[Snort-users] FlexResp (Not working?)

Carlos Kumbak ckumbak at ...1331...
Tue Jan 21 22:16:02 EST 2003


Hi,

I need some help from you guys...

I'm using:
-Snort 1.9 (--enable-flexresp)
-Libpcap 0.7.1
-Libnet 1.0.2a

Some time ago (in the older Snort versions) it was possible
to abort connections using flexresp... Let's say that
I'm running Snort with the following rule (that worked
before):

-----------------------
alert tcp any any -> any 25 (msg:"test";content:"test123";resp:rst_all;)
-----------------------

Snort started without problems...

Now... from another computer I try:

-----------------------
telnet gateway 25
Trying XX.XX.XX.XX...
Connected to gateway
Escape character is '^]'.
220 gateway (experimental box) ESMTP
-----------------------

Then I type:
-----------------------
test123 <enter>
500 5.5.1 Command unrecognized: "test123"
-----------------------

Snort identifies the content but didn't drop the
connection...
-----------------------
Jan 22 02:05:08 gateway snort: [1:0:0] test <eth0> {TCP} XXX.XXX.XXX.XXX:53344 -> XXX.XXX.XXX.XXX:25
-----------------------

I remember that this rule worked before... I used
flexresp a lot... but now I'm losing my mind trying to
understand what is wrong.

Please... can someone help?


Best regards.
__________________
Carlos Kumbak
ckumbak at ...1331...


