Re: [Snort-users] Flexresp problems

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Be aware that flexresp1 will not reliably tear down a connection.

- -Jeff

On Feb 24, 2008, at 6:43 PM, Zakai Kinan wrote:

> Where are the configuration options for flexresp
> version 1?  I can't find them.
>
>
> TIA,
>
> ZK
>
>
> --- Todd Wease <twease@sourcefire.com> wrote:
>
> > flexresp2 is broken in Snort 2.8.0 because of the
> > inclusion of IPv6
> > support in Snort - there are conflicting types in
> > the Snort code and
> > libdnet.  This should be fixed in the 2.8.1 release
> > (not sure on the
> > date yet for this release).  Use the original
> > flexresp
> > (--enable-flexresp) if you want to block requests or
> > send resets.
> >
> >
> > Zakai Kinan wrote:
> > > Are you saying that I should use --enable-flexresp
> > > instead of --enable-flexresp2?  --enable-flexresp2
> > > does not work for me with my configure options
> > used.
> > > Some clarification would be helpful.
> > >
> > > Thanks,
> > >
> > > ZK
> > >
> > > --- Todd Wease <twease@sourcefire.com> wrote:
> > >
> > > > Rob,
> > > >
> > > > I just tested this and it seems to work fine with
> > > > the 2.8.0.1 tarball on
> > > > the snort.org site.  Can you post the command
> > line
> > > > you used to configure
> > > > Snort?  The configure line I used was:
> > > >
> > > > $ ./configure --enable-pthread
> > > > --enable-linux-smp-stats
> > > > --enable-dynamicplugin --enable-sourcefire
> > > > --enable-gre
> > > > --enable-targetbased --enable-flexresp
> > > >
> > > > The rule I used was:
> > > >
> > > > alert tcp $HOME_NET any -> 192.168.0.2 80
> > (msg:"You
> > > > bastard";
> > > > flow:to_server,established; content:"cmd.exe";
> > > > nocase;
> > > > classtype:policy-violation; sid:100000001; rev:8;
> > > > react:block;)
> > > >
> > > > The snort.conf I used was the default one with
> > the
> > > > above rule added at
> > > > the end of the file.
> > > >
> > > > The snort command line I used was (running from
> > top
> > > > level of source tree):
> > > >
> > > > $ sudo ./src/snort -c ./etc/snort.conf.work -k
> > none
> > > > -A cmg -i eth0
> > > >
> > > > When I tried to use the url
> > > > "http://192.168.0.2/cmd.exe";, I got an alert
> > > > as well as the flexresp react block page sent to
> > my
> > > > browser.
> > > >
> > > > Also tried the resp rule:
> > > >
> > > > alert tcp $HOME_NET any -> 192.168.0.2 80
> > (msg:"You
> > > > bastard";
> > > > flow:to_server,established; content:"cmd.exe";
> > > > nocase;
> > > > classtype:policy-violation; sid:100000001; rev:8;
> > > > resp:rst_snd;)
> > > >
> > > > and I get a message sent to my browser that the
> > > > connection was reset.
> > > >
> > > > This was not tested on a Cent OS 5 machine, but a
> > > > Fedora Core 8 intel.
> > > > I downloaded libnet-1.0.2a.tar.gz and just did
> > the
> > > > normal './configure
> > > > && make && sudo make install'.
> > > >
> > > > Thanks,
> > > > Todd
> > > >
> > > >
> > > > Ward, Rob wrote:
> > > > > I've installed with Flexresp and when I try to
> > add
> > > > react:block; to a rule I get the message below,
> > any
> > > > ideas please anyone?
> > > > > FATAL ERROR: Warning:
> > > > /etc/snort/rules/local.rules(1) => Unknown
> > keyword '
> > > > react' in rule!
> > > > > The rule syntax looks OK to me and I've used
> > this
> > > > before without a problem. I'm running snort
> > 2.8.0.1
> > > > on Cent OS 5.
> > > > > The rule looks like this:
> > > > >
> > > > > alert tcp $HOME_NET any -> $EXTERNAL_NET 8888
> > > > (msg:"P2P napster login";
> > > > flow:to_server,established; content:"|00 02 00|";
> > > > depth:3; offset:1; classtype:policy-violation;
> > > > sid:549; rev:8; react:block;)
> > > > > Also with Flexresp in which file do you put your
> > > > variables i.e:
> > > > > # just stop the offender
> > > > >     var RESP_TCP resp:rst_snd;
> > > > >
> > > > > I get the same error when I put this in
> > snort.conf
> > > > and replace react:block; with $RESP_TCP in my
> > rules.
> > > > I also get the same error with resp:rst_snd; in
> > the
> > > > rules.
> > > > > Any help would be appreciated, thanks!
> > > > >
> > > > > Rob Ward
> > > > > Network Northwest Support
> > > > > University of Liverpool
> > > > > Computing Services Department
> ---------------------------------------------------------------------- 
> ---
> > > > > This SF.net email is sponsored by: Microsoft
> > > > > Defy all challenges. Microsoft(R) Visual Studio
> > > > 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users@lists.sourceforge.net
> > > > > Go to this URL to change user options or
> > > > unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> ---------------------------------------------------------------------- 
> ---
> > > > This SF.net email is sponsored by: Microsoft
> > > > Defy all challenges. Microsoft(R) Visual Studio
> > > > 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users@lists.sourceforge.net
> > > > Go to this URL to change user options or
> > > > unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> ______________________________________________________________________ 
> ______________
> > > Be a better friend, newshound, and
> > > know-it-all with Yahoo! Mobile.  Try it now.
> http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
> > >
> ---------------------------------------------------------------------- 
> ---
> > > This SF.net email is sponsored by: Microsoft
> > > Defy all challenges. Microsoft(R) Visual Studio
> > 2008.
> > >
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users@lists.sourceforge.net
> > > Go to this URL to change user options or
> > unsubscribe:
> > >
> https://lists.sourceforge.net/lists/listinfo/snort-users
> >
> === message truncated ===
>
>
>
>        
> ______________________________________________________________________ 
> ______________
> Looking for last minute shopping deals?
> Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/ 
> newsearch/category.php?category=shopping
>
> ---------------------------------------------------------------------- 
> ---
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


- --
http://cerberus.sourcefire.com/~jeff       (DSA key id 6923D3FD)
"I want to know God's thoughts... the rest are details."   - Albert  
Einstein


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iD8DBQFHwtqTEqr8+Gkj0/0RAvYsAKCV1iN+AUL03T7SW6xS9BYdh2I3+wCfZRNh
8n8wwO+XCAIoLaDlMTbgikc=
=+tdt
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users