[Snort-users] Resp/React Firing Problem/Bug

MASM mrclst at ...6126...
Tue Jun 18 13:53:02 EDT 2002


Hi,

I'm doing some tests with Snort version 1.8.6 (the stable one) with
FlexResp (which needs some testing, I know).
I wrote a rule (in local.rules) similar to one of the default rules, except
for the content string and with the resp:rst_all keyword:

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET roote login"; content:"login\: roote"; flags:A+; classtype:suspicious-login; sid:719000; rev:2; resp:rst_all;)

What happened was that after I do 'login: roote' the connection is dropped
right after the 'Login incorrect' message. But the same happens if I do
'login: xpto', or anything else that causes a match of the default rule:

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; flags:A+; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:5;)

After enabling debug, analysing it and doing some digging in the code, I
found out that the functions associated with the Resp or React keywords are
not attached to the OTN (option tree node) of the rule (like other keywords)
but to the RTN (rule tree node) of the rule. Which means (I suppose) that
all the rules with the same header will have the response triggered and
will have their connections dropped. I found in the debug output that the
previous default rule is on the same RTN (among others) as the one I
created.

What is the reason for this implementation choice, and how can I solve this
problem (bug or not)?

In the meantime I found another strange small bug with the rev keyword:
without it the rule does not respond with an RST.

These are problems only with the response feature; alerts are just fine!

        Hoping for an answer,

                MASM
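An added example, not part of MASM's post and not Snort's own code: a small Python script that parses Snort 1.x rules, groups them by rule header (the part of a rule that Snort keeps in one shared RTN) and, for every rule carrying resp: or react:, lists the other rules on the same header. Under the behaviour the post describes for 1.8.6, a match on any of those listed rules would also fire the response. The two rules from the post are used as input; the third rule (client-to-server direction, sid 1000001) is constructed for the demo and shows a header that is not affected.

```python
"""Group Snort 1.x rules by header (one RTN per distinct header) and report
which rules share a header with a rule that has a resp:/react: option.
Constructed example; this is not Snort's rule parser."""
import re
from collections import defaultdict

# Snort 1.x header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$'
)


def split_options(body):
    """Split the option body on ';' outside double quotes. A backslash
    escapes the next character, which is how ';', '"' and ':' appear
    inside a content string (e.g. content:"login\\: roote")."""
    parts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == '\\':
            cur.append(ch)
            escape = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text):
    """Return {'header': 7-tuple, 'options': [(key, value), ...]}.
    Options are kept as a list because keys like content may repeat."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    header = tuple(m.group(k) for k in
                   ("action", "proto", "src", "sport", "dir", "dst", "dport"))
    options = []
    for opt in split_options(m.group("body")):
        key, _, value = opt.partition(':')   # first ':' separates key/value
        options.append((key.strip(), value.strip()))
    return {"header": header, "options": options}


def option(rule, key):
    return [v for k, v in rule["options"] if k == key]


def sid(rule):
    vals = option(rule, "sid")
    return int(vals[0]) if vals else None


def group_by_header(rules):
    """Rules with an identical header hang off the same RTN in Snort."""
    groups = defaultdict(list)
    for r in rules:
        groups[r["header"]].append(r)
    return groups


def response_spread(rules):
    """For each rule with resp:/react:, map its sid to the sids of the
    *other* rules on the same header. If the response is attached to the
    RTN rather than the OTN, as the post describes, any of those rules
    matching will trigger the response too."""
    groups = group_by_header(rules)
    spread = {}
    for r in rules:
        if option(r, "resp") or option(r, "react"):
            others = [sid(o) for o in groups[r["header"]] if o is not r]
            spread[sid(r)] = sorted(others)
    return spread


# Constructed sample: the two rules from the post plus one hypothetical
# rule on a different header (client -> server) that shares no RTN.
SAMPLE_RULES = [
    'alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET roote login"; '
    'content:"login\\: roote"; flags:A+; classtype:suspicious-login; '
    'sid:719000; rev:2; resp:rst_all;)',
    'alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; '
    'content:"Login incorrect"; flags:A+; reference:arachnids,127; '
    'classtype:bad-unknown; sid:718; rev:5;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET root login attempt"; '
    'content:"root"; flags:A+; sid:1000001; rev:1;)',
]

if __name__ == "__main__":
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    for responder, shared in response_spread(rules).items():
        print("sid %d has resp/react; rules on the same header: %s"
              % (responder, shared))
```

Run stand-alone it reports that sid 719000 shares its header with sid 718 only, which is exactly the pairing the post observed in the debug output; the constructed client-to-server rule lands on a separate header and is unaffected.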