[Snort-users] Error on new Rule

Ron Jenkins rjenkins at ...12829...
Wed Mar 16 06:39:28 EST 2005


Does Snort's FlexResp have an option to work with UDP?

Thanks...

-----Original Message-----
From: Joel Esler [mailto:eslerj at ...11827...] 
Sent: Wednesday, March 16, 2005 8:35 AM
To: Ron Jenkins
Subject: Re: [Snort-users] Error on new Rule

Ron,

Flexresp works by sending a RST 'flagged' packet in the middle of a 
conversation to abruptly terminate it. (If you need more explanation, 
I will be glad to help.) Since UDP does not have packet flags, this is 
impossible.


Joel Esler
BASE Project Lead
http://secureideas.sourceforge.net


On Mar 16, 2005, at 09:12, Ron Jenkins wrote:

> On the below new rule, I added the react:block for the FlexResp 
> feature of snort. 
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito 
> Search Query"; content:"|01 02 00 14|"; offset:16; depth:4; 
> reference:url,www.blubster.com; 
> reference:url,openlito.sourceforge.net; react:block; 
> classtype:policy-violation; sid:3459; rev:2;)
>
> I get the below error:
>
> ERROR: Line /etc/snort/local.rules(28): TCP Options on non-TCP rule
>
> Fatal Error, Quitting..
>
> Does FlexResp only work on TCP rules and not UDP?
>
> Thanks...
>
> Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA)
>  Senior Architect
> Data Integrity, LLC
>  "We Integrate People with Solutions"
> 1724 Dallas Drive
>  Suite 11
> Baton Rouge, La 70806
>  Office. 225.927.8030
>  Fax. 225.927.8033
>  Cell. 225.931.1632
>  Email. rjenkins at ...12829...
>  Web. www.dibr.net
>
>   
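
A pre-flight check for the failure in this thread, as an added example that is not part of the original messages or of Snort itself: it scans a rules file for `react` on a non-TCP rule, the combination Snort rejected above with "TCP Options on non-TCP rule". The function names and every sample rule other than the posted one are constructed for illustration.

```python
import re

# Constructed sample: line 2 is the post's rule minus its reference: options.
SAMPLE_RULES = r'''# local.rules (constructed sample)
alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; content:"|01 02 00 14|"; offset:16; depth:4; react:block; classtype:policy-violation; sid:3459; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed; react:block inside msg"; \
    content:"example"; react:block; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"constructed react:warn text only"; sid:1000002; rev:1;)
'''

# Rule header: action, protocol, addresses/ports, then the option body.
HEADER = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+'
                    r'[^(]*\((.*)\)\s*$', re.S)

def logical_rules(text):
    """Join backslash-continued lines; yield (first_line_no, rule_text)."""
    start, parts = None, []
    for num, line in enumerate(text.splitlines(), 1):
        start = start or num
        if line.rstrip().endswith('\\'):
            parts.append(line.rstrip()[:-1])
            continue
        yield start, ' '.join(parts + [line])
        start, parts = None, []

def option_names(body):
    """Return option keywords, splitting only on ';' outside double quotes."""
    names, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ';' and not quoted:
            names.append(''.join(buf).split(':', 1)[0].strip())
            buf = []
            continue
        buf.append(ch)
    return names

def find_react_on_non_tcp(text):
    """Return [(line_no, protocol)] for rules that use react without tcp."""
    hits = []
    for num, rule in logical_rules(text):
        m = None if rule.lstrip().startswith('#') else HEADER.match(rule)
        if m and m.group(1).lower() != 'tcp' and 'react' in option_names(m.group(2)):
            hits.append((num, m.group(1).lower()))
    return hits
```

Only the UDP rule is reported; the TCP rule and the ICMP rule whose `msg` text merely mentions react are left alone.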




