[Snort-users] Re: [Snort-sigs] RESP not working in rules

Matt Kettler mkettler at ...4108...
Sat Apr 20 11:08:03 EDT 2002

Are you using a flexresp build of snort?
ie: if you downloaded a binary did you get a with-flexresp version, or if 
you built your own did you ./configure --enable-flexresp ?

if not, get a flexresp build if you want to use flexresp.

Since this is a general snort configuration problem, not an effort to 
develop rulesets, this really a snort-users question, not a snort-sigs, so 
I am CCing the response to that list instead of the sigs list. If you have 
further troubles, follow up there and include more info about what you did 
to install snort.

At 11:57 AM 4/20/2002 -0400, William Cameron wrote:
>   I am using snort 1.8.6 and I am having trouble using the "resp" keyword 
> to reset detected attacks. I get the following error when I try to run snort:
>[root at ...5667... snort-1.8.6]# ./snort -dev -l ./log -s -h -c 
>Log directory = ./log
>Initializing Network Interface eth0
>         --== Initializing Snort ==--
>Decoding Ethernet on interface eth0
>Initializing Preprocessors!
>Initializing Plug-ins!
>Initializating Output Plugins!
>Parsing Rules file snort.conf
>Initializing rule chains...
>No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>snort-sigs at lists.sourceforge.net
>snort-sigs at lists.sourceforge.net
>Stream4 config:
>     Stateful inspection: ACTIVE
>     Session statistics: INACTIVE
>     Session timeout: 30 seconds
>     Session memory cap: 8388608 bytes
>     State alerts: INACTIVE
>     Scan alerts: ACTIVE
>     Log Flushed Streams: INACTIVE
>No arguments to stream4_reassemble, setting defaults:
>      Reassemble client: ACTIVE
>      Reassemble server: INACTIVE
>      Reassemble ports: 21 23 25 53 80 143 110 111 513
>      Reassembly alerts: ACTIVE
>      Reassembly method: FAVOR_OLD
>Back Orifice detection brute force: DISABLED
>Using LOCAL time
>ERROR: .//web-iis.rules(7) => Unknown keyword "resp" in rule!
>Fatal Error, Quitting..
>[root at ...5667... snort-1.8.6]#
>My web-iis.rules has entries like this:
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS webdav file 
>lock attempt"; flags:A+; content:"LOCK "; offset:0; depth:5; 
>reference:bugtraq,2736; classtype:web-application-activity; sid:969; 
>rev:1; resp:rst_all;)
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI 
>.printer access"; uricontent:".printer"; nocase; flags:A+; 
>reference:cve,CAN-2001-0241; reference:arachnids,533; 
>classtype:web-application-activity; sid:971; rev:1; resp:rst_all;)
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida 
>attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; 
>reference:arachnids,552; classtype:web-application-attack; 
>reference:cve,CAN-2000-0071; sid:1243; rev:2; resp:rst_all;)
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida 
>access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; 
>classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; 
>rev:2; resp:rst_all;)
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq 
>attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; 
>reference:arachnids,553; classtype:web-application-attack; 
>reference:cve,CAN-2000-0071; sid:1244; rev:2; resp:rst_all;)
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq 
>access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; 
>classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1245; 
>rev:2; resp:rst_all;)
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS %2E-asp 
>access";flags: A+; uricontent:"%2e.asp"; nocase; reference:bugtraq,1814; 
>reference:cve,CAN-1999-0253; classtype:web-application-activity; sid:972; 
>rev:2; resp:rst_all;)
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS *.idc 
>attempt";flags: A+; content:"*.idc"; nocase; reference:bugtraq,1448; 
>reference:cve,CVE-1999-0874; classtype:web-application-attack; sid:973; 
>rev:3; resp:rst_all;)
>Does anyone have any ideas why the "resp" keyword is not recognized ?
>William Cameron
>wscamero at ...2053...
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-users mailing list