[Snort-users] problems with alert_smb and flexresp

counter.spy at ...348... counter.spy at ...348...
Fri Mar 15 01:42:07 EST 2002


Hi folks,
I hope this is no drinking question ;-)

I was not able to get smbalerts and the resp: rst_all to work, although I
think I have
configured snort correctly:
./configure --with-mysql --enable-smbalerts --enable-flexresp; make

and I think I can remember seeing the appropriate DENABLE variables floating
over the screen during compile time.

Maybe I have misunderstood something?

Format
alert_smb: <alert workstation filename> 
output alert_smb: workstation.list 

I have added to my snort.conf:
output alert_smb: /root/snort/smbhosts

Where smbhosts contains only one Netbiosname of the machine that should be
notified.
I have also tried to give the IP address instead.
My smb client on SuSE 7.3 works - I have checked this, too.
Snort does not complain about this, but it does not say anything like:
"configured to use smbalerts" 
either. 

I also thought, maybe I have to add the line:
alert_smb: <workstation.list> 
to the config file or to use this syntax to specify the hosts within the
file smbhosts.
None of these variants worked.

Now to the flexresp problem:
I have no IP Address assigned to the sniffing interface. Maybe that is a
reason for snort
not being able to reset the connections. I cannot see any RST packets in
tcpdump.
My original idea was that libnet should be able to spoof IP Addresse
regardless if the interface has an IP address assigned or not, but maybe I am wrong
here?
I actually can see snort writing something like "libnet critical" to the
prompt.

Thanks for your help.

Regards,
D. Liesen 

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net





More information about the Snort-users mailing list