[Snort-users] Flexible Response

kongi kongi at ...10560...
Fri Nov 14 14:02:19 EST 2003


On Fri, Nov 14, 2003 at 01:40:05PM -0500, snort wrote:

> 	This version is statically compiled with flexible response 
> 
> 	I rpm -qip snort-2.0.4 and it states that flexible response is
> compiled into the package,
> 	but when I create a rule and use the resp keyword I get the below
> error. 
>       I have also tried to use the react option and I get the same error.
> 
> 	Warning: /etc/snort/rules/icmp.rules(44) => Unknown keyword 'resp'
> in rule!
> Warning: /etc/snort/rules/icmp.rules(44) => Unknown keyword 'react' in rule!
> 

if U user fles_resp (1) - U must, define in config (example):
# reset sender
var RESP_TCP resp:rst_snd;
var RESP_TCP2 resp:rst_rcv;

#reset all
var RESP_TCP_URG resp:rst_all;

#var RESP_UDP resp:icmp_port,icmp_host;
var RESP_UDP resp:icmp_host;

or, if U user fles_resp2, U must configure --fles_resp2 (not 
documented in configure --help)

I thing, U use rules contrib - where define fles_resp2

regards
-->k




More information about the Snort-users mailing list