Snort mailing list archives

FW: Flex Response on Win32 - MY BAD?


From: "Beech, Martin" <Martin.Beech () POLK CO UK>
Date: Tue, 16 Jul 2002 13:35:06 +0100

What I forgot to mention was that the FTP server was running on the SNORT
machine, and that the FTP client was on my SYSLOG server (two machines on
my desk that are "safe" to play around with), to which SNORT forwards
alerts.

If I use another machine to connect to the FTP server and try to get a file
named "passwd" the connection is dropped as expected.

Presumably, the sending of the syslog message negates the ICMP* messages -
i.e. both machines know they can reach each other, because they just sent/received
a syslog message. But what about the closing down of the FTP port?

Martin

 -----Original Message-----
From:         Beech, Martin  
Sent: 16 July 2002 12:58
To:   'snort-users () lists sourceforge net'
Subject:      Flex Response on Win32

Hi there,

New to snort. Trying to get it to kill connections under certain
conditions and getting no joy. I'm using:

SNORT Version 1.8.7beta5-ODBC-FlexRESP-WIN32 (Build 128)
LIBNETNT.DLL (binary 1.0.2c) Downloaded from securitybugware.org today
WPCAP 2.3
W2K SP2

I've tried the various libnetnt.dll's around, including the one with the
distribution of Snort I installed. These either GPF'd or "PacketSendPacket
fail"ed on me. The one I'm using from securitybugware does not produce
errors, but it does not kill the connections either. The rule I'm testing
under is 

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; \
    flags:A+; content:"RETR"; nocase; content:"passwd"; resp:rst_all,icmp_all; \
    reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:4;)

Am I doing something dumb - does the LIBNETNT.DLL need installing in some
way, rather than just copying to the snort directory?

Thanks in advance,

Martin
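
Added example, not the poster's code and not Snort's own source: a Python construction of the packets that resp:rst_all,icmp_all asks Snort to inject for one offending segment, so that what the rule should produce can be compared against a capture taken on the Snort machine while the rule fires. The addresses, ports, sequence numbers and the "RETR passwd" segment are constructed sample values, and the sequence/acknowledgement numbers chosen for the two RSTs are an assumption about what the peer stacks will accept, not a transcription of Snort's respond.c.

```python
"""Build the packets Snort's flexresp keyword 'resp:rst_all,icmp_all' injects
for one offending TCP segment.  Added illustration, not Snort's own code: the
addresses, ports and sequence numbers are constructed sample values, and the
seq/ack chosen for the RSTs is an assumption about what a receiver accepts."""
import socket
import struct

TH_RST, TH_ACK = 0x04, 0x10
ICMP_DEST_UNREACH = 3
ICMP_CODES = {"icmp_net": 0, "icmp_host": 1, "icmp_port": 3}

# Constructed sample: the "RETR passwd" command as Snort sees it on the wire.
SAMPLE = {
    "src": "192.0.2.10", "dst": "192.0.2.20",      # FTP client -> FTP server
    "sport": 40123, "dport": 21,
    "seq": 0x11223344, "ack": 0x55667788,
    "payload": b"RETR passwd\r\n",
}


def checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src, dst, proto, payload):
    """IPv4 header (no options) with its checksum filled in, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """IP+TCP packet; TCP checksum covers the pseudo-header, header and data."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src),
                         socket.inet_aton(dst), 0, socket.IPPROTO_TCP,
                         len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return ipv4(src, dst, socket.IPPROTO_TCP,
                hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload)


def icmp_unreach(src, dst, code, quoted):
    """ICMP type 3 quoting the offending IP header plus 8 bytes of its payload."""
    msg = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted[:28]
    msg = msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]
    return ipv4(src, dst, socket.IPPROTO_ICMP, msg)


def respond(seg):
    """rst_all: one RST spoofed from the client to the server (carrying the
    client's next sequence number) and one spoofed from the server to the
    client (carrying the number the client last acknowledged).  icmp_all:
    net, host and port unreachables from the server address to the sender,
    each quoting the offending packet.  Seq/ack choice is an assumption."""
    s, d = seg["src"], seg["dst"]
    nxt = seg["seq"] + len(seg["payload"])
    offending = tcp(s, d, seg["sport"], seg["dport"], seg["seq"], seg["ack"],
                    TH_ACK, seg["payload"])
    rst_to_server = tcp(s, d, seg["sport"], seg["dport"], nxt, seg["ack"],
                        TH_RST | TH_ACK)
    rst_to_client = tcp(d, s, seg["dport"], seg["sport"], seg["ack"], nxt,
                        TH_RST | TH_ACK)
    icmps = [icmp_unreach(d, s, code, offending) for code in ICMP_CODES.values()]
    return {"rst": [rst_to_server, rst_to_client], "icmp": icmps}


def decode(pkt):
    """Decode IP plus TCP or ICMP header; 'ok' is False if any checksum fails."""
    proto = pkt[9]
    out = {"src": socket.inet_ntoa(pkt[12:16]),
           "dst": socket.inet_ntoa(pkt[16:20]), "proto": proto}
    ok = checksum(pkt[:20]) == 0
    if proto == socket.IPPROTO_TCP:
        sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", pkt[20:34])
        pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, proto,
                             len(pkt) - 20)
        ok = ok and checksum(pseudo + pkt[20:]) == 0
        out.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags)
    elif proto == socket.IPPROTO_ICMP:
        ok = ok and checksum(pkt[20:]) == 0
        out.update(type=pkt[20], code=pkt[21])
    out["ok"] = ok
    return out


if __name__ == "__main__":
    pk = respond(SAMPLE)
    for p in pk["rst"] + pk["icmp"]:
        print(decode(p))
```

Running the block prints the five decoded packets. decode() recomputes the IP and TCP/ICMP checksums, which is the first thing to check in a WinDump/tcpdump capture when the RSTs do appear on the wire but the FTP session survives: a RST with a bad checksum or a sequence number outside the receiver's window is silently dropped by the peer, and a libnet that is loaded but sends nothing shows up as no packets at all.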



