[Snort-users] flexresp2 is in CVS

Jeff Nathan jeff at ...950...
Sat Sep 18 15:01:02 EDT 2004



Hi Pedro,

Yes, version 1.0.2 is in CVS.  EVERYONE running a CVS version of snort 
with flex response should switch to flex response 2.

-Jeff

On Sep 18, 2004, at 2:48 PM, Pedro Fortuna wrote:

>> I believe the code will be imported to the snort CVS tree soon.
>
> Jeff,
> Is it in the snort CVS tree now? Any new version (I'm running
> 1.0.2)?
>
> Best Regards,
> Pedro Fortuna
>
> On Thu, 9 Sep 2004 12:03:58 -0400, Jeff Nathan <jeff at ...950...> wrote:
>>
>> On Sep 9, 2004, at 7:02 AM, Pedro Fortuna wrote:
>>
>>> Jeff, it seems ok now :)
>>>
>>> I tried the rule:
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"Tentativa de aceder
>>> a FTP com user root!"; flow:to_server,established; content:"USER";
>>> nocase; content:"root"; distance:1; nocase; pcre:"/^USER\sroot/smi";
>>> classtype:suspicious-login; sid:1000002; rev:2; resp: reset_dest;)
>>>
>>> And tried to access the FTP server from a remote computer with username
>>> root. Right after typing root and hitting enter, I got this output:
>>>
>>> remoteserver.foo > ftp homenetwork.ftp.server
>>> Connected to homenetwork.ftp.server
>>> Name (homenetwork.ftp.server:foo): root
>>> 421 Service not available, remote server has closed connection
>>> Login failed.
>>> No control connection for command: Transport endpoint is not 
>>> connected
>>> ftp> by
>>>
>>> I think this should be the result expected. I'll do more tests later.
>>>
>>> Best Regards,
>>> Pedro Fortuna
>>
>> Pedro,
>>
>> Excellent.  I'm glad it worked.  Anyone using active response on
>> Unix-like systems (i.e. flexresp) should consider applying the patch I
>> sent to the snort-users mailing list.
>>
>> I believe the code will be imported to the snort CVS tree soon.
>>
>> -Jeff
>>
>> --
>> http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
>> Part-time software mechanic, full-time daredevil!
>>
>>

--
The most technical single-track security conference in the West.
Vancouver B.C., Canada   April, 2004   http://cansecwest.com
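Pedro's rule from the quoted thread, modelled in Python as an added example (this is not code from the thread or from Snort): it shows how the two content checks and the pcre combine over constructed FTP command lines, including a line the rule fires on unintentionally because the pcre has no end anchor. The TCP reset that resp:reset_dest sends is not modelled, only the match decision.

```python
import re

# Added example (not code from the thread or from Snort): models how the
# three match conditions in the quoted rule combine on an FTP command stream.
#   content:"USER"; nocase; content:"root"; distance:1; nocase;
#   pcre:"/^USER\sroot/smi";
# The resp:reset_dest action itself (the reset flexresp2 sends) is not modelled.

# /s: dot matches newline, /m: ^ matches at any line start, /i: case-insensitive
USER_ROOT_RE = re.compile(r"^USER\sroot", re.S | re.M | re.I)


def contents_match(payload: str) -> bool:
    """content:"USER"; nocase; content:"root"; distance:1; nocase;

    distance:1 makes the second content relative: "root" must start at least
    one byte after the end of the "USER" match. Like Snort, retry later
    occurrences of "USER" when the relative match fails for an earlier one."""
    low = payload.lower()
    start = 0
    while (i := low.find("user", start)) >= 0:
        if low.find("root", i + len("user") + 1) >= 0:
            return True
        start = i + 1
    return False


def rule_matches(payload: str) -> bool:
    """True when both content checks and the pcre would fire on this payload."""
    return contents_match(payload) and USER_ROOT_RE.search(payload) is not None


# Constructed FTP client payloads (not captured traffic) and the rule's verdict.
SAMPLES = [
    ("USER root\r\n", True),                    # the case tested in the thread
    ("user ROOT\r\n", True),                    # nocase and /i: case is ignored
    ("USER rootbeer\r\n", True),                # no end anchor: unintended match
    ("USER  root\r\n", False),                  # \s allows exactly one whitespace char
    ("USER alice\r\nPASS root\r\n", False),     # contents match, pcre does not
    ("USER anonymous\r\nUSER root\r\n", True),  # /m: ^ matches at the second line
    ("PASS root\r\n", False),                   # no USER command at all
]


def check_samples() -> bool:
    """Return True when every constructed sample gets its expected verdict."""
    return all(rule_matches(p) == expected for p, expected in SAMPLES)


if __name__ == "__main__":
    for payload, expected in SAMPLES:
        print(f"{payload!r:40} -> {rule_matches(payload)} (expected {expected})")
```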
