[Snort-users] Why resp and session option Dont work!?

Jeremy Hewlett jh at ...1935...
Fri Jan 30 12:41:51 EST 2004


On Wed, Jan 28, soldier Mx wrote:
> alert tcp any any -> $HOME_NET 22 (msg: "Alguien se
> loguio por ssh checa los logs!"; session:printable;)

What is it you're expecting to catch here? SSH is encrypted, there
isn't any viewable session here.

> and the other thing is, that if RESP really works ???
> i have been testing it, and i cant disconnect or reset
> the TCP conection of some user that matched the rule..

There's always a race condition here... if your RST is received after
other packets in the connection, it will be out of sync, and ignored.
You might want to try FlexResp2, it's better at dealing with this. You
would always run tcpdump along with Snort to see what's going on.








More information about the Snort-users mailing list