[Snort-users] Snort tcp reset

Daniele Gallarato daniele.gallarato at ...11827...
Fri May 4 10:00:48 EDT 2012


Hello.

I've installed snort version 2.9.2.2 onto an ubuntu server
(2.6.32-41-server #88-Ubuntu SMP).

I've followed this good guide:

http://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CHsQFjAB&url=http%3A%2F%2Fwww.snort.org%2Fassets%2F158%2F014-snortinstallguide292.pdf&ei=zd-jT5vCBPTa4QSl0rifCQ&usg=AFQjCNGaL8nB1vZPRodUBX6IQluwufpbFQ&sig2=FqFj5w3hOXP1NBcn3gbxoQ

All seems to work properly.

Only thing that doesn't work is flexresp3.

In an old installation (2.4.3) with old flexresp, resets work.

In this new installation, I've compiled snort with:

./configure --prefix=/usr/local/snort --enable-sourcefire
--enable-active-response --enable-flexresp3
make
make install

and written some local.rules (they work) and some reset.rules (they hit the
rule, appear in reports, but doesn't reset).

Rule is:

alert tcp <my_ip> any -> $HOME_NET 3389 (resp: rst_all; msg:"Reset Sessioni
Remote Desktop" ; sid:200004;)

I've also checked packets with wireshark, I can't see any reset.

Any help will be appreciated.

Thanks
Daniele Gallarato
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120504/38db5884/attachment.html>


More information about the Snort-users mailing list