Snort mailing list archives

Re: Flexresp problems

From: Zakai Kinan <titanyen2000 () yahoo com>
Date: Tue, 19 Feb 2008 09:57:32 -0800 (PST)

did you do --enable-react in the configure?  React
works, but flexresp does not work in that version. 
Use snortsam instead.

ZK

--- "Ward, Rob" <Rob.Ward () liverpool ac uk> wrote:

I've installed with Flexresp and when I try to add
react:block; to a rule I get the message below, any
ideas please anyone?

FATAL ERROR: Warning:
/etc/snort/rules/local.rules(1) => Unknown keyword '
react' in rule!

The rule syntax looks OK to me and I've used this
before without a problem. I'm running snort 2.8.0.1
on Cent OS 5.

The rule looks like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 8888
(msg:"P2P napster login";
flow:to_server,established; content:"|00 02 00|";
depth:3; offset:1; classtype:policy-violation;
sid:549; rev:8; react:block;)


Also with Flexresp in which file do you put your
variables i.e:

# just stop the offender
    var RESP_TCP resp:rst_snd;

I get the same error when I put this in snort.conf
and replace react:block; with $RESP_TCP in my rules.
I also get the same error with resp:rst_snd; in the
rules.

Any help would be appreciated, thanks!

Rob Ward
Network Northwest Support
University of Liverpool
Computing Services Department

-------------------------------------------------------------------------

This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio
2008.

http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users




      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Flexresp problems Ward, Rob (Feb 19)
- Re: Flexresp problems Zakai Kinan (Feb 19)
- Re: Flexresp problems Todd Wease (Feb 21)
  - Re: Flexresp problems Ward, Rob (Feb 21)
  - Re: Flexresp problems Zakai Kinan (Feb 22)
    - Re: Flexresp problems Todd Wease (Feb 22)
    - Re: Flexresp problems Zakai Kinan (Feb 24)
    - Re: Flexresp problems Jeff Nathan (Feb 25)