[Snort-users] Flexresp is not working

Dmitry dvk99 at ...1975...
Fri Feb 13 08:15:00 EST 2004


Config:
SuSE 8.0,
Snort! 2.1.1-RC1 (Build 18), configured with --enable-flexresp option,
libnet - 1.02a.


Standard CHAT rules:
1.
alert tcp any any -> any any (msg:"CHAT ICQ access"; \
content:"aim_http"; \
nocase; resp: rst_all;)


2.
alert tcp any 80 -> any any (msg:"CHAT ICQ forced user addition"; \
flow:established,to_client; \
content:"Content-Type\: application/x-icq"; \
content:"[ICQ User]"; \
reference:bugtraq,3226; \
reference:cve,CAN-2001-1305; \
classtype:misc-activity; \
sid:1832; \
rev:3; \
resp: rst_all;)



I use ICQ with an anonymous HTTP proxy, 205.188.213.228:80,
and get the following Snort logs:

[**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
02/13-18:32:20.286062 192.168.1.16:2264 -> 205.188.213.228:80
TCP TTL:128 TOS:0x0 ID:7606 IpLen:20 DgmLen:337 DF
***AP*** Seq: 0x4CEBDCFB  Ack: 0x37B7DFC2  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] CHAT ICQ access [**]
02/13-18:32:20.889756 205.188.213.228:80 -> 192.168.1.16:2264
TCP TTL:64 TOS:0x0 ID:5879 IpLen:20 DgmLen:376 DF
***AP*** Seq: 0x3776FFC2  Ack: 0x4CEEEB63  Win: 0x1920  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

... and so on, many, many messages.

But the ICQ connection IS ALIVE and doesn't break at all.
What am I doing wrong??? Where is FLEXRESP??


WBR, Dmitry Komarov.
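An added example, not part of the original post and not Snort project code: a small Python script that parses the two "full"-format alert records and the two rules quoted above, then reports for each alert whether it came from a rule that carries a resp: option and which way the matching packet was travelling. The log lines and rules are copied from the post; the parser, the classify() check and its assumption that the server side is port 80 are this example's own.

```python
"""Correlate Snort 2.x "full" alert records with the rules that produced them.

Added example, not from the original post or from Snort. The alert records
and rules embedded below are copied from the post; the parsing and the
classify() check are this example's own. The idea: before blaming flexresp,
confirm that the alert really came from a rule carrying a resp: option and
see which direction the matched packet was going in.
"""
import re

# Alert records as printed by Snort's "full" alert output (copied from the post).
ALERT_LOG = """\
[**] (http_inspect) BARE BYTE UNICODE ENCODING [**]
02/13-18:32:20.286062 192.168.1.16:2264 -> 205.188.213.228:80
TCP TTL:128 TOS:0x0 ID:7606 IpLen:20 DgmLen:337 DF
***AP*** Seq: 0x4CEBDCFB  Ack: 0x37B7DFC2  Win: 0xFAF0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] CHAT ICQ access [**]
02/13-18:32:20.889756 205.188.213.228:80 -> 192.168.1.16:2264
TCP TTL:64 TOS:0x0 ID:5879 IpLen:20 DgmLen:376 DF
***AP*** Seq: 0x3776FFC2  Ack: 0x4CEEEB63  Win: 0x1920  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# The two rules from the post, joined onto single lines (backslash continuations removed).
RULES = r"""
alert tcp any any -> any any (msg:"CHAT ICQ access"; content:"aim_http"; nocase; resp: rst_all;)
alert tcp any 80 -> any any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type\: application/x-icq"; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,CAN-2001-1305; classtype:misc-activity; sid:1832; rev:3; resp: rst_all;)
"""

HEADER_RE = re.compile(r"^\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(?P<msg>.*?)\s*\[\*\*\]$")
PACKET_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Flag field is always 8 characters (e.g. "***AP***"), followed by Seq/Ack.
TCP_RE = re.compile(r"^(?P<flags>\S{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)")
RULE_RE = re.compile(r"^(?P<header>alert\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+)\s+\((?P<body>.*)\)\s*$")


def split_options(body):
    """Split a rule option body on ';' while respecting quotes and backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and in_quote and i + 1 < len(body):   # keep escapes such as \: intact
            cur.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(c)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rules(text):
    """Return {msg: {"header": ..., "options": {name: [values...]}}} for every alert rule."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        options = {}
        for opt in split_options(m.group("body")):
            key, _, val = opt.partition(":")
            options.setdefault(key.strip(), []).append(val.strip().strip('"'))
        rules[options["msg"][0]] = {"header": m.group("header"), "options": options}
    return rules


def _record(lines):
    """Turn the four non-blank lines of one "full" alert record into a dict."""
    h, p, t = HEADER_RE.match(lines[0]), PACKET_RE.match(lines[1]), TCP_RE.match(lines[3])
    if not (h and p and t):
        raise ValueError("unrecognised alert record: %r" % (lines,))
    return {"msg": h["msg"], "ts": p["ts"], "src": p["src"], "sport": int(p["sport"]),
            "dst": p["dst"], "dport": int(p["dport"]), "flags": t["flags"],
            "seq": int(t["seq"], 16), "ack": int(t["ack"], 16)}


def parse_alerts(text):
    """Split "full" alert output on the =+=+ separator lines and parse each record."""
    alerts, cur = [], []
    for line in text.splitlines():
        if line.startswith("=+"):
            if cur:
                alerts.append(_record(cur))
            cur = []
        elif line.strip():
            cur.append(line)
    if cur:
        alerts.append(_record(cur))
    return alerts


def classify(alerts, rules, server_port=80):
    """For each alert: did a rule in the set produce it, does that rule carry resp:,
    and was the packet heading to the client or to the server (assumed port 80)."""
    rows = []
    for a in alerts:
        rule = rules.get(a["msg"])            # preprocessor alerts have no rule entry
        opts = rule["options"] if rule else {}
        if a["sport"] == server_port:
            direction = "to_client"
        elif a["dport"] == server_port:
            direction = "to_server"
        else:
            direction = "unknown"
        rows.append({"msg": a["msg"], "rule_found": rule is not None,
                     "resp": opts.get("resp", [None])[0],
                     "direction": direction, "flow": opts.get("flow", [None])[0]})
    return rows


if __name__ == "__main__":
    for row in classify(parse_alerts(ALERT_LOG), parse_rules(RULES)):
        print(row)
```

Run against the log above it shows that the http_inspect line comes from a preprocessor (no rule, so no resp: anything), while the "CHAT ICQ access" alert does map to a rule with resp: rst_all and fired on a server-to-client packet from the proxy's port 80, so the rule is matching and any further troubleshooting belongs on the response side rather than on the rule.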