[Snort-users] Snort 2.6 working with Snortsam, Redhat and a Cisco ASA

Joel Esler joel.esler at ...1935...
Thu Apr 5 17:25:38 EDT 2007


Or even better.  Compile in inline mode, so that you don't create a "race" condition with flexresp.

(Race == hoping that the RST beats the actual ACK from the attack back to the attacker)

Joel


On Thu, Apr 05, 2007 at 05:16:47PM -0400, it looks like Paul Melson sent me:
> On 4/5/07, Lang, Robert <Robert.Lang at ...13183...> wrote:
> > Has anyone had any luck getting rule blocking working with Snortsam and
> > a Cisco ASA?  It works like a charm with our Watchguard Firewall, but
> > with our PIX/ASA I always get a message that says "Error: [pix] Did not
> > receive a response waiting for logon prompt from PIX at x.x.x.x".
> 
> Using telnet to manage firewalls?  Tsk-tsk.  :-)
> 
> The problem is either that:
> 
> 1) Cisco routers and firewalls by default skip the standard "login:"
> prompt most telnet servers offer up and go right to "Password:"  Use
> the 'pix' directive in your snortsam conf file instead:
> 
> pix 10.0.0.1 [telnetpass] [enablesecret] [config]
> 
> 2) You *are* using the pix directive and you have AAA user
> authentication turned on on the PIX and it *is* generating a "login:"
> prompt.  Use:
> 
> pix 10.0.0.1 [user]/[password] [enablesecret] [config]
> 
> 
> Seriously, though, I would consider building Snort with flexresp and
> modifying those rules that pertain to you to fire off ICMP type 3 or
> TCP RST packets that will cause whatever firewall to drop the
> connection.  Then you can turn telnet off. :-)
> 
> PaulM
> 
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 



+---------------------------------------------------------------------+
Joel Esler                                          Security Consultant
         gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+




More information about the Snort-users mailing list