[Snort-users] Problem with resp

Joe McAlerney joey at ...47...
Tue May 22 14:21:06 EDT 2001


In most people's experience, the spoofed packets generated by Snort to
close the connection do not get sent out in time.  The true packets
get transmitted, then the spoofed packets stumble in with out-of-order
sequence numbers.  So, the connection is not reset.  I have heard that
libpcap is the bottleneck, and there is not really an easy way to solve
this.

Perhaps someone else can elaborate more.

-Joe M.

-- 
|   Joe McAlerney     joey at ...155...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+

"Andrew J. Bostaph" wrote:
> 
> I have attempted to utilize FlexResp, but when I do nothing happens.  At
> all.  I have modified the rules I want resp on, but when I run snort, no
> scans are detected, and no resp is generated.  When I go back to the
> original scan.rules, it logs scans fine.  Here is a sample of the rules:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (resp: rst_all; msg:"SCAN Proxy attempt"; flags:S;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (resp: rst_all; msg:"SCAN Proxy attempt"; flags:S;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (resp: rst_all; msg:"INFO - Possible Squid Scan"; flags:S;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (resp: rst_all; msg:"SCAN - portmap listing 32771"; flags: A+; rpc: 100000,*,*; reference:arachnids,429;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - wayboard request - allows reading of arbitrary files as http service"; content:"way-board"; nocase;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - palscgi request - allows reading of arbitrary files as http service"; content:"pals-cgi"; nocase;)
> 
> Is my syntax incorrect?
> 
> Info:
> 
> Compaq P-166
> 128 MB RAM
> 100 MB Linksys NIC
> RH 7.1
> Snort 1.7
> 
> Thanks,
> 
> Boa

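The race Joe describes above, as an added worked example that is not part of the original thread and not Snort's FlexResp code: a passive sniffer forges a RST from the sequence numbers it saw in the triggering segment (say the HTTP request matched by the content rules quoted above), while the genuine segment is still travelling to the receiver. The receiver honours a RST only if its sequence number falls inside the current receive window (the RFC 793 acceptability test RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND), so whether the forged RST arrives before or after the real data, and which sequence number it carries, decides the outcome. Only the receiving endpoint is modelled; sequence numbers, window and payload length are constructed values.

```python
"""Simulation of the TCP RST race between a forged RST and the genuine segment.

Constructed example for illustration; not Snort code.  Models one receiving
TCP endpoint and the RFC 793 in-window test for a segment carrying no data.
"""
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2**32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability check for a zero-length segment (a bare RST)."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    # Modular distance handles wraparound: a SEQ "behind" RCV.NXT wraps to a
    # huge positive distance and is rejected as out of window.
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


@dataclass
class Receiver:
    """Minimal endpoint state: next expected byte and advertised window."""
    rcv_nxt: int
    rcv_wnd: int = 65535
    reset: bool = False

    def receive_data(self, seq: int, length: int) -> None:
        """In-order data advances RCV.NXT; out-of-order data is simply ignored here."""
        if seq == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + length) % SEQ_MOD

    def receive_rst(self, seq: int) -> bool:
        """A RST tears the connection down only if it lands inside the window."""
        if seq_in_window(seq, self.rcv_nxt, self.rcv_wnd):
            self.reset = True
        return self.reset


def run_race(forged_rst_first: bool, rst_seq_offset: int,
             seg_seq: int = 1_000_000, seg_len: int = 180) -> bool:
    """Deliver the genuine request segment and the forged RST in the given
    order and report whether the receiver ended up reset.

    rst_seq_offset is how far past the sniffed segment's SEQ the forged RST is
    aimed: 0 reuses the sniffed SEQ verbatim, seg_len aims at SEQ + payload.
    The values are made up; 180 bytes stands in for a short HTTP request.
    """
    rx = Receiver(rcv_nxt=seg_seq)
    rst_seq = (seg_seq + rst_seq_offset) % SEQ_MOD
    if forged_rst_first:
        rx.receive_rst(rst_seq)
        rx.receive_data(seg_seq, seg_len)
    else:
        rx.receive_data(seg_seq, seg_len)
        rx.receive_rst(rst_seq)
    return rx.reset


def outcomes() -> dict:
    """The three cases worth comparing."""
    return {
        "rst wins race, sniffed seq reused": run_race(True, 0),
        "rst loses race, sniffed seq reused": run_race(False, 0),
        "rst loses race, aimed at seq+len": run_race(False, 180),
    }


if __name__ == "__main__":
    for name, was_reset in outcomes().items():
        print(f"{name:36s} -> connection reset: {was_reset}")
```

The middle case is the failure Joe describes: once the real segment has advanced RCV.NXT past the sniffed sequence number, a RST that merely copies that number is behind the window and is dropped. Two caveats for anyone reproducing this against real hosts: stacks implementing RFC 5961 answer an in-window RST whose SEQ is not exactly RCV.NXT with a challenge ACK rather than resetting, which narrows the target further, and FlexResp is only present at all when Snort 1.x was configured with --enable-flexresp and built against libnet, which the thread does not say was done.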