Snort mailing list archives

RE: Resp and React keywords don't work?


From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Thu, 28 Mar 2002 13:27:04 -0500

I appreciate your help Erek. 

Here's what I've done so far. I killed all running Snort processes. I
downloaded Libnet.tar.gz (current, stable version) and it appeared to
compile fine.

I reran ./configure --enable-flexresp from the snort-1.8.4 directory and all
worked fine. Then I ran make and make install again and those appeared to
run fine as well.

The rule I created is:
# alert tcp any any -> $HOME_NET 80 (msg:"Backup access prohibited!"; uricontent: "/backup"; resp:rst_all;)

Then I executed Snort using:
/usr/local/bin/snort -A fast -c /etc/snort/test.conf -i eth0 -l /test -o -N -b -L testtraces

Here is what was returned by Snort:
Log directory = /test

Initializing Network Interface eth0
Kernel filter, protocol ALL, raw packet socket

        --== Initializing Snort ==--
Rule application order changed to Pass->Alert->Log
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /etc/snort/test.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Scan alerts: ACTIVE
    Log Flushed Streams: INACTIVE
No arguments to stream4_reassemble, setting defaults:
     Reassemble client: ACTIVE
     Reassemble server: INACTIVE
     Reassemble ports: 21 23 25 53 80 143 110 111 513
     Reassembly alerts: ACTIVE
     Reassembly method: FAVOR_OLD
Back Orifice detection brute force: DISABLED

ERROR: /etc/snort/test.rules(10) => Unknown keyword "resp" in rule!
Fatal Error, Quitting..

I just downloaded "snort-plain+flexresp-1.8.4-1snort.i386.rpm" and tried to
install that for the heck of it. It said it needed Snort 1.8.4 and quit (even
though Snort 1.8.4 is already installed!). Boy, I'm having a bad day! Any
ideas?

Thanks again!

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com



-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Thursday, March 28, 2002 12:58 PM
To: Sheahan, Paul (PCLN-NW)
Subject: RE: Resp and React keywords don't work?


On Thu, 28 Mar 2002, Sheahan, Paul (PCLN-NW) wrote:

> Thanks Erek. I'm not a wiz at this but what I did was extract
> snort-1.8.4.tar.gz to a directory, then switched to that directory and did
> ./configure --enable-flexresp, then make, then make install. All went
> fine.
> Then I tried running snort where the conf file points to a test rule file
> containing a rule with the resp option. Still says resp is unknown.

First make sure libnet is on the box.  Second, what's the rule that you are
using?

> Maybe I should try the RPM instead?

*shrug*  I'm not a RPM fan, so my ideas would be biased.  :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
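The error Paul quotes, `Unknown keyword "resp" in rule!`, is Snort's way of saying the binary that was actually executed has no flexresp support compiled in, even though the rules file it loaded still contains resp: rules. The two shell helpers below are an added example, not code from this thread or from the Snort project: one extracts the keyword, rules file and line number from that error line and says what it implies, the other lists every active rule in a rules file that depends on the flexresp keywords resp and react (the two keywords this thread is about; they only exist in a build configured with --enable-flexresp, which needs libnet). The sample rules and the sample error line are constructed here for the demo; the temp file handling with mktemp and the backslash-continuation handling are this example's own choices, not anything the thread describes.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Snort project.
# (a) parse Snort's 'Unknown keyword' fatal error, (b) list the rules in a
# rules file that need a flexresp-enabled binary (resp: / react:), so the
# admin knows which rules to disable until the right binary is in use.

# parse_unknown_keyword: read Snort output on stdin, print "keyword file line"
# for each 'Unknown keyword' fatal error, e.g.
#   ERROR: /etc/snort/test.rules(10) => Unknown keyword "resp" in rule!
#   -> resp /etc/snort/test.rules 10
parse_unknown_keyword() {
    sed -n 's/^ERROR: \(.*\)(\([0-9][0-9]*\)) => Unknown keyword "\([^"]*\)" in rule!.*$/\3 \1 \2/p'
}

# diagnose_snort_log: read Snort output on stdin and explain each
# unknown-keyword error. resp and react are the flexresp keywords and are only
# recognised by a snort configured with --enable-flexresp (libnet required).
diagnose_snort_log() {
    parse_unknown_keyword | while read -r kw file line; do
        case "$kw" in
            resp|react)
                echo "$file:$line: '$kw' needs a snort built with --enable-flexresp; the binary that printed this error was built without it" ;;
            *)
                echo "$file:$line: unknown keyword '$kw'" ;;
        esac
    done
}

# flexresp_rules: print FILE:LINE for every active rule in $1 that uses
# resp: or react:. Comment lines are skipped; rules continued with a trailing
# backslash are joined first, so the line reported is where the rule starts.
flexresp_rules() {
    awk '
        # Trailing backslash: strip it, buffer the fragment, remember the start line.
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; if (!start) start = NR; next }
        {
            line = buf $0; buf = ""
            if (!start) start = NR
            if (line ~ /^[ \t]*(alert|log|pass)[ \t]/ && line ~ /[;(][ \t]*(resp|react)[ \t]*:/)
                printf "%s:%d\n", FILENAME, start
            start = 0
        }
    ' "$1"
}

# Constructed sample rules file (not from the thread): a commented-out resp
# rule, a plain rule, a backslash-continued resp rule and a react rule.
SAMPLE_RULES='# alert tcp any any -> $HOME_NET 80 (msg:"disabled"; resp:rst_all;)
alert tcp any any -> $HOME_NET 80 (msg:"plain rule"; uricontent:"/admin";)
alert tcp any any -> $HOME_NET 80 (msg:"Backup access prohibited!"; \
    uricontent:"/backup"; resp:rst_all;)
alert tcp any any -> $HOME_NET 80 (msg:"react rule"; content:"/private"; react:block;)'

# Constructed Snort output line, shaped like the one quoted in the thread.
SAMPLE_LOG='ERROR: /etc/snort/test.rules(10) => Unknown keyword "resp" in rule!'

# Stand-alone demo: write the sample rules to a temp file and run both checks.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    printf '%s\n' "$SAMPLE_LOG" | diagnose_snort_log
    flexresp_rules "$tmp"
    rm -f "$tmp"
}

demo
```

Against the constructed sample, `flexresp_rules` reports lines 3 and 5 (the commented-out rule on line 1 is ignored, and the wrapped rule is reported at the line it starts on), and `diagnose_snort_log` turns the quoted error into a one-line explanation. In a real deployment the same check can be run over the Snort startup output and rules files before restarting the sensor, so a rules file that assumes flexresp is caught before Snort dies with a fatal error.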

