Rob,
I just tested this and it seems to work fine with the 2.8.0.1 tarball on
the snort.org site. Can you post the command line you used to configure
Snort? The configure line I used was:
$ ./configure --enable-pthread --enable-linux-smp-stats
--enable-dynamicplugin --enable-sourcefire --enable-gre
--enable-targetbased --enable-flexresp
The rule I used was:
alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard";
flow:to_server,established; content:"cmd.exe"; nocase;
classtype:policy-violation; sid:100000001; rev:8; react:block;)
The snort.conf I used was the default one with the above rule added at
the end of the file.
The snort command line I used was (running from top level of source tree):
$ sudo ./src/snort -c ./etc/snort.conf.work -k none -A cmg -i eth0
When I tried to use the url "http://192.168.0.2/cmd.exe";, I got an alert
as well as the flexresp react block page sent to my browser.
Also tried the resp rule:
alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You bastard";
flow:to_server,established; content:"cmd.exe"; nocase;
classtype:policy-violation; sid:100000001; rev:8; resp:rst_snd;)
and I get a message sent to my browser that the connection was reset.
This was not tested on a Cent OS 5 machine, but a Fedora Core 8 intel.
I downloaded libnet-1.0.2a.tar.gz and just did the normal './configure
&& make && sudo make install'.
Thanks,
Todd
Ward, Rob wrote:
I've installed with Flexresp and when I try to add react:block; to a rule I
get the message below, any ideas please anyone?
FATAL ERROR: Warning: /etc/snort/rules/local.rules(1) => Unknown keyword '
react' in rule!
The rule syntax looks OK to me and I've used this before without a problem.
I'm running snort 2.8.0.1 on Cent OS 5.
The rule looks like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login";
flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1;
classtype:policy-violation; sid:549; rev:8; react:block;)
Also with Flexresp in which file do you put your variables i.e:
# just stop the offender
var RESP_TCP resp:rst_snd;
I get the same error when I put this in snort.conf and replace react:block;
with $RESP_TCP in my rules. I also get the same error with resp:rst_snd; in
the rules.
Any help would be appreciated, thanks!
Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
