[Snort-users] Re: FlexResp and react keyword
robtompc at ...131...
Sat Oct 6 16:55:03 EDT 2001
Did a little more digging. First I found the 'resp'
keyword works. E.g.,
suspicious tcp any any -> 127.0.0.1 23 (flags: !R;
will shutdown the connection! Success!
But, the poor 'react' keyword is still quirky. A rule
suspicious tcp any any -> 127.0.0.1 80 (msg: "http
attempt"; react: block, msg;)
works, sort of. First off, there's no 'flags: !R', so
it keeps triggering itself forever. Second, I never
see the message.
I do see it in the -v isual output, but lynx just says
unable to connect to remote host. I could try to keep
the rule from self-triggering with this 'flags: !R',
but then lynx gets the webpage (suspicious.log is
still generated, still unreadable due to a parse
I'm starting to wonder if this is a bug rather than
just my ignorance.
"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones
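A small lint for the self-triggering problem described in the post, as an added example that is not part of the original message or of Snort itself: it flags TCP rules that use resp or react without a flags: !R option. The function names and the second and third sample rules (including the resp: rst_all value) are constructed for illustration.

```python
import re

RULE_RE = re.compile(r'^\s*(\w+)\s+(\w+)\s+(.+?)\s*\((.*)\)\s*$', re.S)

def parse_options(body):
    """Split 'key: value; key;' into a dict, ignoring ';' inside quotes."""
    opts, buf, in_quote = {}, [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            key, _, val = ''.join(buf).partition(':')
            if key.strip():
                opts[key.strip().lower()] = val.strip()
            buf = []
        else:
            buf.append(ch)
    return opts

def excludes_rst(flags_value):
    """True if the flags option is negated ('!') and names the R (RST) bit."""
    v = flags_value.strip().upper()
    return v.startswith('!') and 'R' in v[1:]

def lint(rule_text):
    """Warn about TCP rules using resp/react with no flags: !R guard."""
    m = RULE_RE.match(rule_text)
    if not m:
        return 'unparseable rule'
    _action, proto, _header, body = m.groups()
    opts = parse_options(body)
    active = [k for k in ('resp', 'react') if k in opts]
    if proto.lower() != 'tcp' or not active:
        return None
    if excludes_rst(opts.get('flags', '')):
        return None
    return '/'.join(active) + ' without flags: !R can fire on its own resets'

SAMPLE_RULES = [
    # Rule quoted in the post (line wrap removed).
    'suspicious tcp any any -> 127.0.0.1 80 (msg: "http attempt"; react: block, msg;)',
    # Constructed for this example; resp value chosen for illustration.
    'suspicious tcp any any -> 127.0.0.1 23 (flags: !R; msg: "telnet"; resp: rst_all;)',
    'alert tcp any any -> 127.0.0.1 25 (msg: "smtp";)',
]

if __name__ == '__main__':
    for rule in SAMPLE_RULES:
        print(lint(rule) or 'ok', '|', rule)
```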