[Snort-users] Flex but no response ....

skill2die4 skill2die4 at ...131...
Tue Jan 15 14:27:06 EST 2002


+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
snort and related utilities version numbers :

libnet-1.0.2a-1snort.i386.rpm
libnet.tar.gz (1.0.2a)
libpcap (0.6)
snort-1.8.3 (build 88) [configured option=flexResp]
snort-plain+flexresp.1.8.3-5-i386.rpm
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

scenario :
-----------
10.0.0.3 --- pings to ---> 10.0.0.3

rule file ::
--------------
flexRESP.rules
alert icmp 10.0.0.3 any -> any any (msg:"Not allowed"; resp:icmp_host;)

snort activation
-------------------
snort -A full -c flexRESP.rules


Observation
-------------
a. snort initialization reads -->

    1 snort rules read .... 
    1 option chain linked into 1 chain header
    0 dynamic rules

b. the PING from 10.0.0.3 works and gets back a result from 10.0.0.2;
   snort only WRITES to the ALERT file

 I tried using the REACT with "TCP && BLOCK , MSG" options and telnet
 from 10.0.0.3; the connection was refused ... however, I didn't get any
 VISIBLE BLOCK MESSAGE from the other side.

