[Snort-users] FLEXRESP Problems

Markus Ulrich Markus.Ulrich at ...3608...
Wed Sep 26 05:57:01 EDT 2001


I want to use snort to reset a tcp connection if an alert occur. So I 
used the libnet (1.0.2.a) to compile snort (1.8.1) with flexresp enable 
(Linux Slackware Kernel 2.4.10).

A typical rule I used is :

alert tcp any 23 -> $NET any (msg:"TEST - TCP RST"; content: "gulu"; 
nocase; resp: rst_all;)

This works fine at least the logging but the connection brokes only 2 of 
50 down. Have I made a mistake ?

Is there any other way to do this ?

I m lucky for every help !


More information about the Snort-users mailing list