[Snort-users] flexible response broken?

Nathan W. Labadie ab0781 at ...3381...
Sun Nov 4 08:46:02 EST 2001


I've been playing around with snort-1.8.2 and flexible response does not 
seem to be working. I have both versions of snort configured with the 
following options:

./configure --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-flexresp --with-mysql --with-openssl

I have the following rule as my test rule:

pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)

This should "silently" kill any incoming requests for cmd.exe. When 
testing the rule with snort-1.8.1 I get the following:

[root at ...3994... src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
--11:37:19--  http://xxx.xxx.xxx.xxx/cmd.exe
           => `cmd.exe'
Connecting to xxx.xxx.xxx.xxx:80... connected!
HTTP request sent, awaiting response... 
Read error (Connection reset by peer) in headers.
Retrying.

The "Connection reset by peer" indicates that the connection was 
correctly terminated. When testing with snort-1.8.2, I get the following:

[root at ...3994... src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
--11:41:15--  http://xxx.xxx.xxx.xxx/cmd.exe
           => `cmd.exe'
Connecting to xxx.xxx.xxx.xxx:80... connected!
HTTP request sent, awaiting response... 404 Not Found
11:41:15 ERROR 404: Not Found.

Even though there's a "404: Not Found", the connection was completed 
successfully. Any idea why it seems to be working in snort-1.8.1 and not 
snort-1.8.2?

Thanks,
Nate

-- 
Nathan W. Labadie       | ab0781 at ...3381...
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.5626 fax
C&IT Security Office: http://security.wayne.edu
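The two wget transcripts above differ only in how the connection ends: a TCP reset ("Connection reset by peer") versus a completed HTTP exchange (a 404). The script below is an added example, not code from the original post or from the Snort project. It reproduces both outcomes on the loopback interface, with a throwaway server that either answers with a 404 or closes the socket with SO_LINGER set to zero (which makes the kernel send RST instead of FIN, standing in for the reset a flexresp rule would inject), and a probe that classifies what the client observed. The server, the port it picks, the request path and the result strings are all assumptions of this example; only the distinction it tests comes from the post.

```python
import socket
import struct
import threading

# Constructed 404 reply, modelled on what wget reported in the second transcript.
NOT_FOUND = b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n"


def _serve_once(listener, behaviour):
    """Accept one connection, read the request, then either reset or answer."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)
        if behaviour == "reset":
            # SO_LINGER with l_onoff=1, l_linger=0 makes close() emit RST, not FIN.
            # This simulates the reset the client sees when a response system
            # tears the session down (what the first wget transcript showed).
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        else:
            conn.sendall(NOT_FOUND)
    listener.close()


def start_test_server(behaviour):
    """Start a single-shot loopback server; returns the ephemeral port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listener, behaviour),
                     daemon=True).start()
    return port


def probe(host, port, path="/cmd.exe"):
    """Send one request and report how the connection ended.

    Returns "reset" if the peer sent RST (wget's "Connection reset by peer"),
    "closed" if it sent FIN with no data, or "completed: <status line>".
    """
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        try:
            data = s.recv(4096)
        except ConnectionResetError:
            return "reset"
    if not data:
        return "closed"
    status_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return "completed: " + status_line


def run_scenario(behaviour):
    """Spin up a server with the given behaviour and classify the probe result."""
    port = start_test_server(behaviour)
    return probe("127.0.0.1", port)


if __name__ == "__main__":
    # Expected: the "reset" server looks like working flexresp; the
    # "respond" server looks like the snort-1.8.2 transcript (404 delivered).
    for behaviour in ("reset", "respond"):
        print(f"{behaviour:8s} -> {run_scenario(behaviour)}")
```

Pointing `probe()` at a real target behind the sensor instead of the loopback server turns it into the same check the post performs with wget, with the outcome reduced to one string; anything other than "reset" for a request that should match the rule means the response did not land, whatever the HTTP status says.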