[Snort-users] Error on new Rule

Kendall Risselada krisselada at ...1150...
Wed Mar 16 06:44:58 EST 2005


As the UDP protocol is stateless, I don't know how this would be implemented.

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ron Jenkins
Sent: Wednesday, March 16, 2005 6:33 AM
To: Joel Esler
Cc: snort-users
Subject: RE: [Snort-users] Error on new Rule


Does Snort's FlexResp have an option to work with UDP?

Thanks...

-----Original Message-----
From: Joel Esler [mailto:eslerj at ...11827...] 
Sent: Wednesday, March 16, 2005 8:35 AM
To: Ron Jenkins
Subject: Re: [Snort-users] Error on new Rule

Ron,

Flexresp works by sending a RST 'flagged' packet in the middle of a 
conversation to abruptly terminate a conversation in the middle of it.  
(If you need more explanation I will be glad to help.) Since UDP does 
not have packet flags, this is impossible.


Joel Esler
BASE Project Lead
http://secureideas.sourceforge.net


On Mar 16, 2005, at 09:12, Ron Jenkins wrote:

> On the below new rule, I added the react:block for the FlexResp
> feature of snort. 
>
>   
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito
> Search Query"; content:"|01 02 00 14|"; offset:16; depth:4; 
> reference:url,www.blubster.com; 
> reference:url,openlito.sourceforge.net; react:block; 
> classtype:policy-violation; sid:3459; rev:2;)
>
>  
>
> I get the below error:
>
>  
>
> ERROR: Line /etc/snort/local.rules(28): TCP Options on non-TCP rule
>
> Fatal Error, Quitting..
>
>  
>
> Does FlexResp only work on TCP rules and not UDP?
>
>  
>
> Thanks...
>
>  
>
>  
>
> Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA)
>  Senior Architect
> Data Integrity, LLC
>  "We Integrate People with Solutions"
> 1724 Dallas Drive
>  Suite 11
> Baton Rouge, La 70806
>  Office. 225.927.8030
>  Fax. 225.927.8033
>  Cell. 225.931.1632
>  Email. rjenkins at ...12829...
>  Web. www.dibr.net
>
>   
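
A pre-flight check for the startup failure discussed in this thread, as an added example that is not part of the original messages or of Snort itself: it scans a rules file for TCP-only options on non-TCP rules before Snort is restarted. Only `react` in `TCP_ONLY` comes from the thread; the other keywords are an assumption, and the function names and the two extra sample rules are constructed for illustration.

```python
import re

# Assumption: options treated as TCP-only. "react" is from the thread; the
# TCP header tests (flags, seq, ack, window) are added here for illustration.
TCP_ONLY = {"react", "flags", "seq", "ack", "window"}
HEADER = re.compile(r'^\s*(\w+)\s+(\w+)\s+[^()]*\((.*)\)\s*$')  # action, proto, (options)

def option_names(body):
    """Yield option keywords, ignoring ';' and ':' inside quoted strings."""
    token, quoted, escaped = [], False, False
    for ch in body:
        if ch == ";" and not quoted:
            name = "".join(token).split(":", 1)[0].strip()
            if name:
                yield name
            token = []
            continue
        token.append(ch)
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted

def lint(text):
    """Return (first_line_of_rule, protocol, keyword) for each TCP-only option on a non-TCP rule."""
    findings, pending, start = [], "", 0
    for n, line in enumerate(text.splitlines(), 1):
        if not pending:
            start = n                      # remember where a multi-line rule begins
        if line.rstrip().endswith("\\"):   # backslash continuation: keep collecting
            pending += line.rstrip()[:-1] + " "
            continue
        rule, pending = pending + line, ""
        m = None if rule.lstrip().startswith("#") else HEADER.match(rule)
        if m and m.group(2).lower() != "tcp":
            findings += [(start, m.group(2).lower(), name)
                         for name in option_names(m.group(3)) if name in TCP_ONLY]
    return findings

SAMPLE = '''\
# constructed local.rules excerpt; the first rule is the one quoted in the thread
alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; \\
    content:"|01 02 00 14|"; offset:16; depth:4; reference:url,www.blubster.com; \\
    reference:url,openlito.sourceforge.net; react:block; classtype:policy-violation; sid:3459; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed tcp rule"; react:block; sid:1000001; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"constructed; react:block; only in msg"; sid:1000002; rev:1;)
'''

if __name__ == "__main__":
    for n, proto, kw in lint(SAMPLE):
        print(f"local.rules({n}): '{kw}' used on a {proto} rule")
```
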


