neil at ...1633...
Tue May 15 14:36:38 EDT 2001
"Ben Johansen" <benj at ...2026...> wrote asking:
>Hi all, newbie here.
>How do I implement the "resp"?
>I was trying to alter this in the webmisc lib:
>alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt"; flags:PA; resp: rst_all; content:"scripts/../../cmd.exe"; nocase;)
Here's how I used it in a simple rule:
alert tcp $BAD_GUY any -> $HOME_NET 515 (msg:"LP Spooler attack"; resp: rst_all; )
You might want to be a little careful with the response rules. Depending on how
the remote machine is configured, it's possible to start up a packet storm, stuff your
log filesystems, and otherwise DoS yourself. (The Voice Of Experience)
By the way, in order to use the "response" capability on a unix system, it must have
been compiled-in. If you didn't set the relevant switch when you ran 'configure,'
then it won't work. I'm not sure how this works on other platforms.
Neil Dickey, Ph.D.
Northern Illinois University
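The two cautions above (a bare resp rule can reset far more than you meant, and resp only works if it was compiled in) side by side, as an added example that is not part of either poster's message. The loose rule is Neil's port-515 rule as posted; the narrower one reuses the content string from Ben's quoted cmd.exe rule. The configure switch is the one the Snort 1.x build of that era used for flexible response (it needs libnet); check your own tree's ./configure --help before relying on the exact name.

```text
# Build with flexible response support (Snort 1.x, requires libnet):
#   ./configure --enable-flexresp && make
# Without this switch the resp keyword is silently unavailable.

# Loose: no flags or content restriction, so every TCP segment from
# $BAD_GUY to port 515, including ones with a spoofed source, triggers
# a RST to both endpoints. Easy to turn into a storm or a full log disk.
alert tcp $BAD_GUY any -> $HOME_NET 515 (msg:"LP Spooler attack"; resp:rst_all;)

# Narrower: only segments on an established connection (ACK set) that
# actually carry the matching payload trigger the response.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC cmd.exe attempt"; flags:A+; content:"scripts/../../cmd.exe"; nocase; resp:rst_all;)

# Response options available to resp in Snort 1.x:
#   rst_snd   RST to the sender        rst_rcv   RST to the receiver
#   rst_all   RST to both ends         icmp_net / icmp_host / icmp_port / icmp_all
#             ICMP unreachable of the given type back to the sender
```

Keeping a flags and content match on every resp rule means a response is only sent after the sensor has seen the actual attack string on a live connection, which is what keeps a scan or a spoofed flood from making the sensor reset every session it sees.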