[Snort-users] problems with alert_smb and flexresp

counter.spy at ...348... counter.spy at ...348...
Fri Mar 15 01:42:07 EST 2002

Hi folks,
I hope this is no drinking question ;-)

I was not able to get smbalerts and the resp: rst_all to work, although I
think I have
configured snort correctly:
./configure --with-mysql --enable-smbalerts --enable-flexresp; make

and I think I can remember seeing the appropriate DENABLE variables floating
over the screen during compile time.

Maybe I have misunderstood something?

alert_smb: <alert workstation filename> 
output alert_smb: workstation.list 

I have added to my snort.conf:
output alert_smb: /root/snort/smbhosts

Where smbhosts contains only one Netbiosname of the machine that should be
I have also tried to give the IP address instead.
My smb client on SuSE 7.3 works - I have checked this, too.
Snort does not complain about this, but it does not say anything like:
"configured to use smbalerts" 

I also thought, maybe I have to add the line:
alert_smb: <workstation.list> 
to the config file or to use this syntax to specify the hosts within the
file smbhosts.
None of these variants worked.

Now to the flexresp problem:
I have no IP Address assigned to the sniffing interface. Maybe that is a
reason for snort
not being able to reset the connections. I cannot see any RST packets in
My original idea was that libnet should be able to spoof IP Addresse
regardless if the interface has an IP address assigned or not, but maybe I am wrong
I actually can see snort writing something like "libnet critical" to the

Thanks for your help.

D. Liesen 

GMX - Die Kommunikationsplattform im Internet.

More information about the Snort-users mailing list