[Snort-users] Snort tcp reset

Russ Combs rcombs at ...1935...
Fri May 4 10:40:50 EDT 2012


Did you check README.active?

On Fri, May 4, 2012 at 10:00 AM, Daniele Gallarato <
daniele.gallarato at ...11827...> wrote:

> Hello.
>
> I've installed Snort version 2.9.2.2 onto an Ubuntu server
> (2.6.32-41-server #88-Ubuntu SMP).
>
> I've followed this good guide:
>
>
> http://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CHsQFjAB&url=http%3A%2F%2Fwww.snort.org%2Fassets%2F158%2F014-snortinstallguide292.pdf&ei=zd-jT5vCBPTa4QSl0rifCQ&usg=AFQjCNGaL8nB1vZPRodUBX6IQluwufpbFQ&sig2=FqFj5w3hOXP1NBcn3gbxoQ
>
> All seems to work properly.
>
> The only thing that doesn't work is flexresp3.
>
> In an old installation (2.4.3) with old flexresp, resets work.
>
> In this new installation, I've compiled snort with:
>
> ./configure --prefix=/usr/local/snort --enable-sourcefire
> --enable-active-response --enable-flexresp3
> make
> make install
>
> and written some local.rules (they work) and some reset.rules (they hit
> the rule, appear in reports, but don't reset).
>
> Rule is:
>
> alert tcp <my_ip> any -> $HOME_NET 3389 (resp: rst_all; msg:"Reset Sessioni Remote Desktop" ; sid:200004;)
>
> I've also checked packets with wireshark, I can't see any reset.
>
> Any help will be appreciated.
>
> Thanks
> Daniele Gallarato
>
>
>
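A first thing worth checking before the build and README.active settings is the rule text itself. The Python below is an added example, not part of this thread or of Snort: it parses a single-line Snort 2.9 rule (a constructed copy of the rule from the post, with the poster's `<my_ip>` placeholder kept) and lints the `resp` option against the flexresp3 modifiers as I recall them from the Snort manual (`rst_snd`/`rst_rcv`/`rst_all`, their `reset_*` aliases, and the `icmp_*` variants); `RESP_MODIFIERS`, `parse_rule`, `resp_modifiers` and `validate_resp` are names I chose. It flags a misspelled modifier or a TCP reset requested on a non-TCP rule, the two mistakes a rule lint can catch; whether the response device is configured (the README.active side) is not visible in the rule and has to be checked in snort.conf.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the rule quoted in the thread, with the poster's
# <my_ip> placeholder left as-is (a real rule needs an address or variable).
SAMPLE_RULE = ('alert tcp <my_ip> any -> $HOME_NET 3389 (resp: rst_all; '
               'msg:"Reset Sessioni Remote Desktop" ; sid:200004;)')

# flexresp3 modifiers for the resp option, as listed in the Snort 2.9 manual
# (assumption: reproduced from memory; confirm against README.active).
RESP_MODIFIERS = {
    "rst_snd", "rst_rcv", "rst_all",
    "reset_source", "reset_dest", "reset_both",
    "icmp_net", "icmp_host", "icmp_port", "icmp_all",
}
TCP_RESET_MODIFIERS = {m for m in RESP_MODIFIERS if m.startswith(("rst_", "reset_"))}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$',
    re.S,
)


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the option body on ';' while respecting quoted strings and
    backslash escapes; returns (keyword, value) pairs, value '' for bare
    keywords such as 'nocase'."""
    opts: List[Tuple[str, str]] = []
    cur: List[str] = []
    in_quote = escape = False

    def flush() -> None:
        token = "".join(cur).strip()
        if token:
            key, _, value = token.partition(":")
            opts.append((key.strip(), value.strip()))
        cur.clear()

    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\":
            cur.append(ch)
            escape = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            flush()
        else:
            cur.append(ch)
    flush()
    return opts


def parse_rule(text: str) -> Dict[str, object]:
    """Parse one single-line Snort rule into header fields and options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a recognisable Snort rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    return {
        "action": action, "proto": proto,
        "src": src, "sport": sport, "dir": direction,
        "dst": dst, "dport": dport,
        "options": split_options(body),
    }


def resp_modifiers(rule: Dict[str, object]) -> List[str]:
    """All modifiers requested via resp:, in order (comma lists allowed)."""
    mods: List[str] = []
    for key, value in rule["options"]:
        if key == "resp":
            mods.extend(part.strip() for part in value.split(",") if part.strip())
    return mods


def validate_resp(rule: Dict[str, object]) -> List[str]:
    """Lint findings about the rule's resp option; empty list means the
    option is well-formed for this rule's protocol."""
    findings: List[str] = []
    for mod in resp_modifiers(rule):
        if mod not in RESP_MODIFIERS:
            findings.append("unknown resp modifier %r" % mod)
        elif mod in TCP_RESET_MODIFIERS and rule["proto"] != "tcp":
            findings.append("%s sends TCP resets but the rule protocol is %s"
                            % (mod, rule["proto"]))
    return findings


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule["proto"], rule["dst"], rule["dport"], resp_modifiers(rule))
    print("findings:", validate_resp(rule) or "none")
```

For the rule from the post the lint comes back clean (`rst_all` on a `tcp` rule), which is consistent with the reply: the rule is fine, so the missing resets are a build or configuration question, not a rule-syntax one.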

