[Snort-users] problems with alert_smb and flexresp

counter.spy at ...348... counter.spy at ...348...
Mon Mar 18 09:01:06 EST 2002


Hello all,
just wanted to post that Flexresp now works great for me (many thanks
Martin!).
I have tested the "resp: rst_all" with my own SubSeven rules and it worked
like a charm. 
Gee, this is really impressive! 
Cool feature, although I know it's use is not recommended by most IDS
specialists.

SMBalerts still don't work. I have checked the PATH variable and found it
was okay.
Now I used tcpdump in order to see if snort sends any Netbios requests, and
yes, it does.
So the problem is not with snort, I think, but with my misconfiguration.
The SMB host replies with "netbiosname not present" and "connection
refused".
Maybe someone could give me a hint on which syntax to use in the smbhosts
file?
Is the syntax similar to the lmhosts file of Windows boxes?

I have tried several variants but none of them worked.
Maybe someone can give me a sample entry for the snort smb hosts list.

Thanks again!
Greetings,
D.Liesen
----------------------original message------------------------------------

On 3/15/02 4:41 AM, "counter.spy at ...348..." <counter.spy at ...348...> wrote:

> Hi folks,
> I hope this is no drinking question ;-)
> 
> I was not able to get smbalerts and the resp: rst_all to work, although I
> think I have
> configured snort correctly:
> ./configure --with-mysql --enable-smbalerts --enable-flexresp; make
> 
> and I think I can remember seeing the appropriate DENABLE variables
floating
> over the screen during compile time.
> 
> Maybe I have misunderstood something?
> 
> Format
> alert_smb: <alert workstation filename>
> output alert_smb: workstation.list
> 
> I have added to my snort.conf:
> output alert_smb: /root/snort/smbhosts

Is smbclient in the $PATH of the environment that Snort is running under?
If it's not it won't work.

> Now to the flexresp problem:
> I have no IP Address assigned to the sniffing interface. Maybe that is a
> reason for snort
> not being able to reset the connections. I cannot see any RST packets in
> tcpdump.
> My original idea was that libnet should be able to spoof IP Addresse
> regardless if the interface has an IP address assigned or not, but maybe I
am
> wrong
> here?

I think you're wrong.  Try it with an IP on the interface and see if it
works.

     -Marty

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net



-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net





More information about the Snort-users mailing list