[Snort-users] RE: FlexResp and react keyword

Rob Collins robtompc at ...131...
Sat Oct 6 18:20:02 EDT 2001

I sent the last message off a little early.  Played
with it some more and got some more results.

First off, got snort to read its own tcpdump binary
output.  It just takes 20 seconds for it to read
through 39 packets, I was being too impatient before. 
:(  Tcpdump (from www.tcpdump.org, version 3.14-10
that comes standard with Mandrake 7.2) still gives a
parse error, maybe I need to upgrade tcpdump to read
snort's output?

Secondly, got another machine attached to a hub to the
snort machine, and tested remotely. Internet Explorer
is the web browser.  client's ip is,
snort's is
First, the rule:
suspicious tcp any any -> (flags: !R;
react: block;)
resets the connection.  But the packet I see going> and containing the
snort webpage saying "You are not authorized to access
this site!" doesn't make it to my browser (meaning I
don't see that web page).  
It get's worse, simply clicking the Refresh button
loads to web page (???).  I can wait a minute before
clicking the Refresh button and it still goes through.
 I see the packets go flying by in snort, and the web
page on my browser.  Click refresh again after a
second or so of waiting and it produces a pop-up
message saying connection was reset by peer (click too
soon and the webpage just reloads).

Snort reports it has dropped zero packets.

If I manually telnet to port 80, connection gets
dropped every time.

Third, the rules on localhost still produce the same
problems I reported earlier.

On the plus side, the rule:
suspicious any any -> 80 (msg "http
attempt"; resp: rst_all;)
works everytime.

"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones

Do You Yahoo!?
NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.

More information about the Snort-users mailing list