[Snort-users] problems with alert_smb and flexresp

Martin Roesch roesch at ...1935...
Fri Mar 15 06:41:12 EST 2002


On 3/15/02 4:41 AM, "counter.spy at ...348..." <counter.spy at ...348...> wrote:

> Hi folks,
> I hope this is no drinking question ;-)
> 
> I was not able to get smbalerts and the resp: rst_all to work, although I
> think I have configured snort correctly:
> ./configure --with-mysql --enable-smbalerts --enable-flexresp; make
> 
> and I think I can remember seeing the appropriate DENABLE variables floating
> over the screen during compile time.
> 
> Maybe I have misunderstood something?
> 
> Format
> alert_smb: <alert workstation filename>
> output alert_smb: workstation.list
> 
> I have added to my snort.conf:
> output alert_smb: /root/snort/smbhosts

Is smbclient in the $PATH of the environment that Snort is running under?
If it's not it won't work.

> Now to the flexresp problem:
> I have no IP Address assigned to the sniffing interface. Maybe that is a
> reason for snort not being able to reset the connections. I cannot see any
> RST packets in tcpdump.
> My original idea was that libnet should be able to spoof IP Addresses
> regardless if the interface has an IP address assigned or not, but maybe I am
> wrong here?

I think you're wrong.  Try it with an IP on the interface and see if it
works.

     -Marty

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
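
Added example, not part of the original message or of Snort: a shell check for the first point in the reply above, resolving smbclient against the PATH of the running Snort process rather than the PATH of the administrator's login shell. It assumes a Linux /proc filesystem; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Snort code). Function names are hypothetical.
# Assumption: Linux, where /proc/<pid>/environ holds the NUL-separated
# environment the process was started with.

# path_from_environ FILE -> prints the PATH value from such a dump.
path_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^PATH=//p' | head -n 1
}

# resolve_in_path NAME PATHSTRING -> prints the first executable match;
# returns 1 if no directory in PATHSTRING holds an executable NAME.
resolve_in_path() {
    name=$1
    oldifs=$IFS
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means cwd
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# check_daemon_path ENVIRON_FILE NAME -> reports whether NAME resolves
# in the PATH recorded in ENVIRON_FILE; returns 1 when it does not.
# Typical call (as root):
#   check_daemon_path "/proc/$(pidof snort)/environ" smbclient
check_daemon_path() {
    daemon_path=$(path_from_environ "$1")
    if found=$(resolve_in_path "$2" "$daemon_path"); then
        echo "OK: $2 resolves to $found"
    else
        echo "MISSING: $2 not found in PATH=$daemon_path"
        return 1
    fi
}
```

A daemon started from an init script or cron often has a shorter PATH than an interactive root shell, so `which smbclient` succeeding at the prompt does not settle the question.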
