Snort mailing list archives

Re: Snort+flexresp

From: "Onie Camara" <neil () restricted dyndns org>
Date: Mon, 1 Apr 2002 16:48:07 -0600

Hi Jeff,

Here is the dump of snort's successful tearing of my ftp session:

http://restricted.dyndns.org/tcpdump1.txt


And I tried it again, same workstation but this time, snort didn't do
anything.

http://restricted.dyndns.org/tcpdump2.txt


But if I am going to stop and start snort again, it will successfully RESET
my connection.

Here is my rule in local.rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP Anonymous";resp:
rst_all; flags: A+; content:"anonymous"; nocase;)


Thanks.

Neil


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Snort+flexresp Jeff Nathan (Apr 02)
- Re: Snort+flexresp Onie Camara (Apr 02)
  - Re: Snort+flexresp Jeff Nathan (Apr 02)
    - Re: Snort+flexresp Anton A. Chuvakin (Apr 02)
    - Re: Snort+flexresp Onie Camara (Apr 02)