snort-users February 2008 archive

Re: [Snort-users] Flexresp problems

From: Zakai Kinan <titanyen2000_at_nospam>
Date: Sun Feb 24 2008 - 23:43:12 GMT
To: Todd Wease <twease@sourcefire.com>


Where are the configuration options for flexresp version 1? I can't find them.

TIA, ZK

Todd Wease <twease@sourcefire.com> wrote:

> flexresp2 is broken in Snort 2.8.0 because of the inclusion of IPv6
> support in Snort - there are conflicting types in the Snort code and
> libdnet. This should be fixed in the 2.8.1 release (not sure on the
> date yet for this release). Use the original flexresp
> (--enable-flexresp) if you want to block requests or send resets.
>
>
> Zakai Kinan wrote:
> > Are you saying that I should use --enable-flexresp instead of
> > --enable-flexresp2? --enable-flexresp2 does not work for me with the
> > configure options I used. Some clarification would be helpful.
> >
> > Thanks,
> >
> > ZK
> >
> > --- Todd Wease <twease@sourcefire.com> wrote:
> >
> >> Rob,
> >>
> >> I just tested this and it seems to work fine with the 2.8.0.1
> >> tarball on the snort.org site. Can you post the command line you
> >> used to configure Snort? The configure line I used was:
> >>
> >> $ ./configure --enable-pthread --enable-linux-smp-stats --enable-dynamicplugin --enable-sourcefire --enable-gre --enable-targetbased --enable-flexresp
> >>
> >> The rule I used was:
> >>
> >> alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:policy-violation; sid:100000001; rev:8; react:block;)
> >>
> >> The snort.conf I used was the default one with the above rule
> >> added at the end of the file.
> >>
> >> The snort command line I used was (running from the top level of
> >> the source tree):
> >>
> >> $ sudo ./src/snort -c ./etc/snort.conf.work -k none -A cmg -i eth0
> >>
> >> When I tried to use the url "http://192.168.0.2/cmd.exe", I got an
> >> alert as well as the flexresp react block page sent to my browser.
> >>
> >> Also tried the resp rule:
> >>
> >> alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:policy-violation; sid:100000001; rev:8; resp:rst_snd;)
> >>
> >> and I get a message sent to my browser that the connection was
> >> reset.
> >>
> >> This was not tested on a CentOS 5 machine, but on Fedora Core 8
> >> (Intel). I downloaded libnet-1.0.2a.tar.gz and just did the normal
> >> './configure && make && sudo make install'.
> >>
> >> Thanks,
> >> Todd
> >>
> >>
> >> Ward, Rob wrote:
> >>> I've installed with Flexresp and when I try to add react:block;
> >>> to a rule I get the message below, any ideas please anyone?
> >>>
> >>> FATAL ERROR: Warning: /etc/snort/rules/local.rules(1) => Unknown keyword 'react' in rule!
> >>>
> >>> The rule syntax looks OK to me and I've used this before without
> >>> a problem. I'm running snort 2.8.0.1 on CentOS 5.
> >>>
> >>> The rule looks like this:
> >>>
> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8; react:block;)
> >>>
> >>> Also with Flexresp, in which file do you put your variables, i.e.:
> >>>
> >>> # just stop the offender
> >>> var RESP_TCP resp:rst_snd;
> >>>
> >>> I get the same error when I put this in snort.conf and replace
> >>> react:block; with $RESP_TCP in my rules. I also get the same
> >>> error with resp:rst_snd; in the rules.
> >>>
> >>> Any help would be appreciated, thanks!
> >>>
> >>> Rob Ward
> >>> Network Northwest Support
> >>> University of Liverpool
> >>> Computing Services Department
=== message truncated ===



Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
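Added example, not code posted by anyone in this thread and not part of the Snort project: the check Rob's FATAL ERROR calls for, run before restarting the sensor. A Snort binary built without --enable-flexresp (or --enable-flexresp2) rejects the whole rule file at startup with "Unknown keyword" the first time it meets an active-response option, so it helps to know up front which rules use `react` or `resp`, including ones that only pick the option up through a `var` such as `$RESP_TCP`. The script assumes `react` and `resp` are the two rule options that exist only in a flexresp-enabled build; its `$VAR` expansion is a simplified model of Snort's substitution, not Snort's own parser; and the snort.conf fragment and rules are constructed for the example, modelled on the ones quoted above.

```python
import re

# Constructed sample snort.conf fragment and rules for this example, modelled
# on the ones posted in the thread above (not taken from a live sensor).
SAMPLE_CONF = """\
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
# just stop the offender
var RESP_TCP resp:rst_snd;
"""

SAMPLE_RULES = """\
alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"cmd.exe request"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:policy-violation; sid:100000001; rev:8; react:block;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8; $RESP_TCP)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"plain alert, no active response"; content:"foo"; sid:1000002; rev:1;)
"""

# Assumption for this example: these two rule options are only compiled in
# with --enable-flexresp / --enable-flexresp2. A build without them aborts
# at startup with "Unknown keyword", as in the FATAL ERROR quoted above.
ACTIVE_RESPONSE_KEYWORDS = {"resp", "react"}

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.*?)\s*$", re.MULTILINE)
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def load_vars(conf_text):
    """Collect `var NAME value` definitions from a snort.conf fragment."""
    return {name: value for name, value in VAR_RE.findall(conf_text)}


def expand_vars(text, variables, max_passes=8):
    """Substitute $NAME with its definition until nothing changes.
    Longest names go first so $HOME_NET is not clobbered by a shorter $HOME;
    repeated passes resolve vars defined in terms of other vars, and the
    pass limit turns a self-referential var into an error instead of a hang."""
    for _ in range(max_passes):
        expanded = text
        for name in sorted(variables, key=len, reverse=True):
            expanded = expanded.replace("$" + name, variables[name])
        if expanded == text:
            return text
        text = expanded
    raise ValueError("variable expansion did not converge (cyclic var?)")


def split_options(body):
    """Split a rule body on ';' while respecting double-quoted strings, so a
    content:"a;b" pattern is not cut in half. Backslash escapes a quote."""
    options, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
            continue
        if ch == "\\":
            current.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            option = "".join(current).strip()
            if option:
                options.append(option)
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return options


def parse_rule(line):
    """Parse one already-expanded rule into header fields plus an options
    map (keyword -> list of values); return None for non-rule lines."""
    match = RULE_RE.match(line)
    if not match:
        return None
    options = {}
    for option in split_options(match.group(8)):
        key, _, value = option.partition(":")
        options.setdefault(key.strip(), []).append(value.strip())
    return {
        "action": match.group(1), "proto": match.group(2),
        "src": match.group(3), "sport": match.group(4), "dir": match.group(5),
        "dst": match.group(6), "dport": match.group(7), "options": options,
    }


def active_response_rules(conf_text, rules_text):
    """Map sid -> sorted active-response keywords the rule uses, checked
    after variable expansion so a rule that pulls resp: in via $RESP_TCP
    is caught as well."""
    variables = load_vars(conf_text)
    findings = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(expand_vars(line, variables))
        if rule is None:
            continue
        used = ACTIVE_RESPONSE_KEYWORDS & set(rule["options"])
        if used:
            sid = rule["options"].get("sid", ["<no sid>"])[0]
            findings[sid] = sorted(used)
    return findings


def rules_blocked_by_build(conf_text, rules_text, flexresp_enabled):
    """Sids that would abort Snort startup on this build: every
    active-response rule when flexresp is not compiled in, none otherwise."""
    if flexresp_enabled:
        return []
    return sorted(active_response_rules(conf_text, rules_text))


if __name__ == "__main__":
    for sid, keywords in active_response_rules(SAMPLE_CONF, SAMPLE_RULES).items():
        print(f"sid:{sid} needs flexresp for {', '.join(keywords)}")
    print("would fail on a build without flexresp:",
          rules_blocked_by_build(SAMPLE_CONF, SAMPLE_RULES, flexresp_enabled=False))
```

Run it against your own snort.conf and rule files before a restart; if it lists any sids and your configure line lacked --enable-flexresp, either rebuild with the flag (the advice given above) or drop the react/resp options from those rules, since Snort will otherwise refuse to start rather than skip them.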