[Snort-users] FlexResp settings

Mr. venkat mvr_it at ...125...
Wed Apr 6 13:50:05 EDT 2005


Hi,
      I tried resp:rst_all in the rules.
I am not getting any alerts when this setting is done. If this is removed 
then I am getting
all alerts.
What could be the problem?
       I want to get all alerts even when the flexresp is added. How can I do 
this?

Thanks,
Ramana...


>From: Carlos Baños Oliva <carlos at ...13246...>
>To: <mvr_it at ...125...>
>Subject: Error running Snort
>Date: Sun, 20 Mar 2005 18:44:53 -0500
>
>Hi:
>
>
>The error you get when you don't specify the -l switch on the command 
>line is because it tries to find "/var/log/snort". As you are running snort 
>on Windows, it won't (of course) find that path. (Remember, snort was born 
>in a Unix/Linux environment.)
>
>I'm not a "Guru" on snort but I have been using it for a year and I have tested the 
>FlexResp in its rules, for example:
>
>alert tcp any any -> $HOME_NET $NETBIOS_PORTS (msg: "DCOM_RPC exploits"; 
>flags: S; content: "|03 4C BB 00 00 01|"; resp: rst_all;)
>
>It would close all connections from outside trying to access any internal PC 
>with that vulnerability. I have tested that rule and it works!
>
>Greetings and good luck !
>Carlos
