[Snort-users] problems with alert_smb and flexresp
roesch at ...1935...
Fri Mar 15 06:41:12 EST 2002
On 3/15/02 4:41 AM, "counter.spy at ...348..." <counter.spy at ...348...> wrote:
> Hi folks,
> I hope this is no drinking question ;-)
> I was not able to get smbalerts and the resp: rst_all to work, although I
> think I have
> configured snort correctly:
> ./configure --with-mysql --enable-smbalerts --enable-flexresp; make
> and I think I can remember seeing the appropriate DENABLE variables floating
> over the screen during compile time.
> Maybe I have misunderstood something?
> alert_smb: <alert workstation filename>
> output alert_smb: workstation.list
> I have added to my snort.conf:
> output alert_smb: /root/snort/smbhosts
Is smbclient in the $PATH of the environment that Snort is running under?
If it's not it won't work.
> Now to the flexresp problem:
> I have no IP Address assigned to the sniffing interface. Maybe that is a
> reason for snort
> not being able to reset the connections. I cannot see any RST packets in
> My original idea was that libnet should be able to spoof IP Addresses
> regardless if the interface has an IP address assigned or not, but maybe I am
I think you're wrong. Try it with an IP on the interface and see if it
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
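
Both checks suggested in the reply above can be scripted against a running sensor. This is an added example, not part of the original thread or of Snort; it assumes Linux with /proc and the iproute2 `ip` tool, and all function names and the pid/interface arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux (/proc) and iproute2 (ip).
# All function names are hypothetical helpers for this check.

# Print PATH from a NUL-separated environ file such as /proc/<pid>/environ,
# i.e. the environment the process was started with (not your login shell's).
path_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^PATH=//p' | head -n 1
}

# Search the colon-separated PATH string $2 for an executable file named $1.
# Prints the first match; returns 1 when there is none.
find_in_path() {
    fip_cmd=$1
    fip_old_ifs=$IFS
    IFS=:
    for fip_dir in $2; do
        [ -z "$fip_dir" ] && fip_dir=.   # empty element means current directory
        if [ -f "$fip_dir/$fip_cmd" ] && [ -x "$fip_dir/$fip_cmd" ]; then
            IFS=$fip_old_ifs
            printf '%s\n' "$fip_dir/$fip_cmd"
            return 0
        fi
    done
    IFS=$fip_old_ifs
    return 1
}

# Return 0 if interface $1 has at least one IPv4 address assigned.
iface_has_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | grep -q 'inet '
}

# $1 = pid of the running snort process, $2 = sniffing interface.
check_sensor() {
    [ -r "/proc/$1/environ" ] || { echo "cannot read environment of pid $1"; return 2; }
    env_path=$(path_from_environ "/proc/$1/environ")
    if bin=$(find_in_path smbclient "$env_path"); then
        echo "OK   smbclient resolves to $bin"
    else
        echo "FAIL smbclient not in PATH of pid $1: $env_path"
    fi
    if iface_has_ipv4 "$2"; then
        echo "OK   $2 has an IPv4 address"
    else
        echo "WARN $2 has no IPv4 address (the case reported in the thread)"
    fi
}

# Usage: sh check.sh <snort-pid> <sniffing-interface>
if [ "$#" -eq 2 ]; then check_sensor "$1" "$2"; fi
```

Run it as root or as the user Snort runs as, since /proc/<pid>/environ is readable only by the process owner and root.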