[Snort-users] flexresp2 is back and needs testing
pedro.fortuna at ...11827...
Thu Sep 9 19:28:02 EDT 2004
Jeff, it seems ok now :)
I tried the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Tentativa de aceder
a FTP com user root!"; flow:to_server,established; content:"USER";
nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi";
classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)
And tried to access FTP server from a remote computer with username
root. Right after typing root and hitting enter, I got this output:
remoteserver.foo > ftp homenetwork.ftp.server
Connected to homenetwork.ftp.server
Name (homenetwork.ftp.server:foo): root
421 Service not available, remote server has closed connection
No control connection for command: Transport endpoint is not connected
I think this should be the result expected. I'll do more tests later.
On Thu, 9 Sep 2004 01:01:35 -0400, Jeff Nathan <jeff at ...950...> wrote:
> Sorry about that. Try the attached patch (version 1.0.2) instead, OK?
> On Sep 8, 2004, at 8:58 PM, Pedro Fortuna wrote:
> > Jeff, I did, I used the sp_respond2.diff.gz you sent today directly to
> > my (other) mail box (pfeito_at_netcabo.pt) and to other 6 or 7 guys.
> > I'm going to repeat the process as I type this e-mail:
> > Installation (you can see filesize and confirm that it is version
> > 1.0.1):
> > -rw-r--r-- 1 root root 16414 Sep 9 02:55 sp_respond2.diff.gz
> > # gzip -d sp_respond2.diff.gz
> > -rw-r--r-- 1 root root 66323 Sep 9 02:55 sp_respond2.diff
> > # patch -p0 < sp_respond2.diff
> > patching file configure.in
> > patching file doc/Makefile.am
> > patching file doc/README.FLEXRESP2
> > patching file src/parser.c
> > patching file src/plugbase.c
> > patching file src/snort.h
> > patching file src/detection-plugins/Makefile.am
> > patching file src/detection-plugins/sp_react.c
> > patching file src/detection-plugins/sp_react.h
> > patching file src/detection-plugins/sp_respond.c
> > patching file src/detection-plugins/sp_respond.h
> > patching file src/detection-plugins/sp_respond2.c
> > patching file src/detection-plugins/sp_respond2.h
> > # aclocal
> > # autoheader
> > # automake
> > # autoconf
> > # ./configure --with-mysql=/usr/local/mysql --enable-flexresp2
> > # make
> > # make install
> > # /etc/init.d/snort start
> > # grep "sp_respond" /var/log/messages
> > Sep 9 03:08:29 paco snort: FATAL ERROR: sp_respond2: Unable to
> > allocate hash table memory.
> > And Snort stops running.
> > I didn't see this problem on the previous version that you sent me 2 or
> > 3 weeks ago.
> > Any clues?
> > Best Regards,
> > Pedro Fortuna
> The original EZ-bake packet oven.
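The rule under test above combines two relative content matches with a pcre, and it is worth seeing exactly which FTP command lines make it fire. The following Python is an added example, not Snort's matching engine and not code from this thread: it models only the payload options of Pedro's rule (the resp:reset_dest action is not modelled), runs them over a handful of constructed FTP command lines, and also checks an assumed, tightened pcre (my suggestion, not from the thread) that anchors the whole command line so that a prefix such as "USER rootkit" no longer matches.

```python
import re

# Added example (not Snort code): a simplified model of how the payload options
# of the rule in the message combine, run over constructed FTP command lines.
#   content:"USER"; nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi";
# Snort requires every option to match, and each content is searched relative
# to the end of the previous match.

ORIGINAL_PCRE = re.compile(rb"^USER\sroot", re.S | re.M | re.I)

# Assumed tightening (my suggestion, not from the thread): require the whole
# command line to be exactly "USER root", allowing only horizontal whitespace
# between the two words, so "USER rootkit" or "USER root2" no longer fire.
TIGHTENED_PCRE = re.compile(rb"^USER[ \t]+root[ \t]*\r?$", re.M | re.I)


def content_chain(payload: bytes) -> bool:
    """Model content:"USER"; nocase; content:"root"; distance:1; nocase."""
    lower = payload.lower()                     # nocase on both contents
    first = lower.find(b"user")
    if first < 0:
        return False
    # distance:1 -> the search for "root" starts 1 byte past the end of "USER".
    # Retrying later "USER" occurrences cannot help: they only move the start forward.
    start = first + len(b"user") + 1
    return lower.find(b"root", start) >= 0


def rule_matches(payload: bytes, pcre: re.Pattern = ORIGINAL_PCRE) -> bool:
    """Fire only when the content chain and the pcre both match."""
    return content_chain(payload) and pcre.search(payload) is not None


# Constructed FTP client command lines (not captured traffic).
SAMPLES = {
    b"USER root\r\n": "login as root, what the rule is for",
    b"user ROOT\r\n": "nocase / i flag: still matches",
    b"NOOP\r\nUSER root\r\n": "m flag lets ^ anchor at a later line",
    b"USER rootkit\r\n": "prefix match: the original pcre also fires here",
    b"USER anonymous\r\n": "no match",
    b"PASS root\r\n": 'content "USER" absent: no match',
}


def evaluate(pcre: re.Pattern = ORIGINAL_PCRE) -> dict:
    """Return {payload: fired} for every constructed sample under the given pcre."""
    return {p: rule_matches(p, pcre) for p in SAMPLES}


if __name__ == "__main__":
    for payload, note in SAMPLES.items():
        print(f"{payload!r:24} original={rule_matches(payload)!s:5} "
              f"tightened={rule_matches(payload, TIGHTENED_PCRE)!s:5}  {note}")
```

The point to take from the table it prints: the original rule is a good trigger for Pedro's test (any case, any preceding line), but because the pcre is only anchored at the start, every username beginning with "root" also resets the connection, which is a false-positive source worth closing before putting a reset action in front of real users.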