-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Pfeito,
I'd like for you to try two things. First, try using only reset_dest
in your rule. Second, can you send me the pcap dump so I can take a
look at it?
The pcap dump I'm interested in will come from the FTP server. I want
to see all the packets from connection establishment to sp_respond2
firing the response packets.
- -Jeff
On Aug 30, 2004, at 7:05 AM, pfeito wrote:
Hi,
I'm currently testing flexresp2. For now I'm just using a simple rule
that
terminates a FTP connection if someone tries to login with user "root".
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP root login
attempt!";
flow:to_server,established; content:"USER"; nocase; content:"root";
distance:1; nocase; pcre:"/^USER\sroot/smi";
classtype:suspicious-login;
sid:1000002; rev:2; resp: reset_both;)
I try to login remotely with user root, but the connection does not
terminate. I sniffed with tcpdump and I know that it the TCP RST
packets are
being sent, but the connection stays up.
Then I tried the same but with both peers on the same LAN, but with
the same
results. The TCP RST packets are being sent also.
I've tcpdump logs if someone is interested in looking into them.
My snort.conf-flexresp2 config
config flexresp2_interface: eth2
config flexresp2_attempts: 10
What could be going wrong?
Thanks in advance,
-pfeito
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-
admin@lists.sourceforge.net] On Behalf Of Jeff Nathan
Sent: segunda-feira, 26 de Julho de 2004 1:33
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] flexresp2 is back and needs testing
Hi Snortees,
I've got a new version of the flexible response code, sp_respond2,
ready for testing. This new version uses libdnet
(http://libdnet.sourceforge.net) and is significantly faster than all
previous versions. During testing I was able to reset TCP connections
where both the client and server were on the same LAN.
The patch is attached to this message but if you'd like to download
it,
it's also available from
http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/
If you encounter any problems with the attached patch, refer to the
website for an update before sending email.
It's most helpful if you're somewhat experienced with Snort. For the
time being I'd like to avoid tutoring users during testing.
- --
http://cerberus.sourcefire.com/~jeff (gpg/pgp key id 6923D3FD)
"Great spirits have always encountered violent opposition from
mediocre minds." - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFBMz1YEqr8+Gkj0/0RAqcCAKCqt6bNBfOHlqOYZIo6TXs0L0qt1gCbBJio
W7X45fODL7UYAHi+PBsCd+k=
=V4id
-----END PGP SIGNATURE-----
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
