Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Flexresp problems

from [Zakai Kinan] Network Security [Permanent Link]
Subject: Re: [Snort-users] Flexresp problems
Date: Fri, 22 Feb 2008 08:52:13 -0800 (PST) 
Are you saying that I should use --enable-flexresp
instead of --enable-flexresp2?  --enable-flexresp2
does not work for me with my configure options used. 
Some clarification would be helpful.

Thanks,

ZK

--- Todd Wease <twease@sourcefire.com> wrote:


Rob,

I just tested this and it seems to work fine with
the 2.8.0.1 tarball on
the snort.org site.  Can you post the command line
you used to configure
Snort?  The configure line I used was:

$ ./configure --enable-pthread
--enable-linux-smp-stats
--enable-dynamicplugin --enable-sourcefire
--enable-gre
--enable-targetbased --enable-flexresp

The rule I used was:

alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You
bastard";
flow:to_server,established; content:"cmd.exe";
nocase;
classtype:policy-violation; sid:100000001; rev:8;
react:block;)

The snort.conf I used was the default one with the
above rule added at
the end of the file.

The snort command line I used was (running from top
level of source tree):

$ sudo ./src/snort -c ./etc/snort.conf.work -k none
-A cmg -i eth0

When I tried to use the url
"http://192.168.0.2/cmd.exe";, I got an alert
as well as the flexresp react block page sent to my
browser.

Also tried the resp rule:

alert tcp $HOME_NET any -> 192.168.0.2 80 (msg:"You
bastard";
flow:to_server,established; content:"cmd.exe";
nocase;
classtype:policy-violation; sid:100000001; rev:8;
resp:rst_snd;)

and I get a message sent to my browser that the
connection was reset.

This was not tested on a Cent OS 5 machine, but a
Fedora Core 8 intel.
I downloaded libnet-1.0.2a.tar.gz and just did the
normal './configure
&& make && sudo make install'.

Thanks,
Todd


Ward, Rob wrote:

I've installed with Flexresp and when I try to add

react:block; to a rule I get the message below, any
ideas please anyone?


FATAL ERROR: Warning:

/etc/snort/rules/local.rules(1) => Unknown keyword '
react' in rule!


The rule syntax looks OK to me and I've used this

before without a problem. I'm running snort 2.8.0.1
on Cent OS 5.


The rule looks like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 8888

(msg:"P2P napster login";
flow:to_server,established; content:"|00 02 00|";
depth:3; offset:1; classtype:policy-violation;
sid:549; rev:8; react:block;)



Also with Flexresp in which file do you put your

variables i.e:


# just stop the offender
    var RESP_TCP resp:rst_snd;

I get the same error when I put this in snort.conf

and replace react:block; with $RESP_TCP in my rules.
I also get the same error with resp:rst_snd; in the
rules.


Any help would be appreciated, thanks!

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department





-------------------------------------------------------------------------

This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio

2008.





http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or

unsubscribe:





https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:




http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------------------------

This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio
2008.


http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or
unsubscribe:


https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:


http://www.geocrawler.com/redir-sf.php3?list=snort-users






      
____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  
http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Bare byte alerts but no non-ASCII characters!, Todd Wease
Next by Date:  Re: [Snort-users] Flexresp problems, Todd Wease
Previous by Thread:  Re: [Snort-users] Flexresp problems, Ward, Rob
Next by Thread:  Re: [Snort-users] Flexresp problems, Todd Wease
Indexes:  [Date] [Thread] [Top] [All Lists]