[Snort-users] Snort v1.9.0 on Win2k: resp error

Rich Adamson radamson at ...2127...
Sat Jan 4 13:14:06 EST 2003


> Snort v1.9.0 on a Win2kPro box. Runs fine, alerts logged to syslog fine,
> all is well, except...
> 
> Installed the FlexResp_Release version from silicondefense and tested
> all basic functions used in the previous stripped version. Now trying
> to play with "resp:rst_snd" for the first time. Been using a basic
> telnet any->any rule for testing, which does cause proper alerts and
> syslog entries (for testing purposes).  However, the "resp:rst_snd" 
> option causes repeated:
>   PacketSendPacket failed
> error in the command line window.
> 
> Anyone know whether the error is associated with snort, libpcap, or
> libnetnt.dll?
> 
> I'm thinking my libpcap might be old, but don't really have a clue at
> this point.

To reply to my post...

I found the problem. The LibnetNT.dll included in the Windows
distribution is an old version and apparently does not support
the "resp:rst_snd" rule option within snort. Replacing this dll
with a newer one (v1.1.0) from www.packetfactory.net/libnet
corrected the problem.

Also, there are several syntax errors in the README.FLEXRESP that is
distributed. This file suggests a syntax of "resp=rst_snd",
which causes snort to barf. The correct syntax is "resp:rst_snd".
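
A rule-file check for the "resp=" mistake described above, as an added example that is not part of the original post or of the Snort distribution. The function names and the test rules are assumptions made for illustration; the modifier list is the set the Snort manual documents for the resp option.

```python
import re

# resp modifiers documented for Snort's flexible response option
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

def split_options(rule):
    """Return the option strings between the rule's outer parentheses."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        return []
    body = rule[start + 1:end]
    # Split on ';' that is not inside a quoted string (msg:"a;b" stays whole).
    parts = re.findall(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+', body)
    return [p.strip() for p in parts if p.strip()]

def check_resp(rule):
    """Return a list of problems with the rule's resp option (empty if fine)."""
    problems = []
    for opt in split_options(rule):
        if re.match(r'resp\s*=', opt):
            # The form the post says makes Snort reject the rule.
            problems.append("use 'resp:' not 'resp=': " + opt)
            continue
        m = re.match(r'resp\s*:\s*(.*)$', opt)
        if not m:
            continue
        for mod in (x.strip() for x in m.group(1).split(",")):
            if mod not in RESP_MODIFIERS:
                problems.append("unknown resp modifier: " + repr(mod))
    return problems

# Constructed test rules modelled on the telnet test rule described in the post.
GOOD = 'alert tcp any any -> any 23 (msg:"telnet; test"; resp:rst_snd;)'
BAD_EQ = 'alert tcp any any -> any 23 (msg:"telnet test"; resp=rst_snd;)'
BAD_MOD = 'alert tcp any any -> any 23 (msg:"telnet test"; resp:rst_send,icmp_host;)'

if __name__ == "__main__":
    for r in (GOOD, BAD_EQ, BAD_MOD):
        print(check_resp(r) or "ok", "<-", r)
```

Running this over a rules file before starting Snort catches the README's "resp=" form and misspelled modifiers without waiting for a startup failure.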




