[Snort-users] flexresp

Ramin Alidousti ramin at ...2444...
Mon Sep 10 11:58:02 EDT 2001


Hi IDS gurus,

I'm still having problems with flexresp. It simply seems not
to be working.

I've one simple rule:

alert tcp $EXTERNAL_NET any -> $TEST_HOST 22 (msg:"KILL SESSION";flags: S; resp:rst_all;)


I run snort in foreground. And when I try to ssh to TEST_HOST
I get the following and my ssh session is not being reset:

*) Critical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ipCritical: SendTCPRST: libnet_write_ip

I also tried other response packets, e.g., icmp_port; this one generates:

*) Critical: SendICMP_UNREACH: libnet_write_ip

Does this "Critical" mean something? Is there something wrong
I do/forgot? I just downloaded:

- cvs snort
- Libnet-1.0.2a

to no avail.

Thanks for the help.

Ramin




