[Snort-users] FW: Flex Response on Win32 - MY BAD?

Beech, Martin Martin.Beech at ...6328...
Tue Jul 16 05:36:10 EDT 2002

What I forget to mention was that the FTP server was running on the SNORT
machine, and that the FTP client was on my SYSLOG server (two machines, on
my desk that are "safe" to play around with), to which SNORT forwards

If I use another machine to connect to the FTP server and try to get a file
named "passwd" the connection is dropped as expected.

Presumably, the sending of the syslog message negates the ICMP* messages -
i.e. both machines know they can reach other, cos they just sent/recv a
syslog message. But what about the closing down of the FTP port?


>  -----Original Message-----
> From: 	Beech, Martin  
> Sent:	16 July 2002 12:58
> To:	'snort-users at lists.sourceforge.net'
> Subject:	Flex Response on Win32
> Hi there,
> New to snort. Trying to get it to kill connections under certain
> conditions and getting no joy. I'm using:
> SNORT Version 1.8.7beta5-ODBC-FlexRESP-WIN32 (Build 128)
> LIBNETNT.DLL (binary 1.0.2c) Downloaded from securitybugware.org today
> WPCAP 2.3
> W2K SP2
> I've tried the various libnetnt.dll's around, including the one with the
> distribution of Snort I installed. These either GPF'd or "PacketSendPacket
> fail"ed on me. The one I'm using from securitybugware does not produce
> errors, but it does not kill the connections either. The rule I'm testing
> under is 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval
> attempt"; flags:A+; content:"RETR"; nocase; content:"passwd"; resp:
> rst_all,icmp_all; reference:arachnids,213;
> classtype:suspicious-filename-detect; sid:356;  rev:4;)
> Am I doing something dumb - does the LIBNETNT.DLL need installing in some
> way, rather than just copying to the snort directory?
> Thanks in advance,
> Martin

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you are not the intended addressee, you must 
not disclose, copy or take any action in reliance of this transmission.

Although this message and its contents have been scanned for viruses and no 
viruses were detected, no responsibility whatsoever is accepted by the 
Company, or any of its offices or companies for any loss or damage 
arising in any way from receipt or use thereof.

If you have received this email in error please delete this message and
notify the Polk System Administrator at postmaster at ...6326...

This message has been checked for all known viruses by UUNET delivered 
through the MessageLabs Virus Control Centre. For further information visit

More information about the Snort-users mailing list