[Snort-users] flexresp2 is back and needs testing

Pedro Fortuna pedro.fortuna at ...11827...
Thu Sep 9 19:28:02 EDT 2004


Jeff, it seems ok now :)

I tried the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Tentativa de aceder
a FTP com user root!"; flow:to_server,established; content:"USER";
nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi";
classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)

And tried to access FTP server from a remote computer with username
root. Right after typing root and hitting enter, I got this output:

remoteserver.foo > ftp homenetwork.ftp.server
Connected to homenetwork.ftp.server
Name (homenetwork.ftp.server:foo): root
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: Transport endpoint is not connected
ftp> by

I think this should be the result expected. I'll do more tests later.

Best Regards,
Pedro Fortuna
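The rule in the post combines two `content` matches (the second with `distance:1`) and a `pcre`. As an added illustration, not part of the post and not Snort's own matcher, the following Python models how those three options combine on constructed FTP command payloads; it assumes Snort's documented `distance` semantics (the second pattern may only start one byte past the end of the previous match) and maps the `smi` pcre flags to DOTALL, MULTILINE and IGNORECASE.

```python
import re

# pcre:"/^USER\sroot/smi" -> s=DOTALL, m=MULTILINE, i=IGNORECASE
USER_ROOT_RE = re.compile(rb"^USER\sroot", re.S | re.M | re.I)


def content_chain_matches(payload: bytes) -> bool:
    """content:"USER"; nocase; content:"root"; distance:1; nocase;

    distance:1 means "root" may only begin at least one byte after the
    end of the "USER" match. Every "USER" occurrence is tried, since a
    later one may satisfy the chain when the first does not.
    """
    hay = payload.lower()          # nocase on both contents
    start = 0
    while True:
        i = hay.find(b"user", start)
        if i == -1:
            return False
        end_of_user = i + len(b"user")
        if hay.find(b"root", end_of_user + 1) != -1:
            return True
        start = i + 1


def rule_fires(payload: bytes) -> bool:
    """The rule fires only when the content chain AND the pcre match."""
    return content_chain_matches(payload) and USER_ROOT_RE.search(payload) is not None


# Constructed to_server FTP payloads with the result the model yields.
SAMPLES = {
    b"USER root\r\n": True,
    b"user ROOT\r\n": True,                      # nocase and /i
    b"USERroot\r\n": False,                      # distance:1 and \s both fail
    b"USER anonymous\r\nPASS root\r\n": False,   # contents match, pcre does not
    b"USER rootkit\r\n": True,                   # neither option anchors the end
}


def check_samples() -> dict:
    """Map each sample to whether the model agrees with the noted result."""
    return {p: rule_fires(p) == want for p, want in SAMPLES.items()}


if __name__ == "__main__":
    for payload, ok in check_samples().items():
        print(payload, "fires" if rule_fires(payload) else "silent", "OK" if ok else "MISMATCH")
```

The last sample shows that neither option requires the username to end after "root", so the rule also fires on longer names starting with it.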

On Thu, 9 Sep 2004 01:01:35 -0400, Jeff Nathan <jeff at ...950...> wrote:
> Erg..
> 
> Sorry about that.  Try the attached patch (version 1.0.2) instead, OK?
> 
> -Jeff
> 
> 
> 
> 
> On Sep 8, 2004, at 8:58 PM, Pedro Fortuna wrote:
> 
> > Jeff, I did, I used the sp_respond2.diff.gz you sent today directly to
> > my (other) mail box (pfeito_at_netcabo.pt) and to other 6 or 7 guys.
> >
> > I'm going to repeat the process as I type this e-mail:
> >
> > Installation (you can see filesize and confirm that it is version
> > 1.0.1):
> > -rw-r--r--  1 root root  16414 Sep  9 02:55 sp_respond2.diff.gz
> >
> > # gzip -d sp_respond2.diff.gz
> >
> > -rw-r--r--  1 root root  66323 Sep  9 02:55 sp_respond2.diff
> >
> > # patch -p0 < sp_respond2.diff
> > patching file configure.in
> > patching file doc/Makefile.am
> > patching file doc/README.FLEXRESP2
> > patching file src/parser.c
> > patching file src/plugbase.c
> > patching file src/snort.h
> > patching file src/detection-plugins/Makefile.am
> > patching file src/detection-plugins/sp_react.c
> > patching file src/detection-plugins/sp_react.h
> > patching file src/detection-plugins/sp_respond.c
> > patching file src/detection-plugins/sp_respond.h
> > patching file src/detection-plugins/sp_respond2.c
> > patching file src/detection-plugins/sp_respond2.h
> >
> > # aclocal
> > # autoheader
> > # automake
> > # autoconf
> >
> > # ./configure --with-mysql=/usr/local/mysql --enable-flexresp2
> > # make
> > # make install
> > # /etc/init.d/snort start
> > # grep "sp_respond" /var/log/messages
> > Sep  9 03:08:29 paco snort: FATAL ERROR: sp_respond2: Unable to
> > allocate hash table memory.
> >
> > And Snort stops running.
> > I didn't see this problem on the previous version that you sent me 2 or
> > 3 weeks ago.
> >
> > Any clues?
> >
> > Best Regards,
> > Pedro Fortuna
> >
> 
> --
> The original EZ-bake packet oven.
> http://nemesis.sourceforge.net
> 
> 
> 
> 
>