hi John
thanks for reply
i can't follow you. why should routing or antispoofing-settings in cp
be changed, if i only insert a ' content:"hello"; ' in one rule. (see below)
and without this the action resp:rst_all; is o.k. and disconnects
this connection.
best regards
hans
--
On Mon, Apr 25, 2005 at 09:03:01AM -0600, John C. Silvia wrote:
Remember that the tcp resets generated by flexresp go out via the
default route or whatever route is more appropriate.
This is very limiting, but can still be useful. For starters, this
means that if you have a snort setup with two interfaces - one with IP
for management and one without for sniffing, then your detector will be
sending out the resets on the TCP interface.
If you're huddling IDS's behind a Check Point firewall for instance, and
you have a dedicated DMZ for the IDS's, then you must disable address
spoofing on that interface of the check point (and deal with the griping
and consequences) in order for FlexResp to work.
Snortsam is a better choice since it'll block at the router or firewall,
and you don't have to turn off any anti-spoofing. Inline is perhaps the
best method, but carries too many risks as it can become a point of failure.
hans wrote:
hi all
i tried the experimental feature '--enable-flexresp' for
compiling snort 2.3.3 on solaris 9 ( both sparc and intel plattform )
the first tests did run well, the following rule did
disconnect an incomming connection immediate:
alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; resp:rst_all; )
the next step was to modify this rule sligthly. the disconnect should
only appear, if the word "hello" was seen, with this rule:
alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; content:"hello";
resp:rst_all; )
i telnet to port 25, key in "hello" ( knowing it's not a smtp-dialog )
and nothing happens. i get a logentry, so the rule is involved
if the word "hello" is seen, but no disconnect.
i searched a lot of time around the internet, but could find
any advice, what the problem could be.
every advice would be helpfully.
just disconnecting any incomming connection could be the idea, a
tcpwrapper could this job too.
best regards
hans
--
John C. Silvia
VP Information Systems & CTO
Cadamier Internet Security Corporation
http://www.cadamier.com
john@cadamier.com
303-249-3204 cell
720-898-4872 office
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
SF.Net email is sponsored by: Tell us your software development plans!
Take this survey and enter to win a one-year sub to SourceForge.net
Plus IDC's 2005 look-ahead and a copy of this survey
Click here to start! http://www.idcswdc.com/cgi-bin/survey?id=105hix
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
