neil at ...4898...
Thu Mar 28 07:52:07 EST 2002
Ok. I created a rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP access from
anonymous"; flags:!R ; resp:rst_all;content:"anonymous";
classtype:not-suspicious; sid:1717; rev:2;)
And here is the log:
[**] [1:1717:2] FTP access from anonymous [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
03/28-09:45:49.271952 192.168.0.112:1062 -> 126.96.36.199:21
TCP TTL:64 TOS:0x10 ID:60673 IpLen:20 DgmLen:68 DF
***AP*** Seq: 0xF518481 Ack: 0x678EB95E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 11758512 213343883
You mentioned that flex-resp is friendly to ssh, ftp, .etc. How come my
wasn't kill by my rule?
What's wrong with my rule? I even tried it with flags: A+, still didn't
But I still admin that I am not good on those flags.
----- Original Message -----
From: "Bamm Visscher" <bamm at ...539...>
To: "Ronneil Camara" <ronneilc at ...4042...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, March 27, 2002 7:06 AM
Subject: RE: [Snort-users] Snort+flexresp
> There is no way to force flex-resp to be successful against HTTP. Most
> of the time, the source of an HTTP connection sends five packets. Two
> for establishing the session (syn then ack), and two to tear down the
> session (fin/ack and ack). Plus one that contains the GET/POST/etc
> request (usually a push/ack). It is impossible for flex-resp to kill
> this session before the dest gets the GET/POST/etc, and thus it is
> impossible to create a rule to prevent the server from processing the
> GET/POST/etc request. If for some reason, the GET/POST/etc contains so
> much data that it is spread across multiple packets, then you may have a
> slim chance at killing the session before the dest processes the request
> (may the network lag be with you).
> The dest is going to send as many packets as it takes to return the info
> requested, but killing the connection at that time is almost pointless
> since the server has already processed the perps request/command. At
> best you might prevent the perp from seeing all the results of a
> directory listing.
> BTW, this is not a snort specific problem. It affect every IDS using
> tcp-resets to kill connections.
> On Wed, 2002-03-27 at 00:36, Ronneil Camara wrote:
> > Hi Bamm,
> > I got impressed on how you answered your every post on this thread.
> > So now, what can you suggest me so that flex-resp will be successful on
> > killing connections let say for http?
> > Thank you very much.
> > Neil
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users