[Snort-users] flexresp2 is back and needs testing

Pedro Fortuna pedro.fortuna at ...11827...
Sat Sep 18 11:49:01 EDT 2004


> I believe the code will be imported to the snort CVS tree soon.

Jeff,
Is it in the snort CVS tree now? Any new version (I'm running 1.0.2)?

Best Regards,
Pedro Fortuna

On Thu, 9 Sep 2004 12:03:58 -0400, Jeff Nathan <jeff at ...950...> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> On Sep 9, 2004, at 7:02 AM, Pedro Fortuna wrote:
> 
> > Jeff, it seems ok now :)
> >
> > I tried the rule:
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Tentativa de aceder
> > a FTP com user root!"; flow:to_server,established; content:"USER";
> > nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi";
> > classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)
> >
> > And tried to access FTP server from a remote computer with username
> > root. Right after typing root and hitting enter, I got this output:
> >
> > remoteserver.foo > ftp homenetwork.ftp.server
> > Connected to homenetwork.ftp.server
> > Name (homenetwork.ftp.server:foo): root
> > 421 Service not available, remote server has closed connection
> > Login failed.
> > No control connection for command: Transport endpoint is not connected
> > ftp> by
> >
> > I think this should be the result expected. I'll do more tests later.
> >
> > Best Regards,
> > Pedro Fortuna
> 
> Pedro,
> 
> excellent.  I'm glad it worked.  Anyone using active response on
> unix-like systems (i.e. flexresp) should consider applying the patch I
> sent to the snort-users mailing list.
> 
> I believe the code will be imported to the snort CVS tree soon.
> 
> - -Jeff
> 
> - --
> http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
> Part-time software mechanic, full-time daredevil!
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
> 
> iD8DBQFBQH7yEqr8+Gkj0/0RAn/FAKCjEHe460mtM0icUOl1UGwSxj83tQCfctTa
> tb9i3z5jK5XRdtflcoGUHp8=
> =sebz
> -----END PGP SIGNATURE-----
> 
>
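To make the quoted rule's matching logic concrete, here is an added example (not code from this thread, from Snort, or from the flexresp2 patch) that re-implements the rule's detection keywords in plain Python and reports the response action the rule would request. It models only `content:"USER"; nocase; content:"root"; distance:1; nocase;` and `pcre:"/^USER\sroot/smi"`; the `flow`, port and address conditions are assumed to be already satisfied, and the sample FTP command lines are constructed for the example. It also shows an edge case the rule as written does not cover: because the pcre is not end-anchored, a username such as `rootkit` also triggers it.

```python
import re

# Python equivalent of the rule's pcre:"/^USER\sroot/smi"
# Snort's s, m and i flags map onto re.DOTALL, re.MULTILINE and re.IGNORECASE.
USER_ROOT_PCRE = re.compile(rb"^USER\sroot", re.DOTALL | re.MULTILINE | re.IGNORECASE)


def content_chain_matches(payload: bytes) -> bool:
    """Model content:"USER"; nocase; content:"root"; distance:1; nocase;

    distance:1 means the second pattern may only begin at least one byte
    after the end of the previous match. Like Snort, we retry with later
    occurrences of the first pattern if the second one is not found.
    """
    hay = payload.lower()  # nocase on both contents
    start = 0
    while True:
        i = hay.find(b"user", start)
        if i == -1:
            return False
        prev_end = i + len(b"user")
        if hay.find(b"root", prev_end + 1) != -1:
            return True
        start = i + 1


def rule_matches(payload: bytes) -> bool:
    """All detection options in a Snort rule are ANDed together."""
    return content_chain_matches(payload) and USER_ROOT_PCRE.search(payload) is not None


def response_for(payload: bytes):
    """Return the active-response action the rule requests, or None.

    resp:reset_dest tells the sensor to send a TCP RST towards the
    destination (the FTP server), which is what the quoted ftp client
    transcript shows as the server closing the control connection.
    """
    return "reset_dest" if rule_matches(payload) else None


# Constructed FTP control-channel samples (not captured traffic) with the
# verdict the rule's keywords produce for each.
SAMPLES = {
    b"USER root\r\n": True,           # the case the rule targets
    b"user ROOT\r\n": True,           # nocase on contents, /i on the pcre
    b"USER  root\r\n": False,         # contents match, but \s allows one space only
    b"USERroot\r\n": False,           # distance:1 requires a gap after "USER"
    b"USER rootkit\r\n": True,        # pcre is not end-anchored: false positive
    b"PASS root\r\n": False,          # no USER command at all
    b"STAT\r\nUSER root\r\n": True,   # /m lets ^ match at the start of a later line
}


def check_samples() -> bool:
    """Verify every sample produces the expected verdict."""
    return all(rule_matches(p) is expected for p, expected in SAMPLES.items())


if __name__ == "__main__":
    for payload, expected in SAMPLES.items():
        print(f"{payload!r:28} -> match={rule_matches(payload)!s:5} action={response_for(payload)}")
    print("all samples as expected:", check_samples())
```

The `rootkit` sample is the practical caveat: a tighter pattern such as `/^USER\sroot\r?$/mi` would confine the reset to the exact username, which matters when the response is an active one that tears down the server-side connection.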
