[Snort-users] Problem with resp

Dragos Ruiu dr at ...50...
Tue May 22 10:37:19 EDT 2001


I think it was noted before that on slower computers the latency of
flexresp->libnet may mean that it may not respond quickly enough 
for the receiver to receive the reset while it's still valid. A p166 will
likely fall into this category when up against a fast link and fast 
computers....  for hostile resets, like most dos tactics,  the lowest 
latency and fattest pipe always wins.... :-)

--dr

On Friday 18 May 2001 21:04, Andrew J. Bostaph wrote:
> I have attempted to utilize FlexResp, but when I do nothing happens.  At
> all.  I have modified the rules I want resp on, but when I run snort, no
> scans are detected, and no resp is generated.  When I go back to the
> original scan.rules, it logs scans fine.  Here is a sample of the rules:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (resp: rst_all; msg:"SCAN Proxy attempt";flags:S;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (resp: rst_all; msg:"SCAN Proxy attempt";flags:S;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (resp: rst_all; msg:"INFO - Possible Squid Scan"; flags:S;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (resp: rst_all; msg: "SCAN - portmap listing 32771"; flags: A+; rpc: 100000,*,*; reference:arachnids,429;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - wayboard request - allows reading of arbitrary files as http service"; content:"way-board"; nocase;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (resp: rst_all; msg:"SCAN - palscgi request - allows reading of arbitrary files as http service"; content:"pals-cgi"; nocase;)
>
> Is my syntax incorrect?
>
> Info:
>
> Compaq P-166
> 128 MB RAM
> 100 MB Linksys NIC
> RH 7.1
> Snort 1.7
>
> Thanks,
>
> Boa
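
An added illustration of the race described in the reply above (not part of the original thread and not Snort or libnet code): a toy model of whether a sensor-generated reset is still in the receiver's window when it arrives. The function names, latencies, link speeds and sequence numbers are constructed assumptions; the acceptance test is the RFC 793 window check.

```python
# Added illustration: toy model of the reset race. All numbers are constructed.
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def rst_acceptable(rst_seq, rcv_nxt, rcv_wnd):
    """RFC 793 check: a RST is honoured only if its sequence number lies in
    [rcv_nxt, rcv_nxt + rcv_wnd), compared modulo 2**32."""
    return (rst_seq - rcv_nxt) % MOD < rcv_wnd


def max_latency_s(link_bps, seg_len=1460):
    """Time one full segment occupies the wire: the sensor's latency budget
    if the reset has to beat the next back-to-back segment."""
    return seg_len * 8 / link_bps


def reset_wins(sensor_latency_s, link_bps, seg_len=1460, rcv_wnd=65535,
               trigger_seq=4294966000):
    """Return True if a reset built from the triggering segment is still
    in-window when it reaches the receiver.

    Assumptions: the sender streams back-to-back segments at line rate, the
    receiver's window stays constant, and the sensor sets the RST sequence
    number to the byte right after the segment that fired the rule.
    """
    rst_seq = (trigger_seq + seg_len) % MOD
    # Segments the receiver has consumed while the sensor was still working.
    segs_delivered = int(sensor_latency_s / max_latency_s(link_bps, seg_len))
    rcv_nxt = (rst_seq + segs_delivered * seg_len) % MOD
    return rst_acceptable(rst_seq, rcv_nxt, rcv_wnd)


if __name__ == "__main__":
    for name, bps in (("10 Mbit/s", 10e6), ("100 Mbit/s", 100e6)):
        budget_us = max_latency_s(bps) * 1e6
        print(f"{name}: budget per segment {budget_us:.1f} us")
        for latency in (50e-6, 500e-6, 5e-3):
            verdict = "accepted" if reset_wins(latency, bps) else "stale"
            print(f"  sensor latency {latency * 1e6:7.0f} us -> reset {verdict}")
```

In this model the latency budget shrinks in proportion to link speed, which is why the same sensor can reset sessions on a slow link and lose on a fast one.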



