[Snort-users] Re: flexible response broken?

Nathan W. Labadie ab0781 at ...3381...
Sun Nov 4 09:19:01 EST 2001


Forgot to mention this in the original email:

This is on a Linux box (Mandrake 8.0) with all the necessary libraries
installed. I've tried this with both the rpm and a build compiled from source, with
the same results.

On Sun, Nov 04, 2001 at 11:36:41AM -0500, Nathan W. Labadie wrote:
> I've been playing around with snort-1.8.2 and flexible response does not 
> seem to be working. I have both versions of snort configured with the 
> following options:
> 
> ./configure --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-flexresp --with-mysql --with-openssl
> 
> I have the following rule as my test rule:
> 
> pass tcp $EXTERNAL_NET any -> $INSIDE 80 ($RESP_TCP; msg:"WEB-IIS cmd.exe access (FlexRsp)"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)
> 
> This should "silently" kill any incoming requests for cmd.exe. When 
> testing the rule with snort-1.8.1 I get the following:
> 
> [root at ...3994... src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
> --11:37:19--  http://xxx.xxx.xxx.xxx/cmd.exe
>            => `cmd.exe'
> Connecting to xxx.xxx.xxx.xxx:80... connected!
> HTTP request sent, awaiting response... 
> Read error (Connection reset by peer) in headers.
> Retrying.
> 
> The "Connection reset by peer" indicates that the connection was 
> correctly terminated. When testing with snort-1.8.2, I get the following:
> 
> [root at ...3994... src]# wget http://xxx.xxx.xxx.xxx/cmd.exe
> --11:41:15--  http://xxx.xxx.xxx.xxx/cmd.exe
>            => `cmd.exe'
> Connecting to xxx.xxx.xxx.xxx:80... connected!
> HTTP request sent, awaiting response... 404 Not Found
> 11:41:15 ERROR 404: Not Found.
> 
> Even though there's a "404: Not Found", the connection was completed 
> successfully. Any idea why it seems to be working in snort-1.8.1 and not 
> snort-1.8.2?
> 
> Thanks,
> Nate
> 
> -- 
> Nathan W. Labadie       | ab0781 at ...3381...	
> Sr. Security Specialist | 313/577.2126
> Wayne State University  | 313/577.5626 fax
> C&IT Security Office: http://security.wayne.edu
> 

-- 
Nathan W. Labadie       | ab0781 at ...3381...	
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.5626 fax
C&IT Security Office: http://security.wayne.edu

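The check Nate ran by hand with wget, as an added loopback example that is not part of the thread: a probe sends the cmd.exe request and reports whether the session was reset (what a working flexresp rule should produce) or completed with a status line (the 1.8.2 behaviour). The stand-in server and the 127.0.0.1 listener are assumptions standing in for the sensor and the web server behind it.

```python
import socket
import struct
import threading

def probe(host, port, path="/cmd.exe", timeout=2.0):
    """Issue one GET and report what became of the TCP session.
    'reset' is the outcome a working flexresp rule should produce (the
    "Connection reset by peer" seen with 1.8.1); 'completed: <status line>'
    means nothing interrupted the session (the 404 seen with 1.8.2)."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        try:
            data = s.recv(4096)
        except ConnectionResetError:
            return "reset"
        except socket.timeout:
            return "timeout"
    if not data:
        return "closed"  # orderly FIN with no status line
    status_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return f"completed: {status_line}"

def serve_once(mode):
    """Constructed stand-in for the web server behind the sensor (a loopback
    listener, not a real host). mode='reset' mimics a RST landing mid-session;
    mode='answer' returns the 404 Nate observed. Returns the bound port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.recv(1024)  # swallow the request before deciding how to end it
        if mode == "reset":
            # SO_LINGER with a zero timeout makes close() emit a RST, not a FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        else:
            conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":
    for mode in ("reset", "answer"):
        print(mode, "->", probe("127.0.0.1", serve_once(mode)))
```

Pointing probe() at a real sensor-protected host instead of serve_once() gives the same reset/completed verdict without having to read wget's error text.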