[Snort-users] Flex Response on Win32

Beech, Martin Martin.Beech at ...6328...
Tue Jul 16 04:59:05 EDT 2002


Hi there,

New to snort. Trying to get it to kill connections under certain conditions
and getting no joy. I'm using:

SNORT Version 1.8.7beta5-ODBC-FlexRESP-WIN32 (Build 128)
LIBNETNT.DLL (binary 1.0.2c) Downloaded from securitybugware.org today
WPCAP 2.3
W2K SP2

I've tried the various libnetnt.dll's around, including the one with the
distribution of Snort I installed. These either GPF'd or "PacketSendPacket
fail"ed on me. The one I'm using from securitybugware does not produce
errors, but it does not kill the connections either. The rule I'm testing
under is 

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flags:A+; content:"RETR"; nocase; content:"passwd"; resp:rst_all,icmp_all; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:4;)

Am I doing something dumb - does the LIBNETNT.DLL need installing in some
way, rather than just copying to the snort directory?

Thanks in advance,

Martin

