[Snort-users] flexresp2 is back and needs testing

Jeff Nathan jeff at ...950...
Thu Sep 9 09:05:04 EDT 2004




On Sep 9, 2004, at 7:02 AM, Pedro Fortuna wrote:

> Jeff, it seems ok now :)
>
> I tried the rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Tentativa de aceder
> a FTP com user root!"; flow:to_server,established; content:"USER";
> nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi";
> classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)
>
> And tried to access FTP server from a remote computer with username
> root. Right after typing root and hitting enter, I got this output:
>
> remoteserver.foo > ftp homenetwork.ftp.server
> Connected to homenetwork.ftp.server
> Name (homenetwork.ftp.server:foo): root
> 421 Service not available, remote server has closed connection
> Login failed.
> No control connection for command: Transport endpoint is not connected
> ftp> by
>
> I think this should be the result expected. I'll do more tests later.
>
> Best Regards,
> Pedro Fortuna

Pedro,

Excellent.  I'm glad it worked.  Anyone using active response on 
Unix-like systems (i.e. flexresp) should consider applying the patch I 
sent to the snort-users mailing list.

I believe the code will be imported to the snort CVS tree soon.

-Jeff

--
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
Part-time software mechanic, full-time daredevil!


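As an added illustration (not code from the thread, and not Snort's own matcher), the following emulates the three payload tests of Pedro's rule, "content:USER; nocase", "content:root; distance:1; nocase" and "pcre:/^USER\sroot/smi", over constructed FTP command lines, so one can see which inputs would trigger the reset; the flow, port and resp parts of the rule are not modelled.

```python
import re

# Payload tests copied from the rule quoted in the thread.
CONTENT_USER = b"USER"
CONTENT_ROOT = b"root"
# /s -> DOTALL, /m -> MULTILINE, /i -> IGNORECASE (same flag letters as PCRE)
PCRE = re.compile(rb"^USER\sroot", re.S | re.M | re.I)


def content_match(payload: bytes, pattern: bytes, start: int = 0) -> int:
    """nocase content search from 'start'; returns the offset just past the
    match, or -1 when the pattern is absent."""
    idx = payload.lower().find(pattern.lower(), start)
    return -1 if idx < 0 else idx + len(pattern)


def rule_matches(payload: bytes) -> bool:
    """True when all three payload tests of the rule succeed (simplified
    emulation: Snort's flow/port checks and the resp action are ignored)."""
    start = 0
    while True:
        end_user = content_match(payload, CONTENT_USER, start)
        if end_user < 0:
            return False  # no "USER" anywhere: first content test fails
        # distance:1 is relative to the end of the previous content match,
        # so "root" has to begin at least one byte after "USER" ends.
        if content_match(payload, CONTENT_ROOT, end_user + 1) >= 0:
            break
        # Snort retries the relative match from the next "USER" occurrence.
        start = end_user - len(CONTENT_USER) + 1
    # Final test: the anchored regex; /m lets ^ match after any newline.
    return PCRE.search(payload) is not None


# Constructed sample client payloads (not captures from the thread).
SAMPLES = {
    b"USER root\r\n": True,          # the case Pedro tested
    b"user ROOT\r\n": True,          # nocase and /i make case irrelevant
    b"USER rootbeer\r\n": True,      # no end anchor: any name starting "root" fires
    b"NOOP\r\nUSER root\r\n": True,  # /m: ^ also matches at a later line
    b"PASS root\r\n": False,         # first content test fails
    b"USERroot\r\n": False,          # distance:1 and \s both need a gap
    b"USER admin\r\n": False,
}


def check_samples() -> bool:
    """Return True when the emulation agrees with every expected verdict."""
    return all(rule_matches(p) == want for p, want in SAMPLES.items())


if __name__ == "__main__":
    for payload, want in SAMPLES.items():
        print(payload, "->", rule_matches(payload), "(expected", want, ")")
```

The "rootbeer" line is the practitioner's caveat: the rule's pcre has no trailing anchor, so any username beginning with "root" is reset, which is worth knowing before enabling an active response on it.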