[Snort-users] Snort tcp reset

Daniele Gallarato daniele.gallarato at ...11827...
Fri May 4 10:00:48 EDT 2012


I've installed Snort version onto an Ubuntu server
(2.6.32-41-server #88-Ubuntu SMP).

I've followed this good guide:


All seems to work properly.

Only thing that doesn't work is flexresp3.

In an old installation (2.4.3) with old flexresp, resets work.

In this new installation, I've compiled snort with:

./configure --prefix=/usr/local/snort --enable-sourcefire --enable-active-response --enable-flexresp3
make install

and written some local.rules (they work) and some reset.rules (they hit the
rule, appear in reports, but don't reset).

Rule is:

alert tcp <my_ip> any -> $HOME_NET 3389 (resp: rst_all; msg:"Reset Sessioni Remote Desktop" ; sid:200004;)

I've also checked packets with wireshark, I can't see any reset.

Any help will be appreciated.

Daniele Gallarato