[Snort-users] Snort+flexresp

Sonika Malhotra sonikam at ...4044...
Thu Mar 14 02:29:05 EST 2002


"Bamm (Robert) Visscher" wrote:

> If you did not observe a RST packet at all, then the rule you created
> did not trigger correctly or at all. Once a packet matches a rule with a
> resp: directive, the appropriate response packet (RST or ICMP) is going
> to be sent. Whether or not the response will be effective depends on
> the accuracy of the Snort-crafted response packet(s).
>
> FWIW, if you are trying to create a rule to kill HTTP connections on
> detection of "cmd.exe" (or a content rule of any type in HTTP), then
> forget it. It will rarely be effective.

Please elaborate on this: why does the resp option work for rules of the type
alert tcp any any -> x.x.x.x pp (resp:rst_all; msg:"aiiee";)
and not in general for pattern-matching rules?
thanx.
sm

>
>
> Bammkkkk
>
> On Wed, 2001-03-14 at 08:56, skill2die4 wrote:
> >
> > Hi:
> >
> > I was working on flexresp in my lab and the set-up was:
> >
> > ----------               ----------
> > -  compA - +++++++++++++ -  compB -
> > ----------               ----------
> >
> > +++ = crossover
> >
> > compA = running snort
> > compB = testing machine
> >
> >
> > So, in my case, even though FLEXRESP might be installed
> > properly, it wasn't replying to packets with a RST packet (as per
> > the rules that I created) due to the time frame given to Snort to create the
> > packet (as per my understanding now... thanks to ROEL)
> >
> >
> > Questions:
> > ----------
> >
> > 1. Was it because compA replied before Snort could craft the
> > reply packet?
> >
> > 2. Even if so, I should have seen at least a single RST packet (even though
> > with a delayed sequence number)?
> >
> > 3. Since I didn't see even a single RST packet over the network, should
> > I ASSume that the problem lies with my installation or rulesets?
> >
> > 4. How can I create network DELAYS in the Lab environment?
> > [** MOST IMPORTANT **]
> >
> >
> >
> > Thanks!
> >
> >
> > Skill2die4
> >
> >
>
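As an added illustration, not code from this thread or from Snort itself, the simulation below shows the timing race the thread describes: a reset crafted from the offending request can only carry the server's sequence number as it stood when that request was sent, and the client honours a RST only while that number is still inside its receive window (the RFC 793 acceptance test). If the server's own reply reaches the client first, the window has moved on and the reset is silently dropped; a reset sent before any server data has flowed is not racing anything. All sequence numbers and sizes are constructed.

```python
"""Why a sensor-crafted TCP RST may be ignored: the receive-window race.

Added illustration, not Snort code. A receiver judges a zero-length segment
such as a RST by the RFC 793 acceptance test:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND
All sequence numbers and byte counts here are constructed; nothing is sent.
"""
from dataclasses import dataclass


@dataclass
class Receiver:
    """The minimum state a TCP endpoint needs to judge an incoming RST."""
    rcv_nxt: int   # next byte the endpoint expects from its peer
    rcv_wnd: int   # advertised receive window

    def accepts(self, seq: int) -> bool:
        """RFC 793 window check for a zero-length segment (e.g. a RST)."""
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def deliver_data(self, nbytes: int) -> None:
        """In-order data from the peer moves RCV.NXT forward."""
        self.rcv_nxt += nbytes


def craft_rst_seq_for_client(request_ack: int) -> int:
    """A sensor that matched on the client's request can pose as the server
    only with what that request reveals: its ACK field, i.e. the server's
    next sequence number at the moment the request left the client."""
    return request_ack


def reset_lands(request_ack: int, rcv_wnd: int, reply_bytes_before_rst: int) -> bool:
    """True if the spoofed RST is still in-window when it reaches the client.

    reply_bytes_before_rst is how much of the server's genuine reply the
    client has already consumed by the time the sensor's RST arrives.
    """
    client = Receiver(rcv_nxt=request_ack, rcv_wnd=rcv_wnd)
    client.deliver_data(reply_bytes_before_rst)
    return client.accepts(craft_rst_seq_for_client(request_ack))


if __name__ == "__main__":
    ACK, WND = 0x30000000, 65535                       # constructed values
    # Sensor wins the race: no server data yet, RST sits exactly at RCV.NXT.
    print("RST arrives first  :", reset_lands(ACK, WND, 0))      # True
    # One 1460-byte segment of the reply got there first: RST is now stale.
    print("reply arrives first:", reset_lands(ACK, WND, 1460))   # False
```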
