[Snort-users] Problem with resp

Andrew J. Bostaph abostaph at ...770...
Fri May 18 17:04:15 EDT 2001


I have attempted to utilize FlexResp, but when I do nothing happens.  At
all.  I have modified the rules I want resp on, but when I run snort, no
scans are detected, and no resp is generated.  When I go back to the
original scan.rules, it logs scans fine.  Here is a sample of the rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (resp: rst_all; msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (resp: rst_all; msg:"SCAN Proxy attempt";flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (resp: rst_all; msg:"INFO - Possible Squid Scan"; flags:S;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (resp: rst_all; msg: "SCAN - portmap listing 32771"; flags: A+; rpc: 100000,*,*; reference:arachnids,429;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - wayboard request - allows reading of arbitrary files as http service"; content:"way-board"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - palscgi request - allows reading of arbitrary files as http service"; content:"pals-cgi"; nocase;)

Is my syntax incorrect?

Info:

Compaq P-166
128 MB RAM
100 MB Linksys NIC
RH 7.1
Snort 1.7

Thanks,

Boa




