAD_GUY any -> $HOME_NET 515 (msg:"LP Spooler attack"; resp: rst_all; )

You might want to be a little careful with the response rules.  Depending on how
the remote machine is configured, it's possible to start up a packet storm, stuff your
log filesystems, and otherwise DOS yourself.  ( The Voice Of Experience )

By the way, in order to use the "response" capability on a unix system, it must have
been compiled-in.  If you didn't set the relevant switch when you ran 'configure,'
then it won't work.  I'm not sure how this works on other platforms.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
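Added example, not code from the thread or from the Snort project: a small Python script that audits a Snort rule file for rules carrying the resp option, so the active-response rules Neil warns about can be reviewed before they go live. The sample rules are constructed from the two in the thread plus one without resp; the parser assumes the usual "option:value;" layout inside the parentheses.

```python
import re

# Constructed sample rule set: the two rules from the thread plus a rule
# whose msg contains a ';' inside quotes, to exercise the option splitter.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt"; flags:PA; resp:rst_all; content:"scripts/../../cmd.exe"; nocase;)
alert tcp $BAD_GUY any -> $HOME_NET 515 (msg:"LP Spooler attack"; resp: rst_all; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP probe; no response"; content:"USER anonymous";)
'''

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def split_options(body):
    """Split 'k:v; k2:v2;' into (key, value) pairs; ';' inside quotes is kept."""
    opts, cur, in_quote = [], [], False
    for ch in body + ';':          # trailing ';' flushes the last option
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            token = ''.join(cur).strip()
            if token:
                key, _, val = token.partition(':')
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    return opts

def parse_rule(line):
    """Return a dict for one rule line, or None if it is not a rule."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    action, proto, src, sport, _dir, dst, dport, body = m.groups()
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'options': split_options(body)}

def find_active_responses(rule_text):
    """Return [(msg, resp_value)] for every rule that carries a resp: option."""
    found = []
    for line in rule_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        opts = dict(rule['options'])
        if 'resp' in opts:
            found.append((opts.get('msg', '').strip('"'), opts['resp']))
    return found

if __name__ == '__main__':
    for msg, resp in find_active_responses(SAMPLE_RULES):
        print(f'{msg!r} sends active response: {resp}')
```

Run it against a real rules file by passing the file's contents to find_active_responses; any rule it lists will only act if Snort was built with response support, as the post notes.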
