[Snort-users] Snort tcp reset

Daniele Gallarato daniele.gallarato at ...11827...
Tue May 8 04:37:38 EDT 2012


Sorry.

Can anyone point me to documentation about TCP reset with flexresp3?

Thanks
Daniele


2012/5/4 Daniele Gallarato <daniele.gallarato at ...11827...>

> Yes.
>
> I don't understand well the difference between flexresp3 (previously I've
> used flexresp1, so I've tried to use flexresp3), and active-response.
>
> If I configure
>
> config response: device eth0 attempts 2
>
>
> when Snort hits a reset rule, it floods the network and I can't reach it
> anymore...
>
> Thanks
>
>
> * Flexresp3 is new: the resp rule option keyword is used to configure active
>   responses for rules that fire.
>
>     ./configure --enable-flexresp3
>
>     alert tcp any any -> any 80 (content:"a"; resp:<resp_t>; sid:1;)
>
> * resp_t includes all flexresp and flexresp2 options:
>
>     <resp_t> ::= \
>         rst_snd | rst_rcv | rst_all | \
>         reset_source | reset_dest | reset_both | icmp_net | \
>         icmp_host | icmp_port | icmp_all
>
> See README.flexresp3 for more.
>
>
>
> 2012/5/4 Russ Combs <rcombs at ...1935...>
>
>> Did you check README.active?
>>
>> On Fri, May 4, 2012 at 10:00 AM, Daniele Gallarato <
>> daniele.gallarato at ...11827...> wrote:
>>
>>> Hello.
>>>
>>> I've installed snort version 2.9.2.2 onto an ubuntu server
>>> (2.6.32-41-server #88-Ubuntu SMP).
>>>
>>> I've followed this good guide:
>>>
>>>
>>> http://www.google.it/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CHsQFjAB&url=http%3A%2F%2Fwww.snort.org%2Fassets%2F158%2F014-snortinstallguide292.pdf&ei=zd-jT5vCBPTa4QSl0rifCQ&usg=AFQjCNGaL8nB1vZPRodUBX6IQluwufpbFQ&sig2=FqFj5w3hOXP1NBcn3gbxoQ
>>>
>>> All seems to work properly.
>>>
>>> Only thing that doesn't work is flexresp3.
>>>
>>> In an old installation (2.4.3) with old flexresp, resets work.
>>>
>>> In this new installation, I've compiled snort with:
>>>
>>> ./configure --prefix=/usr/local/snort --enable-sourcefire
>>> --enable-active-response --enable-flexresp3
>>> make
>>> make install
>>>
>>> and written some local.rules (they work) and some reset.rules (they hit
>>> the rule, appear in reports, but don't reset).
>>>
>>> Rule is:
>>>
>>> alert tcp <my_ip> any -> $HOME_NET 3389 (resp: rst_all; msg:"Reset Sessioni Remote Desktop" ; sid:200004;)
>>>
>>> I've also checked packets with wireshark, I can't see any reset.
>>>
>>> Any help will be appreciated.
>>>
>>> Thanks
>>> Daniele Gallarato
>>>
>>>
>>>
>>
>>
>
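A small checker for the `resp` option grammar quoted from README.flexresp3 above, added here as an example (it is not Snort's parser and not code from the thread). It assumes one `<resp_t>` token per `resp` option, as the excerpt shows, and that `rst_*`/`reset_*` values only make sense on TCP rules; the sample rules it is exercised with are constructed.

```python
import re

# The <resp_t> alternatives quoted from README.flexresp3 in the thread above.
RESP_TOKENS = frozenset({
    "rst_snd", "rst_rcv", "rst_all",              # flexresp spellings
    "reset_source", "reset_dest", "reset_both",   # flexresp2 spellings
    "icmp_net", "icmp_host", "icmp_port", "icmp_all",
})
# A TCP RST can only be injected into a TCP session (assumption stated in the lead-in).
TCP_ONLY = frozenset(t for t in RESP_TOKENS if t.startswith(("rst_", "reset_")))

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<body>.*)\)\s*$",
    re.S)
# One option: keyword, optional ':' value, terminated by ';'. Quoted values may contain ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;"]*))?\s*;')


def parse_options(body):
    """Return the rule option body as a list of (keyword, value); value is None if bare."""
    body = body.strip()
    opts, pos = [], 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError("unparsable option text at: %r" % body[pos:pos + 30])
        value = m.group(2).strip() if m.group(2) is not None else None
        opts.append((m.group(1), value))
        pos = m.end()
    return opts


def check_resp_rule(rule):
    """Return a list of problems with the rule's resp option; [] means it looks sound."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["rule header does not parse"]
    proto = m.group("proto").lower()
    resp_values = [v for k, v in parse_options(m.group("body")) if k == "resp"]
    if not resp_values:
        return ["no resp option: the rule will alert but never send a response"]
    problems = []
    for v in resp_values:
        if v not in RESP_TOKENS:
            problems.append("unknown resp value %r; expected one of %s" % (v, sorted(RESP_TOKENS)))
        elif v in TCP_ONLY and proto != "tcp":
            problems.append("%s sends a TCP RST, which cannot apply to a %s rule" % (v, proto))
    return problems
```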