[Snort-users] RE: Resp and React keywords don't work?

Erek Adams erek at ...577...
Thu Mar 28 10:40:05 EST 2002


On Thu, 28 Mar 2002, Sheahan, Paul (PCLN-NW) wrote:

> I appreciate your help Erek.

:)

> Here's what I've done so far. I killed all running Snort processes. I
> downloaded Libnet.tar.gz (current, stable version) and it appeared to
> compile fine.
>
> I reran ./configure --enable-flexresp from the snort-1.8.4 directory and all
> worked fine. Then I ran make and make install again and those appeared to
> run fine as well.

Ok.  First off make sure you are using the 'right version of snort.'  Build a
non-flex version that works, w/o that rule....  Install it.  Go to where you
installed it and cp snort snort-1.8.4-noflex.  Next go and build one with
flex-resp enabled.  Install it.  Go to the install dir and cp snort
snort-1.8.4-with-flexresp.  Now a 'ls -la' should give two different
versions/sizes if everything is right.

> The rule I created is:
> # alert tcp any any -> $HOME_NET 80 (msg:"Backup access prohibited!"; uricontent: "/backup"; resp:rst_all;)

Try adding a space after the 'resp:'.  IOW, 'resp: rst_all'.

> Then I executed Snort using:
> /usr/local/bin/snort -A fast -c /etc/snort/test.conf -i eth0 -l /test -o -N -b -L testtraces

Then when you start, use one with flex-resp and one without.  If you get the
same error, then something is odd.  :)

> I just downloaded "snort-plain+flexresp-1.8.4-1snort.i386.rpm" and tried to
> install that for the heck of it. It said it needed Snort1.8.4 and quit (even
> though Snort 1.8.4 is already installed!). Boy, I'm having a bad day! Any
> ideas?

See why I don't like RPMs?  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
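An added example, not code from the thread or from the Snort project: a small Python checker that reads a rule the way Snort would (after undoing mail-client line wrapping), reports whether the rule is commented out, whether each resp modifier is one flexresp knows, and notes that resp is only honoured by a --enable-flexresp build. The modifier set is assumed from the Snort 1.x flexresp documentation.

```python
import re

# resp modifiers documented for Snort 1.x flexresp (assumed complete for 1.8.4).
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

# header: action proto src_ip src_port dir dst_ip dst_port, then "(options)"
_HEADER_RE = re.compile(
    r'(\w+\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*\((.*)\)\s*$')
# one option: name, optional ":" value (quoted or bare), terminating ";"
_OPTION_RE = re.compile(
    r'\s*([A-Za-z_]+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_rule(rule_text):
    """Return (commented_out, header, [(option, value), ...]) for one rule."""
    text = " ".join(rule_text.split())          # undo mail wrapping
    commented = text.startswith("#")
    m = _HEADER_RE.match(text.lstrip("# "))
    if not m:
        raise ValueError("not a recognisable rule: %r" % text)
    header, opts = m.group(1), m.group(2).strip()
    options, pos = [], 0
    while pos < len(opts):
        om = _OPTION_RE.match(opts, pos)
        if not om:
            raise ValueError("bad option syntax near: %r" % opts[pos:])
        value = om.group(2)
        if value is not None:
            value = value.strip().strip('"')  # resp:rst_all and resp: rst_all both fine
        options.append((om.group(1), value))
        pos = om.end()
    return commented, header, options


def check_resp_rule(rule_text):
    """List the reasons a resp rule may never send a reset."""
    commented, _header, options = parse_rule(rule_text)
    findings = []
    if commented:
        findings.append("rule starts with '#': Snort treats it as a comment and never loads it")
    resp_values = [v for k, v in options if k == "resp"]
    if not resp_values:
        findings.append("no resp option: this is a plain alert rule")
    for value in resp_values:
        for mod in (value or "").split(","):
            if mod.strip() not in RESP_MODIFIERS:
                findings.append("unknown resp modifier %r" % mod.strip())
    if resp_values:
        findings.append("resp needs a snort built with --enable-flexresp (libnet); "
                        "a non-flexresp binary rejects the option")
    return findings
```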
