[Snort-users] Flex but no response ....

Joe McAlerney joey at ...47...
Tue Jan 15 15:23:11 EST 2002


You might want to try sniffing the line with tcpdump or snort -v to see
if the spoofed ICMP message is actually being sent.  Most people using
flex resp on a speedy network (i.e., one that does not have the latency
inherent on the Internet) will find that while the spoofed packet is
being created, the actual one makes it back to the sender.  There's more
on this in the archives.

HTH,

-Joe M.

-- 
Joe McAlerney
Software Developer / Security Consultant
joey at ...47...
Silicon Defense: IDS Solutions -=- http://www.silicondefense.com/

skill2die4 wrote:
> 
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> snort and related utilities version numbers :
> 
> libnet-1.0.2a-1snort.i386.rpm
> libnet.tar.gz (1.0.2a)
> libpcap (0.6)
> snort -1.8.3 (built 88) [configured option=flexResp]
> snort-plain+flexresp.1.8.3-5-i386.rpm
> +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
> 
> scenario :
> -----------
> 10.0.0.3 --- pings to ---> 10.0.0.3
> 
> rule file ::
> --------------
> flexRESP.rules
> alert icmp 10.0.0.3 any -> any any (msg:"Not allowed"; resp:icmp_host;)
> 
> snort activation
> -------------------
> snort -A full -c flexRESP.rules
> 
> Observation
> -------------
> a. snort initialization reads -->
> 
>     1 snort rules read ....
>     1 option chain linked into 1 chain header
>     0 dynamic rules
> 
> b. the PING from 10.0.0.3 works and gets back a result from 10.0.0.2;
>    snort only WRITES to the ALERT file
> 
>  I tried using the REACT with "TCP && BLOCK , MSG" options and telnet
>  from 10.0.0.3; the connection was refused ... however I didn't get any
>  VISIBLE BLOCK MESSAGE from the other side.
> 
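Joe's advice is to sniff the line and see whether the spoofed ICMP unreachable is sent at all, and whether it beats the genuine echo reply back to the pinging host. The script below is an added example, not code from this thread or from Snort: it parses tcpdump-style output (the sample lines are constructed, and the line format is assumed to match tcpdump's default IP/ICMP output) and reports, per echo request, whether a host-unreachable from the target was seen and whether it won or lost the race against the real reply.

```python
import re

# Constructed tcpdump-style lines (not real traffic): seq 1 shows the genuine echo
# reply beating the spoofed host-unreachable, seq 2 the reverse, seq 3 no response.
SAMPLE_CAPTURE = """\
15:23:11.000100 IP 10.0.0.3 > 10.0.0.2: ICMP echo request, id 1234, seq 1, length 64
15:23:11.000350 IP 10.0.0.2 > 10.0.0.3: ICMP echo reply, id 1234, seq 1, length 64
15:23:11.002100 IP 10.0.0.2 > 10.0.0.3: ICMP host 10.0.0.2 unreachable, length 36
15:23:12.000100 IP 10.0.0.3 > 10.0.0.2: ICMP echo request, id 1234, seq 2, length 64
15:23:12.000200 IP 10.0.0.2 > 10.0.0.3: ICMP host 10.0.0.2 unreachable, length 36
15:23:12.000350 IP 10.0.0.2 > 10.0.0.3: ICMP echo reply, id 1234, seq 2, length 64
15:23:13.000100 IP 10.0.0.3 > 10.0.0.2: ICMP echo request, id 1234, seq 3, length 64
15:23:13.000350 IP 10.0.0.2 > 10.0.0.3: ICMP echo reply, id 1234, seq 3, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP "
    r"(?P<kind>echo request|echo reply|host [\d.]+ unreachable)(?:, id (?P<id>\d+), seq (?P<seq>\d+))?")

def parse_capture(text):
    """Parse the ICMP lines into events in capture order; other lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        events.append({
            # timestamp as seconds since midnight, enough to order packets within a run
            "t": sum(float(x) * k for x, k in zip(m["ts"].split(":"), (3600, 60, 1))),
            "src": m["src"], "dst": m["dst"],
            "kind": "unreachable" if m["kind"].startswith("host") else m["kind"],
            "key": (int(m["id"]), int(m["seq"])) if m["id"] else None,
        })
    return events

def flexresp_race(events):
    """Per echo request: was a host-unreachable from the target seen, and did it beat the reply?"""
    results = {}
    for i, req in enumerate(events):
        if req["kind"] != "echo request":
            continue
        reply_t = unreach_t = None
        for ev in events[i + 1:]:
            if ev["kind"] == "echo request" and ev["src"] == req["src"]:
                break  # next probe from the same host: stop attributing packets to this one
            if ev["kind"] == "echo reply" and ev["key"] == req["key"] and reply_t is None:
                reply_t = ev["t"]
            elif ev["kind"] == "unreachable" and ev["src"] == req["dst"] and unreach_t is None:
                unreach_t = ev["t"]
        results[req["key"]] = ("no response sent" if unreach_t is None else
                               "response won race" if reply_t is None or unreach_t < reply_t
                               else "response lost race")
    return results
```

Feed it real `tcpdump -n icmp` output instead of the constructed sample; a run where every request reads "response lost race" is the low-latency situation Joe describes, not a sign that flexresp is failing to send.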
