[Snort-users] Snort+flexresp

Sam sam at ...5202...
Thu Mar 14 06:49:12 EST 2002


Actually, I disagree with the statement saying that you cannot reset on
rules that contain pattern matching.  We are using resp: rst_snd on
several different rules that contain pattern matching (looking for
content strings, TCP flags, etc.) and they are working fine.

FWIW, it says *nothing* about the resp keyword not working with pattern
matching in the manual...

-Sam

On Thu, 14 Mar 2002, Sonika Malhotra wrote:

>
>
> "Bamm (Robert) Visscher" wrote:
>
> > If you did not observe a RST packet at all, then the rule you created
> > did not trigger correctly or at all. Once a packet matches a rule with a
> > resp: directive, the appropriate response packet (rst or ICMP) is going
> > to be sent. Whether or not the response will be effective, depends on
> > the accuracy of the snort crafted response packet(s).
> >
> > FWIW, if you are trying to create a rule to kill HTTP connections on
> > detection of "cmd.exe" (or a content rule of any type in HTTP), then
> > forget it. It will rarely be effective.
>
> Please elaborate on this, why the resp option works for rules of type
> alert tcp any any-> x.x.x.x pp (resp:rst_all; msg:"aiiee";)
> and not in general for pattern matching rules.
> thanx.
> sm
>
> >
> >
> > Bammkkkk
> >
> > On Wed, 2001-03-14 at 08:56, skill2die4 wrote:
> > >
> > > Hi:
> > >
> > > I was working on FlexResp in my lab and the set-up was:
> > >
> > > ----------               ----------
> > > -  compA - +++++++++++++ -  compB -
> > > ----------               ----------
> > >
> > > +++ = crossover
> > >
> > > compA = running snort
> > > compB = testing machine
> > >
> > >
> > > So, in my case even though FLEXRESP might be installed
> > > properly, it wasn't replying to packets with a RST packet (as per
> > > the rules that I created) due to the time frame given to snort to create the
> > > packet (as per my understanding now... thanks to ROEL).
> > >
> > >
> > > Questions:
> > > ----------
> > >
> > > 1. Was it because compA replied before snort could craft the
> > > reply packet?
> > >
> > > 2. Even if so, I should have seen at least a single RST packet (even
> > > though with a delayed sequence number)?
> > >
> > > 3. Since I didn't see even a single RST packet over the network, should
> > > I ASSume that the problem lies with my installation or rulesets?
> > >
> > > 4. How can I create network DELAYS in the Lab environment?
> > > [** MOST IMPORTANT **]
> > >
> > >
> > >
> > > Thanks!
> > >
> > >
> > > Skill2die4
> > >
> > >
> >
>
>
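Added example (not code from the thread, from Snort, or from flexresp itself): a small Python model of the race Bamm and skill2die4 describe, where a RST built from the sequence number Snort saw at match time arrives after the real peer has already advanced the receiver's window. Sequence numbers, window size and reply length are constructed, and the acceptability rules are the RFC 793 window check and the stricter RFC 5961 exact-match check.

```python
# Added example (not from the thread or from Snort): models one reason a
# flexresp RST can be ignored. A TCP endpoint only honours a RST whose
# sequence number is acceptable for its current receive window (RFC 793);
# RFC 5961 tightens that to an exact RCV.NXT match. All numbers constructed.
from dataclasses import dataclass

SEQ_MOD = 1 << 32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


@dataclass
class Endpoint:
    rcv_nxt: int  # next sequence number this side expects from its peer
    rcv_wnd: int  # bytes it is currently willing to accept

    def receive_data(self, seq: int, length: int) -> bool:
        """Accept an in-order data segment from the real peer, advancing RCV.NXT."""
        if seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + length) % SEQ_MOD
        return True

    def rst_accepted(self, seq: int, strict_rfc5961: bool = False) -> bool:
        """Would a RST carrying this sequence number tear the connection down?"""
        if strict_rfc5961:
            return seq == self.rcv_nxt
        return seq_in_window(seq, self.rcv_nxt, self.rcv_wnd)


def flexresp_race(server_reply_bytes: int, rst_first: bool) -> bool:
    """Replay the lab from the thread: compB (client) talks to compA, which
    runs both the server and Snort. Snort builds its RST toward compB from
    the sequence number it saw when the rule matched. If compA's real reply
    reaches compB first, compB's RCV.NXT has moved on and the RST is stale."""
    compb = Endpoint(rcv_nxt=1000, rcv_wnd=65535)
    snort_rst_seq = compb.rcv_nxt  # what Snort believed at match time
    if not rst_first:
        compb.receive_data(1000, server_reply_bytes)
    return compb.rst_accepted(snort_rst_seq, strict_rfc5961=True)


if __name__ == "__main__":
    print("RST wins the race:", flexresp_race(512, rst_first=True))   # True
    print("server reply wins:", flexresp_race(512, rst_first=False))  # False
```

The same model shows why a crossover cable with no latency is the worst case for the lab above: compA's own reply is never behind the RST.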