[Snort-users] win32 snort (resp + react)

Rich Adamson radamson at ...2127...
Sun Jul 6 11:20:08 EDT 2003


Jon,

> I'm attempting 2 simple rules as a test (on win32 port):
> 
> alert tcp $HOME any -> any 80 (msg: "Port 80"; resp: rst_snd;)
> alert tcp $HOME any -> any 81 (msg: "Port 81"; react: block;)
> 
> The first one tells me that resp is a bad keyword.

The Win32 executable that Jeff sent all of us for testing had a bug
in it that kept "resp:" from being recognized as a keyword. After he
corrected that, I also noticed the keyword had no impact (e.g., rst_snd
was not sent).
 
> The second actually can have block, warn, msg ... but on an outgoing
> connection nothing really happens.  I'm expecting snort to kill the
> connection and not allow a request through (but the laptop still gets the
> content).
> 
> Am I missing something?

Not missing a thing. Jeff was going to debug the code this weekend. If 
his weekend is/was as busy as mine, it will probably be a few days 
before we hear anything.

Rich





