[Snort-users] Snort+flexresp

Bamm (Robert) Visscher rvisscher at ...2107...
Wed Mar 13 13:58:21 EST 2002


If you did not observe a RST packet at all, then the rule you created
did not trigger correctly or at all. Once a packet matches a rule with a
resp: directive, the appropriate response packet (rst or ICMP) is going
to be sent. Whether or not the response will be effective depends on
the accuracy of the Snort-crafted response packet(s).

FWIW, if you are trying to create a rule to kill HTTP connections on
detection of "cmd.exe" (or a content rule of any type in HTTP), then
forget it. It will rarely be effective.

Bammkkkk

On Wed, 2001-03-14 at 08:56, skill2die4 wrote:
> 
> Hi:
> 
> I was working on flexResp in my lab and the set-up was:
> 
> ----------               ----------
> -  compA - +++++++++++++ -  compB -
> ----------               ----------
> 
> +++ = crossover
> 
> compA = running snort
> compB = testing machine
> 
> 
> So, in my case, even though flexResp might be installed
> properly, it wasn't replying to packets with a RST packet (as per
> the rules that I created) due to the time frame given to Snort to create the
> packet (as per my understanding now... thanks to ROEL).
> 
> 
> Questions:
> ----------
> 
> 1. Was it because compA replied before Snort could craft the
> reply packet?
> 
> 2. Even if so, I should have seen at least a single RST packet (even though
> with a delayed sequence number)?
> 
> 3. Since I didn't see even a single RST packet over the network, should
> I ASSume that the problem lies with my installation or rulesets?
> 
> 4. How can I create network DELAYS in the Lab environment?
> [** MOST IMPORTANT **]
> 
> 
> 
> Thanks!
> 
> 
> Skill2die4
> 
> 
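Bamm's point that a RST will be sent but "whether or not the response will be effective depends on the accuracy of the Snort crafted response packet(s)" comes down to a race over TCP sequence numbers, which is also why question 2 ("a delayed sequence number") matters. The following is an added example, not code from the original post or from Snort's flexresp code: a small model of the receiving TCP's acceptability check for a RST segment, in the classic RFC 793 form (accept if RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND) and the stricter RFC 5961 form (only an exact SEG.SEQ == RCV.NXT resets; an in-window but inexact RST draws a challenge ACK). It replays a constructed HTTP request/response exchange on a crossover link like the one in the question and shows that a RST aimed at the client, derived from the request's ACK field, is honoured only if it arrives before the server stack has already pushed response data; a RST aimed at the server, whose SEQ the IDS can compute exactly from the matching packet, survives that delay. All sequence numbers, lengths and the `simulate*` function names are made up for the illustration.

```python
"""Model of the race an IDS-injected TCP RST has to win (added example, not
Snort code). Two receiver policies are modelled:
  - RFC 793:  accept a RST if RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND
  - RFC 5961: reset only if SEG.SEQ == RCV.NXT; in-window but inexact -> challenge ACK
All sequence numbers and sizes below are constructed for the illustration.
"""

MOD = 1 << 32  # sequence space wraps at 2**32


class TcpReceiver:
    """The part of a TCP endpoint that decides whether a segment is acceptable."""

    def __init__(self, rcv_nxt: int, rcv_wnd: int, strict_rst: bool = False):
        self.rcv_nxt = rcv_nxt % MOD   # next byte we expect from the peer
        self.rcv_wnd = rcv_wnd         # our advertised receive window
        self.strict_rst = strict_rst   # True -> RFC 5961 behaviour
        self.state = "ESTABLISHED"
        self.challenge_acks = 0        # counts RFC 5961 challenge ACKs sent

    def in_window(self, seq: int) -> bool:
        # Wrap-safe form of RCV.NXT <= seq < RCV.NXT + RCV.WND
        return (seq - self.rcv_nxt) % MOD < self.rcv_wnd

    def data(self, seq: int, length: int) -> bool:
        """Deliver in-order payload and advance RCV.NXT (out-of-order data is just dropped here)."""
        if self.state != "ESTABLISHED" or seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + length) % MOD
        return True

    def rst(self, seq: int) -> bool:
        """Process a RST; return True if it actually tore the connection down."""
        if self.state != "ESTABLISHED" or not self.in_window(seq):
            return False                   # out of window: silently ignored
        if self.strict_rst and seq != self.rcv_nxt:
            self.challenge_acks += 1       # RFC 5961 section 3.2: ask peer to prove it
            return False
        self.state = "CLOSED"
        return True


# Constructed exchange: client on compB, HTTP server plus IDS on compA, crossover link.
CLIENT_ISN, SERVER_ISN = 1000, 50000
REQUEST_SEQ, REQUEST_LEN = CLIENT_ISN + 1, 60   # e.g. "GET /scripts/..cmd.exe HTTP/1.0"
CLIENT_ACK = SERVER_ISN + 1                     # what the request ACKs


def simulate_rst_to_client(server_bytes_before_rst: int, strict_rst: bool = False,
                           rst_seq_offset: int = 0) -> bool:
    """IDS resets the CLIENT, spoofing the server. It takes SEQ from the ACK field of
    the request it matched. rst_seq_offset lets a caller push that guess inside the
    window but off the exact value. Returns True if the client tears down."""
    client = TcpReceiver(rcv_nxt=CLIENT_ACK, rcv_wnd=65535, strict_rst=strict_rst)
    sent = 0
    while sent < server_bytes_before_rst:          # server stack answers first
        chunk = min(1460, server_bytes_before_rst - sent)
        client.data(CLIENT_ACK + sent, chunk)
        sent += chunk
    return client.rst((CLIENT_ACK + rst_seq_offset) % MOD)


def simulate_rst_to_server(client_bytes_after_request: int = 0, strict_rst: bool = True) -> bool:
    """IDS resets the SERVER, spoofing the client, with SEQ = client SEQ + request length,
    which it computes exactly from the matching packet. Only further client data moves
    the server's RCV.NXT, so the server's own response traffic cannot spoil the guess."""
    server = TcpReceiver(rcv_nxt=REQUEST_SEQ, rcv_wnd=65535, strict_rst=strict_rst)
    server.data(REQUEST_SEQ, REQUEST_LEN)
    sent = 0
    while sent < client_bytes_after_request:
        chunk = min(1460, client_bytes_after_request - sent)
        server.data(REQUEST_SEQ + REQUEST_LEN + sent, chunk)
        sent += chunk
    return server.rst(REQUEST_SEQ + REQUEST_LEN)


if __name__ == "__main__":
    print("RST beats server data:      ", simulate_rst_to_client(0))
    print("RST after one 1460-byte seg:", simulate_rst_to_client(1460))
    print("in-window but inexact, 5961:", simulate_rst_to_client(0, strict_rst=True, rst_seq_offset=10))
    print("RST toward server:          ", simulate_rst_to_server(0))
```

On a crossover link with the server stack on the same host as Snort, the server's reply is on the wire before the user-space sniffer has even seen the request, so the RST toward the client (`simulate_rst_to_client(1460)`) lands below the client's RCV.NXT and is dropped; that is the "delayed sequence number" case from question 2, and the reason Bamm says content-triggered resets of HTTP connections are rarely effective. The RST toward the side that sent the matching packet (`simulate_rst_to_server`) needs no guessing, which is the direction to prefer when a rule carries a `resp:` option; the stricter RFC 5961 check in `strict_rst=True` shows that on a modern stack an in-window-but-inexact RST no longer helps at all.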
