[Snort-users] FlexResp settings
mvr_it at ...125...
Wed Apr 6 13:50:05 EDT 2005
I tried resp:rst_all in the rules.
I am not getting any alerts when this setting is done. If this is removed
then I am getting
What could be the problem?
I want to get all alerts even when the flexresp is added. How can I do
>From: Carlos Baños Oliva <carlos at ...13246...>
>To: <mvr_it at ...125...>
>Subject: Error running Snort
>Date: Sun, 20 Mar 2005 18:44:53 -0500
>The error you get when you don't specify the -l switch on the command
>line is because it tries to find "/var/log/snort". As you are running snort
>on Windows, it won't (of course) find that path. (Remember, snort was born
>in a Unix/Linux environment.)
>I'm not a "Guru" on snort but I have been using it for a year and I have tested the
>FlexResp in its rules, for example:
>alert tcp any any -> $HOME_NET $NETBIOS_PORTS (msg: "DCOM_RPC exploits";
>flags: S; content: "|03 4C BB 00 00 01|"; resp: rst_all;)
>It would close all connections from outside trying to access any internal PC
>with that vulnerability. I have tested that rule and it works!
>Greetings and good luck!