[Snort-users] Snort tcp reset
daniele.gallarato at ...11827...
Fri May 4 10:58:43 EDT 2012
I don't understand well the difference between flexresp3 (previously I've
used flexresp1, so I've tried to use flexresp3) and active-response.
If I configure
config response: device eth0 attempts 2
when Snort hits a reset rule, it floods the network and I can't reach it.
* Flexresp3 is new: the resp rule option keyword is used to configure active
responses for rules that fire.
alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)
* resp_t includes all flexresp and flexresp2 options:
<resp_t> ::= \
rst_snd | rst_rcv | rst_all | \
reset_source | reset_dest | reset_both | icmp_net | \
icmp_host | icmp_port | icmp_all
See README.flexresp3 for more.
2012/5/4 Russ Combs <rcombs at ...1935...>
> Did you check README.active?
> On Fri, May 4, 2012 at 10:00 AM, Daniele Gallarato <
> daniele.gallarato at ...11827...> wrote:
>> I've installed snort version 18.104.22.168 onto an ubuntu server
>> (2.6.32-41-server #88-Ubuntu SMP).
>> I've followed this good guide:
>> All seems to work properly.
>> Only thing that doesn't work is flexresp3.
>> In an old installation (2.4.3) with old flexresp, resets work.
>> In this new installation, I've compiled snort with:
>> ./configure --prefix=/usr/local/snort --enable-sourcefire
>> --enable-active-response --enable-flexresp3
>> make install
>> and written some local.rules (they work) and some reset.rules (they hit
>> the rule, appear in reports, but don't reset).
>> Rule is:
>> alert tcp <my_ip> any -> $HOME_NET 3389 (resp: rst_all; msg:"Reset
>> Sessioni Remote Desktop" ; sid:200004;)
>> I've also checked packets with wireshark, I can't see any reset.
>> Any help will be appreciated.
>> Daniele Gallarato
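As an added example (not from this thread and not Snort's own code), here is a small Python checker that parses a rule line, validates its resp: value against the <resp_t> grammar quoted above, and flags rules whose resp would fire for any source and any destination, which is worth reviewing before enabling active response on a live interface. It assumes single-token resp values as listed in the README excerpt and a simple option parser that splits on ";" (semicolons inside quoted strings are not handled).

```python
import re

# Valid <resp_t> tokens as quoted from README.flexresp3 in the thread
RESP_TOKENS = {
    "rst_snd", "rst_rcv", "rst_all",
    "reset_source", "reset_dest", "reset_both",
    "icmp_net", "icmp_host", "icmp_port", "icmp_all",
}

# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(rule):
    """Split a one-line Snort rule into header fields and an options dict.
    Assumption: options are 'key:value;' pairs with no ';' inside quotes."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % rule)
    fields = m.groupdict()
    options = {}
    for item in fields.pop("opts").split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        options[key.strip()] = value.strip()
    fields["options"] = options
    return fields


def check_resp_rule(rule):
    """Return findings for a rule using resp:, or [] if nothing to report."""
    r = parse_rule(rule)
    resp = r["options"].get("resp")
    if resp is None:
        return []
    findings = []
    if resp not in RESP_TOKENS:
        findings.append("unknown resp value %r" % resp)
    if r["proto"] != "tcp" and resp.startswith(("rst_", "reset_")):
        findings.append("TCP reset requested on non-TCP rule")
    if r["src"] == "any" and r["dst"] == "any":
        findings.append("resp fires for any -> any: every matching packet gets a response")
    return findings
```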