> on winnt 4.0 running Snort_flexresp_181 from silicon defense.
>
> NOTE: I have tried ; in the vars (like readme.flexresp states) same problem
>
> Vars in Config file
> -----------------
> # just stop the offender
> var RESP_TCP resp:rst_snd
>
> # also kill a possible local counterpart
> var RESP_TCP_URG resp:rst_all
>
> under web-iis.rules tried
> -------------------------
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
> access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
> sid:1002; rev:1; $RESP_TCP;)
> - Dr. Watson
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
> access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
> sid:1002; rev:1; $RESP_TCP_URG;)
> - Dr. Watson
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
> access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
> sid:1002; rev:1; resp:rst_all;)
> - Dr. Watson
>
> But when I used the React instead of the Response
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe
> access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;
> sid:1002; rev:1; react:block;)
>
> No Crash, and also no log entries in snort.log...
> I am assuming this is a good thing, and snort is blocking the traffic.
>
> Any comments ;)
I have snort 1.8.1 running with flexresp on Linux and OpenBSD.
I get the same behavior that you describe happening for NT,
RESP works but REACT does not. When I tested them by setting up
a rule that I could trigger myself, the REACT rule just made
snort mute but it did not stop my connection, so it does not
appear to work.
--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skip@...
1340 Munras Ave., Suite 314 UUCP: ...!uunet!taygeta!skip
Monterey, CA. 93940 WWW: http://www.taygeta.com/skip.html
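Added example for this thread (not code from the post, from Silicon Defense, or from Snort itself): a small Python audit script that resolves `$VAR` references inside the rule option body, which is the substitution the original post relies on with `$RESP_TCP` and `$RESP_TCP_URG`, and reports which `resp:`/`react:` option each rule ends up carrying. It also flags a sid used by more than one rule, which the quoted config does (sid:1002 four times). The sample config is constructed from the quoted vars and rules with each rule joined back onto one line; the parser is an assumed, simplified one (it handles `;` inside quoted strings but not escaped quotes) and makes no claim to match Snort's own parser.

```python
"""Audit a Snort 1.x ruleset that uses flexresp active-response options.

Added example for this thread; not part of the mailing-list post or of Snort.
It resolves $VAR references inside the rule option body and reports which
resp:/react: option each rule ends up with, plus any sid used by more than
one rule.  The parser is a simplified, assumed one, not Snort's own.
"""
import re
from collections import Counter

# Constructed sample: the vars and rules quoted in the thread, each rule
# joined back onto a single line.
SAMPLE_CONFIG = """\
# just stop the offender
var RESP_TCP resp:rst_snd
# also kill a possible local counterpart
var RESP_TCP_URG resp:rst_all
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; $RESP_TCP_URG;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; resp:rst_all;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1; react:block;)
"""

VAR_RE = re.compile(r"^var\s+(\w+)\s+(.+?)\s*$")
# action, protocol, rest of header, then the option body in parentheses
RULE_RE = re.compile(r"^(alert|log|pass)\s+(\S+)\s+(.+?)\s*\((.*)\)\s*$")
REF_RE = re.compile(r"\$(\w+)")
RESPONSE_KEYWORDS = ("resp", "react")


def parse_vars(text):
    """Collect `var NAME value` definitions into a dict."""
    found = {}
    for line in text.splitlines():
        m = VAR_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


def split_options(body):
    """Split the option body on ';' characters that are not inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def expand_vars(token, variables):
    """Replace each $NAME with its definition; fail loudly on an unknown name."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        return variables[name]
    return REF_RE.sub(repl, token)


def audit(text):
    """Return (rules, duplicate_sids).

    Each rule entry lists its sid and the resolved resp:/react: options it
    carries (an empty list means the rule takes no active response).  Only the
    option body is expanded; header vars such as $HTTP_SERVERS are left alone.
    """
    variables = parse_vars(text)
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = [expand_vars(o, variables) for o in split_options(m.group(4))]
        sid, responses = None, []
        for opt in opts:
            key, _, value = opt.partition(":")
            key = key.strip()
            if key == "sid":
                sid = value.strip()
            elif key in RESPONSE_KEYWORDS:
                responses.append(f"{key}:{value.strip()}")
        rules.append({"sid": sid, "responses": responses})
    counts = Counter(r["sid"] for r in rules)
    duplicates = sorted(s for s, n in counts.items() if n > 1)
    return rules, duplicates


if __name__ == "__main__":
    found_rules, dups = audit(SAMPLE_CONFIG)
    for r in found_rules:
        print(f"sid {r['sid']}: {r['responses'] or 'no active response'}")
    if dups:
        print("sid reused by several rules:", ", ".join(dups))
```

Run against the constructed sample, the four rules resolve to `resp:rst_snd`, `resp:rst_all`, `resp:rst_all` and `react:block`, and sid 1002 is reported as reused. Resolving the variables up front like this lets you confirm what option Snort would actually see before loading the ruleset on a box where a bad option crashes the process, and a `KeyError` on an undefined `$NAME` points at a var that was never defined in the config.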