[Snort-users] Resp: and react: don't work on w2k and XP ?
mkettler at ...4108...
Mon Aug 19 18:25:04 EDT 2002
At 02:09 AM 8/20/2002 +0200, Troll wrote:
>Thank you Matt Kettler
>that is working now, snort knows about resp:
>but now the next problem has occurred
>An error will be sent to me and snort is dying every time
>AppName: snort.exe AppVer: 0.0.0.0 ModName: packet.dll
>ModVer: 220.127.116.11 Offset: 00001d7d
>and I don't know if it's right but my Task-Manager shows me several new
>programs (don't know really 'cause winpcap or snort)
>phfqk.exe , snixmb.exe, phcop.exe ... some more
>but back to my dying snort 'cause failure in packet.dll
>don't know if it's really a failure in snort or in winpcap or in my rules

First, I really recommend trying to get a simple snort config working first,
using the default ruleset, and very limited command line parameters..
*then* once you get snort working, start doing a custom config.. It takes a
lot of the questions out like "is it my ruleset or something else?"

>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"file-finder outa
>there1a"; flags: A+; content:"file-"; nocase; classtype:string-detect;
>sid:2000000; rev:1; resp: rst_all; )

Troubles aside, that's a dangerously broad rule.. are you really sure you
want to attempt to terminate *any* tcp connection on any port containing
the string "file-"? (note, this would include the pop3 or smtp session
transferring this email and a LOT of other web and ftp traffic will match

>is one of my rules .. they should block packets that contain 'file-'

Erm, flexresp won't exactly block the packets.. it will attempt to close
the TCP connection containing it via reset-spoofing. Also be aware that a
skilled attacker can bypass flexresp most of the time without a whole lot
of effort. Don't treat flexresp as a firewall or refer to it as blocking
anything... I know it's a pedantic difference, but once you start saying
block, people start thinking of it as if it provided the security of a

>I started snort with the snort panel which set the following to start snort
>E:\Snort\snort.exe -l "E:\Snort\log" -c "E:\Snort\edonkey.rules" -P
>500 -a -e -o -d -A full

Why do you have -P 500 specified? It's quite unusual to use this parameter
at all, much less with such a short length, the default one is probably a
much better idea, where snort will try to capture the entire packet
(equivalent to -P 1460)

Also, do you really need -a and -e?

>can someone tell me if it's really a failure in packet.dll or if it's me or
>is it XP ?
>my choice of installing snort for win32 is now only flexresp
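Two of the points raised in this thread, that a `resp:` rule on `any -> any` with a five-byte content string will reset far more sessions than intended, and that `-P 500` truncates what the detection engine gets to see, can be checked mechanically. The following rule linter is an added example written for this archive page; it is not Snort code and not something either poster ran. It assumes the classic one-line rule grammar (`action proto src sport -> dst dport (option; option; ...)`), treats patterns shorter than an assumed `MIN_CONTENT_LEN` of 8 bytes as weak evidence, assumes 54 bytes of Ethernet/IPv4/TCP headers, and takes 1460 as the full snaplen because that is the figure given above. The broad rule is the one quoted in the mail; the tighter variant is constructed for comparison.

```python
"""Lint Snort 1.x-style rules for overly broad use of active response (resp:/react:).

Added example, not Snort code. Assumes the classic rule grammar:
    action proto src_ip src_port -> dst_ip dst_port (option; option; ...)
"""
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.DOTALL,
)
ACTIVE_RESPONSE = ("resp", "react")  # flexresp keywords
MIN_CONTENT_LEN = 8                  # assumption: shorter patterns are treated as weak evidence
FULL_SNAPLEN = 1460                  # the snaplen the mail says the default is equivalent to
HEADER_BYTES = 14 + 20 + 20          # Ethernet + minimal IPv4 + minimal TCP headers (assumed)


def parse_rule(text):
    """Split a rule into (header dict, [(keyword, value)]); value is None for bare flags."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    # Snort requires a literal ';' inside a content string to be written '\;',
    # so an unescaped ';' always ends an option.
    for raw in re.split(r"(?<!\\);", m.group("opts")):
        raw = raw.strip()
        if not raw:
            continue
        key, sep, val = raw.partition(":")
        options.append((key.strip(), val.strip().strip('"') if sep else None))
    return header, options


def lint_rule(text, snaplen=None):
    """Return 'CODE: message' findings for one rule; an empty list means nothing was flagged."""
    header, options = parse_rule(text)
    findings = []
    if not any(k in ACTIVE_RESPONSE for k, _ in options):
        return findings  # only rules that fire an active response are examined

    findings.append("ACTIVE-RESPONSE: resp/react tears the session down with a spoofed RST; "
                    "the matching packet itself is still delivered, nothing is blocked")
    if header["sport"] == "any" and header["dport"] == "any":
        findings.append("BROAD-PORTS: fires on every %s port, mail, web and ftp sessions included"
                        % header["proto"])
    contents = [v for k, v in options if k == "content" and v]
    if not contents:
        findings.append("NO-CONTENT: response is triggered without any payload match")
    for c in contents:
        if len(c) < MIN_CONTENT_LEN:
            findings.append('SHORT-CONTENT: "%s" is only %d bytes and will hit unrelated traffic'
                            % (c, len(c)))
    if snaplen is not None and snaplen < FULL_SNAPLEN:
        findings.append("SNAPLEN: -P %d keeps only the first %d payload bytes of a full-size "
                        "segment; a pattern deeper in the packet can never match"
                        % (snaplen, snaplen - HEADER_BYTES))
    return findings


def finding_codes(findings):
    """Just the CODE part of each finding, handy for summaries and tests."""
    return [f.split(":", 1)[0] for f in findings]


# Constructed sample input: the rule from the mail, and a tighter variant with the
# same purpose (destination port restricted to eDonkey's default 4662/tcp, longer pattern).
BROAD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"file-finder outa there1a"; '
              'flags: A+; content:"file-"; nocase; classtype:string-detect; sid:2000000; rev:1; '
              'resp: rst_all; )')
TIGHTER_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 4662 (msg:"edonkey file search"; '
                'flags: A+; content:"file-finder"; nocase; classtype:string-detect; sid:2000001; '
                'rev:1; resp: rst_all; )')

if __name__ == "__main__":
    for name, rule in (("broad", BROAD_RULE), ("tighter", TIGHTER_RULE)):
        print(name)
        for f in lint_rule(rule, snaplen=500):
            print("  " + f)
```

Run against the rule from the mail with `-P 500`, the linter reports all four findings; the port-restricted variant keeps only the ACTIVE-RESPONSE reminder and the snaplen warning, and drops the latter once the default snaplen is used. Rules without `resp:`/`react:` are left alone, since a plain alert on a short pattern costs noise, not torn-down sessions.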