[Snort-users] FlexResp

Motoki Yokoyama yokoyama at ...7654...
Mon Dec 2 23:29:03 EST 2002


Hi All,

I'm trying the "FlexResp" function in snort-1.9.0 on RedHat7.3.
But my snort replies with both SYN/ACK and RST/ACK to a "TCP connection 
scan" and a "TCP Half Scan". On the other hand, snort replies with 
RST/ACK to a "FIN scan", "Xmas Scan", and "NULL scan". Doesn't 
snort respond to a "TCP connection scan" and a "TCP Half Scan" 
the same way as to a "FIN scan", "Xmas Scan", and "NULL scan"?
I expect it to reply with RST/ACK to all these scans.

Please give me any advice on my problem.

The signature for this test is the following:

 alert tcp 10.6.21.10 any -> 10.6.21.1 22 (msg:"Resp"; resp:rst_snd; sid:1000009;)

where 10.6.21.10 is a remote host.

Other information about my snort environment is the following:
 ・libpcap-0.6.2-2cl.i386.rpm
 ・libpcap-devel-0.6.2-2cl.i386.rpm
 ・libnet-1.0.2a-2.i386.rpm

Thanks



