[Snort-users] Resp: and react: don't work on w2k and XP ?

Matt Kettler mkettler at ...4108...
Mon Aug 19 18:25:04 EDT 2002


At 02:09 AM 8/20/2002 +0200, Troll wrote:
>Thank you Matt Kettler
>that is working now snort knows about resp:
>but know the next problem will be occured
>An error will be send to me and snort dieing every time
>AppName: snort.exe AppVer: 0.0.0.0 ModName: packet.dll
>ModVer: 3.0.0.13 Offset: 00001d7d
>
>and I don't know if its right but my Task-Manager shows me several new
>Programms (don't know realy couse winpcap or snort)
>phfqk.exe , snixmb.exe, phcop.exe ... some more
>
>but back to my dieing snort couse failure in packet.dll
>don't know its raely an failure in snort or in winpcap or in my rules

First, really recommend trying to get a simple snort config working first, 
using the default ruleset, and very limited command line parameters.. 
*then* once you get snort working, start doing a custom config.. It takes a 
lot of the questions out like "is it my ruleset or something else?"


>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"file-finder outa
>there1a"; flags: A+; content:"file-"; nocase; classtype:string-detect;
>sid:2000000; rev:1; resp: rst_all; )


Troubles aside, that's a dangerously broad rule.. are you really sure you 
want to attempt to terminate *any* tcp connection on any port containing 
the string "file-"? (note, this would include the pop3 or smtp session 
transferring this email and a LOT of other web and ftp traffic will match 
as well).


>is one of my rules .. they shoud block packets that contains 'file-'

Erm, flexresp won't exactly block the packets.. it will attempt to close 
the TCP connection containing it via reset-spoofing. Also be aware that a 
skilled attacker can bypass flexresp most of the time without a whole lot 
of effort. Don't treat flexresp as a firewall or refer to it as blocking 
anything... I know it's a pedantic difference, but once you start saying 
block, people start thinking of it as if it provided the security of a 
firewall.


>I startet snort with the snort panal witch set folloing to start snort
>E:\Snort\snort.exe -l "E:\Snort\log" -c "E:\Snort\edonkey.rules" -P
>500 -a -e -o -d -A full

Why do you have -P 500 specified? It's quite unusual to use this parameter 
at all, much less with such a short length, the default one is probably a 
much better idea, where snort will try to capture the entire packet 
(equivalent to -P 1460)

also do you really need -a and -e?

>can some one tell me if its realy an failure in packet.dll or if its me or
>is it XP ?
>my choice of installing snort for win32 is know only flexresp
>
>greetz Troll





More information about the Snort-users mailing list