[Snort-users] Re: FlexResp and react keyword

Rob Collins robtompc at ...131...
Sat Oct 6 16:55:03 EDT 2001


Did a little more digging.  First I found the 'resp'
keyword works.  E.g.,
    suspicious tcp any any -> 127.0.0.1 23 (flags: !R; resp: rst_snd;)
will shut down the connection!  Success!

But the poor 'react' keyword is still quirky.  A rule
like this:
    suspicious tcp any any -> 127.0.0.1 80 (msg: "http attempt"; react: block, msg;)
works, sort of.  First off, there's no 'flags: !R', so
it keeps triggering itself forever.  Second, I never
see the message.

I do see it in the -v isual output, but lynx just says
unable to connect to remote host.  I could try to keep
the rule from self-triggering with this 'flags: !R',
but then lynx gets the webpage (suspicious.log is
still generated, still unreadable due to a parse
error).  :(

I'm starting to wonder if this is a bug rather than
just my ignorance.

=====
--r
"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones
