[Snort-users] snort 2.3.3 --enable-flexresp
rosa.schwein at ...12989...
Wed Apr 27 15:19:10 EDT 2005
thanks for the reply
i can't follow you. why should routing or anti-spoofing settings in cp
be changed, if i only insert a ' content:"hello"; ' in one rule? (see below)
and without this the action resp:rst_all; is o.k. and disconnects
On Mon, Apr 25, 2005 at 09:03:01AM -0600, John C. Silvia wrote:
> Remember that the tcp resets generated by flexresp go out via the
> default route or whatever route is more appropriate.
> This is very limiting, but can still be useful. For starters, this
> means that if you have a snort setup with two interfaces - one with an IP
> for management and one without for sniffing, then your detector will be
> sending out the resets on the TCP interface.
> If you're huddling IDSs behind a Check Point firewall for instance, and
> you have a dedicated DMZ for the IDSs, then you must disable address
> spoofing on that interface of the Check Point (and deal with the griping
> and consequences) in order for FlexResp to work.
> Snortsam is a better choice since it'll block at the router or firewall,
> and you don't have to turn off any anti-spoofing. Inline is perhaps the
> best method, but carries too many risks as it can become a point of failure.
> hans wrote:
> >hi all
> >i tried the experimental feature '--enable-flexresp' for
> >compiling snort 2.3.3 on solaris 9 (both sparc and intel platform)
> >the first tests did run well, the following rule did
> >disconnect an incoming connection immediately:
> >alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; resp:rst_all; )
> >the next step was to modify this rule slightly. the disconnect should
> >only happen if the word "hello" was seen, with this rule:
> >alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; content:"hello";
> >resp:rst_all; )
> >i telnet to port 25, key in "hello" (knowing it's not an smtp dialog)
> >and nothing happens. i get a log entry, so the rule is involved
> >if the word "hello" is seen, but no disconnect.
> >i searched a long time around the internet, but could not find
> >any advice on what the problem could be.
> >any advice would be helpful.
> >just disconnecting any incoming connection could be the idea, a
> >tcpwrapper could do this job too.
> >best regards
> John C. Silvia
> VP Information Systems & CTO
> Cadamier Internet Security Corporation
> john at ...13282...
> 303-249-3204 cell
> 720-898-4872 office
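Added illustration, not code from the thread: a small model of the interaction John describes, where the sensor's resp:rst_all resets leave via its routed management interface and a firewall with per-interface anti-spoofing drops them because their source addresses do not belong to that interface. The topology, addresses and interface names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: the source networks the firewall expects on each
# interface (Check Point-style anti-spoofing). The IDS management port
# sits in its own DMZ; the protected mail server is in $HOME_NET.
STRICT_TOPOLOGY = {
    "eth_dmz": [ipaddress.ip_network("192.0.2.0/24")],   # IDS management DMZ
    "eth_int": [ipaddress.ip_network("10.10.0.0/16")],   # $HOME_NET
    "eth_ext": [ipaddress.ip_network("0.0.0.0/0")],      # everything else
}

# Same topology with anti-spoofing disabled on the DMZ interface, i.e.
# the change John says is required for FlexResp resets to get through.
RELAXED_TOPOLOGY = dict(STRICT_TOPOLOGY, eth_dmz=[ipaddress.ip_network("0.0.0.0/0")])

@dataclass
class Packet:
    src: str
    dst: str
    flags: str      # "R" marks a TCP reset
    ingress: str    # firewall interface the packet arrives on

def antispoof_allows(pkt, topology):
    """True if the packet's source address is one the firewall expects
    to see arriving on pkt.ingress; otherwise anti-spoofing drops it."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in topology[pkt.ingress])

def flexresp_resets(client, server, ids_egress):
    """Model resp:rst_all: the sensor forges one RST toward each end of
    the session, each carrying the *other* end's address as source.
    Both leave through the sensor's routed interface, not the sniffing one."""
    return [
        Packet(src=server, dst=client, flags="R", ingress=ids_egress),
        Packet(src=client, dst=server, flags="R", ingress=ids_egress),
    ]

def resets_delivered(client, server, ids_egress, topology):
    """Return only the resets the firewall would actually forward."""
    return [p for p in flexresp_resets(client, server, ids_egress)
            if antispoof_allows(p, topology)]

if __name__ == "__main__":
    # Constructed session: external client talking to the internal SMTP server.
    for name, topo in (("strict", STRICT_TOPOLOGY), ("relaxed", RELAXED_TOPOLOGY)):
        kept = resets_delivered("203.0.113.5", "10.10.1.25", "eth_dmz", topo)
        print(f"{name}: {len(kept)} of 2 resets forwarded")
```

With the strict topology neither forged reset passes the DMZ interface, so the session stays up even though the rule fired; relaxing anti-spoofing on that interface lets both through.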
> Snort-users mailing list
> Snort-users at lists.sourceforge.net