[Snort-users] flexresp2 is back and needs testing
jeff at ...950...
Thu Sep 9 09:05:04 EDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Sep 9, 2004, at 7:02 AM, Pedro Fortuna wrote:
> Jeff, it seems ok now :)
> I tried the rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Attempt to access
> FTP as user root!"; flow:to_server,established; content:"USER";
> nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi";
> classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)
> And tried to access FTP server from a remote computer with username
> root. Right after typing root and hitting enter, I got this output:
> remoteserver.foo > ftp homenetwork.ftp.server
> Connected to homenetwork.ftp.server
> Name (homenetwork.ftp.server:foo): root
> 421 Service not available, remote server has closed connection
> Login failed.
> No control connection for command: Transport endpoint is not connected
> ftp> by
> I think this should be the result expected. I'll do more tests later.
> Best Regards,
> Pedro Fortuna
Excellent. I'm glad it worked. Anyone using active response on
unix-like systems (i.e. flexresp) should consider applying the patch I
sent to the snort-users mailing list.
I believe the code will be imported to the snort CVS tree soon.
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
Part-time software mechanic, full-time daredevil!
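The rule Pedro tested above fires (and so sends the reset) only when every payload option holds. The following is an added example, not code from the thread or from Snort: it emulates in Python the three payload matchers of that rule (content "USER" nocase; content "root" distance:1 nocase; pcre /^USER\sroot/smi) over a handful of constructed FTP control-channel payloads, so you can see which usernames trigger the reset and which slip past. It assumes Snort's documented semantics (distance is counted from the end of the previous content match, and Snort retries later occurrences of the first content if the relative match fails) and treats the flow:to_server,established precondition as already satisfied; the function names and sample payloads are mine.

```python
"""Emulation of the payload matchers in the posted Snort rule (added example)."""
import re

# pcre:"/^USER\sroot/smi"  -> Python flags: DOTALL (s), MULTILINE (m), IGNORECASE (i)
RULE_PCRE = re.compile(rb"^USER\sroot", re.DOTALL | re.MULTILINE | re.IGNORECASE)


def find_nocase(payload: bytes, pattern: bytes, start: int = 0) -> int:
    """Case-insensitive search (content ... nocase). Returns start offset or -1."""
    return payload.lower().find(pattern.lower(), start)


def content_chain_matches(payload: bytes) -> bool:
    """content:"USER"; nocase; content:"root"; distance:1; nocase;

    distance:1 anchors the second search relative to the end of the first
    match: "root" may begin no earlier than 1 byte after "USER" ends.
    Snort retries later occurrences of "USER" when the relative match fails,
    so this loops instead of stopping at the first occurrence (assumption
    based on the documented semantics, not on Snort's actual engine code).
    """
    start = 0
    while True:
        user_at = find_nocase(payload, b"USER", start)
        if user_at < 0:
            return False
        user_end = user_at + len(b"USER")
        if find_nocase(payload, b"root", user_end + 1) >= 0:
            return True
        start = user_at + 1


def pcre_matches(payload: bytes) -> bool:
    """pcre:"/^USER\\sroot/smi" applied to the same buffer."""
    return RULE_PCRE.search(payload) is not None


def rule_matches(payload: bytes) -> bool:
    """All payload options must hold for the rule, and hence resp:reset_dest,
    to fire. flow:to_server,established is stream state rather than payload
    and is assumed satisfied here."""
    return content_chain_matches(payload) and pcre_matches(payload)


# Constructed client->server FTP payloads with the expected verdict
# (these are made up for the example, not captured traffic).
SAMPLES = {
    b"USER root\r\n": True,            # the case Pedro tested
    b"user ROOT\r\n": True,            # nocase on both contents, /i on the pcre
    b"USERroot\r\n": False,            # distance:1 and \s both require a byte between them
    b"USER  root\r\n": False,          # content chain passes, but \s is one char: pcre fails
    b"USER rootkit\r\n": True,         # username "rootkit" also gets reset: no word boundary
    b"PASS x\r\nUSER root\r\n": True,  # /m lets ^ match after \n in a coalesced buffer
    b"USER\troot\r\n": True,           # \s also accepts a tab
}


def evaluate_samples() -> dict:
    """Run the rule emulation over SAMPLES; keys are payloads, values are verdicts."""
    return {payload: rule_matches(payload) for payload in SAMPLES}


if __name__ == "__main__":
    for payload, fired in evaluate_samples().items():
        print(f"{payload!r:32} -> {'RESET' if fired else 'pass'}")
```

Two things worth noticing when you run it: "USER  root" (two spaces) satisfies both content checks but not the pcre, so the rule does not fire, and "USER rootkit" does fire, since neither the content nor the pcre anchors the end of the username. If the latter matters, the pcre could end the username with a line terminator; that change is not part of the posted rule.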