Verify TCP reset is actually working

Similar Messages

• IPS 4240 : TCP Reset didn't work properly

  hello all,
  i've created new customer signature to reset for tcp string with testattack.
  for testing, i've configured telnet password using testattack on router's line vty.
  i've tried to connect to the router with testattack password.
  i can see the popup message on the IEV but the telnet session can't disconnect.
  i gueess, the telnet sessio shoud be disconnect due to the signature.
  how can i configure to accoplish this test?
  IPS : Cisco Intrusion Prevention System, Version 5.1(4)S257.0
  Decoded Alarm Context on IEV :
  Decoded alarm context(signature name='My sig' Evend ID=~~~~
  -snip
  From attacker : P ANSI testattc
  Logg from IPS device Manager :
  evIdsAlert: eventId=1177883105267717064 vendor=Cisco severity=high
  originator:
  hostId: SEIPS
  appName: sensorApp
  appInstanceId: 347
  time: 2007년 4월 29일 (일) 오후 10시 06분 55초 offset=0 timeZone=UTC
  signature: description=My Sig id=60000 version=custom
  subsigId: 0
  sigDetails: My Sig Info
  interfaceGroup:
  vlan: 0
  participants:
  attacker:
  addr: 192.168.1.100 locality=OUT
  port: 2269
  target:
  addr: 192.168.2.100 locality=OUT
  port: 23
  actions:
  tcpResetSent: true
  context:
  fromTarget:
  000000 FF FB 01 FF FB 03 FF FD 18 FF FD 1F 0D 0A 0D 0A ................
  000010 55 73 65 72 20 41 63 63 65 73 73 20 56 65 72 69 User Access Veri
  000020 66 69 63 61 74 69 6F 6E 0D 0A 0D 0A 50 61 73 73 fication....Pass
  000030 77 6F 72 64 3A 20 FF FA 18 01 FF F0 word: ......
  fromAttacker:
  000000 FF FD 01 FF FD 03 FF FB 18 FF FB 1F FF FB 1F FF ................
  000010 FA 1F 00 50 00 1E FF F0 FF FA 18 00 41 4E 53 49 ...P........ANSI
  000020 FF F0 74 65 73 74 61 74 74 61 63 ..testattac
  riskRatingValue: 75
  interface: ge0_0
  protocol: tcp
  reagards,
  John.

  I had this issue when I was preparing for my
  CCIE security back in 2006 with IDS version
  4.1 so it may or may not apply to your
  situation. I was using Cisco IDS 4.1 with
  Catalyst 3550s:
  RouterA is connected to F0/1 and vlan 4
  IDS sensing interface is connected to F0/2
  IDS C&C is connected to F0/3 vlan 2
  IDS Sensing interface is connected F0/5
  RouterX is connected to F0/4 vlan 3
  objective: From RouterX, telnet to RouterA.
  When prompt for username, type username.
  When prompt for password, enter "abcd".
  At that time, the IDS will send a tcp reset
  to RouterX thus reset the connection.
  On the catalyst 3550:
  monitor session 1 source vlan 4
  monitor session 1 destination interface f0/5 ingress vlan 4
  that will do the trick.
  what I also found out from my preparation of
  the lab is that is that the IDS will send
  reset about 80% of the time. It did not work
  the other 20% of the time, even though I
  clearly saw it sent tcp reset in the IDS
  event viewer. I also confirmed this
  by running tcpdump on the IDS itself (yes,
  with a trick you can do this). I could
  not figure out why it behaved this way.
  I passed the lab shortly after that so I
  never followed up with it. However, if you
  see a reset in the IEV but the connection
  itself is not reset, probably a bug.

• TCP Reset not working

  I have my man-port on vlan 2 this is our MGT vlan we do not use vlan 1, tcpreset is not work. Below is the step I did to set it up
  1 vlan 1 is up but no ip address on this due to vlan 2 is MGT IP
  2 I have the man-port on vlan 2
  intrusion-detection module 9 management-port access-vlan 2
  3 I ran the tcpdump and noting came back go a pars error.
  can anyone shed light on my problems I'm not sure I have everything config right.
  Thanks

  Not sure what you are asking.
  Sounds like you may be confusing the management port with TCP Reset event action for signatures.
  The TCP Reset packets as event actions for signatures will not be sent out of the management port. They are sent out a TCP Reset port.
  The TCP Reset port is not user configurable or even viewable in Native IOS.
  The configuration you need to worry about is not the management-port but instead the data-ports of the IDSM-2. The data-ports need to be properly configured to monitor the traffic you want to execute the TCP Resets on,

• TCP RESET

  Hi
  How The IDS TCP Reset work. I get configure with the IDM but i need explanation of it. have any drawback of Reset function ??.
  Thanks
  Biplob

  It works differently depending on whether you're in IDS or IPS mode.
  IDS Mode
  When the trigger packet is seen and the alert fires, 100 TCP RST's are sent from the sensors MONITORING port to both the client and server. These 100 RST's have incrementing SEQ/ACK numbers to give us a better chance of actually getting within the current window and effectively resetting the connection on both ends. (It's important to realise that it is not 100% guaranteed to actually RST the connection due to this sliding window). The RST's are obviously sent out with the actual client and server addresses in them to make it look like it came from the other end. Because they're sent out the monitor port, if this is set up using a "span" session on the switch then it's important to make sure you allow inbound packets on that port (by default span ports drop inbound packets).
  IPS Mode
  Because the sensor is now inline, as soon as the signature fires we send one RST to both ends of the connection and then stop transmitting any further packets on that connection.

• I seem to have fixed my problem of randomly occuring errors in my filterwheel control. But I don't know why this should actually work.

  Hi there,
  I am using a thorlabs fw102B filterwheel. It's connected via USB (simulating COM port, that's what it says in MAX). The second device is a camera, also connected via USB. The application is running 24/7, at least that's what it's supposed to do. LabView version is 8.6.
  The LabView code I wrote for this, was never really finished, meaning I totally ignored error handling in the first program version.  That never bothered me, because the program ran for weeks and months without any problem. Whenever I had to reboot my system it was not LabViews fault, but I was changing something else.
  Recently I was running into problems with the filterwheel (after a system reboot). However, I don't understand the error in the first place: The filterwheel is supposed to change position every 15 minutes, in between the camera is taking exposures, then the data is written to an ASCII-file (only ~156 kB). At first the error occured just once: the filterwheel was set to the wrong position for about 15 minutes, which might happen, as it is not really could in counting. A few days later it was in that wrong positon for one hour, so it didn't respond to the "move" order four times in a row. Finally I didn't move at all anymore. The error message I was getting is "0xFFFFFFF unkown status code". In my opinion the communcation to the filterwheel got lost somehow. I don't know a better explantion. 
  But why should it recover after some time?
  The problem usually occured at night, when nobody is there to watch.
  I investigated the behaviour in a second setup (see attachment). There is only the filterwheel connected. Through randomly unplugging the USB or power cable I was able to reproduce 'session handle is not valid', 'unkown status code' and 'session handle lost'. The program enters the 'true case', the session is to be closed and resetted, then it shall be reinitialized. This actually works as soon as the cables are reconnected. But why?
  The close.vi still returns 'session handle is not valid', The reset.vi returns the same, but initialize.vi returns 'No Error' and the system works again.
  What am I not getting here?
  I read some threads here and somebody mentioned for another instrument/problem to use the 'reset' command twice. So I tried 'close-initialize', 'reset-reset-initialize', 'reset-initialize' but only 'close-reset-initialize' works (not surprising). Yet I still get the same errors (probe 1 and 2). Am I introducing more bugs without knowing than I fixed?
  I AM CONFUSED.
  Carsten
  Attachments:
  error_catch.png ‏273 KB

  Hello Ulrich,
  thank you for your answer. Concerning the dataflow I agree and it is what I usually do. Actually I follow the dataflow paradigm whenever there is no problem (the 'false case' in the screenshot):
  “FW102x Initialize.vi” -> “FW102x Get Position.vi” -> “FW102x Set Position.vi”.
  Whenever there is a mistake, this just doesn't work with these drivers. The sequence
  “FW102x Initialize.vi” -> “FW102x Get Position.vi”  -> ///error/// -> “FW102x Close.vi”, “FW102x Reset.vi”  ;; “FW102x Initialize.vi”
  will give me errors for “FW102x Close.vi”, “FW102x Reset.vi”  and “FW102x Initialize.vi” reporting "session handle not valid". However, if I "bypass" the instrument handles directly from the first "Initialize" to "Close" and "Reset", they will report the same error, but the second "Initialize" will work again. I can even merge the first two frames and execute "Close" and "Reset" at the same time to do so. But whenever I try something else, e.g. do the 'correct' wiring, I am unable to close, reset or reinitialize. I have to restart LabView completely, to make the vi work again. So I guess the session is still hanging around somewhere in memory, but I can't access it anymore.
  Surprisingly, wherever I put Probes on the data handle wires they show the correct "ASRL5::INSTR" (with or without correct wiring). But only the "Bypass" wire makes the vi work. Since you couldn't find the drivers in the driver network, I guess they might just run into problems, if an error occurs.
  But thanks for your comment anyway. The problem is fixed for the moment. It's just that I prefer to actually know what I am doing here instead of producing some code I'd rather not show anyone.
  Carsten

• All my PC's and computer(both Apple and Microsoft) will conect to internet except appleTV I have exhausted all resets, It did work yesterday now no connection

  All my PC's and computer(both Apple and Microsoft) will conect to internet except appleTV I have exhausted all resets, It did work yesterday now no connection Has anyone had same problem ?

  Resets are not a solution.  Have you done any actual trouble shooting?  What is the actual symptom you are experiencing?  If you are using WiFi have you tried directly connecting it using a wired connection.

• Need to Enter Real Subtask "Actual Work" and "Actual Finish"

  I am creating a Project file by importing a CSV file.  I need to be able to import both the real Actual Work hours and the real Actual Finish dates contained in the CSV file.  Somehow Project ties these two together for finished Subtasks: 
  entering the Actual Work sets the Actual Finish.  And entering the Actual Finish clears the Actual Work.
  Is there a sequence to enter those for a Subtask, and display what is in the CSV file, rather than what Project wants to compute?

  andyrice,
  If you set the % Work Complete field to 100%, then the Actual Finish field should not be empty. Do you have automatic calculation turned off? Are you using manual scheduling mode?
  For the test sequence I ran, my task type is Fixed Work. I set % Work Complete to 100%. At that point Project assumes the task finished as planned so it sets the Actual Finish date to be the Finish date and the Actual Work to equal the Work. Now you need
  to adjust the work and finish date. If you simply change the value in the Actual Work field, Project will reset the % work complete if the actual work value does not equal the Work field (remember, task is fixed work). So to "replan" the task to what actually
  happened, you must update the Work field with the actual work value. Finally, if the Actual Finish is not the Finish, then the Actual Finish date must be updated. Try that.
  Project's scheduling equation is:
  Duration = Work/Units.
  John

• Does commit_option_B actually work in SP2

  I am not sure if commit_option_B actually works in SP2. I specified it in
  ias_ejb_jar.xml <pool-manager> section as COMMIT_OPTION_B and based on my
  trace log, it does not seem to work. For a method I specifiy
  <trans-attribute> as NotSupported, it still call ejbLoad very time I envoke
  the method. Can I use kregedit to verify that the commit option is actually
  set ?
  Thanks for your help.
  Xiaolong Hao

  Hi,
  I don't think even you do commit work it makes much difference and also Commit work also we can eliminate in the code.one more option is selecting the data from table to check whether it is updated or not.
  IF WA_ZMM_GATE_ENTRY-GR_NUMBER IS INITIAL.
        WA_ZMM_GATE_ENTRY-REFERENCE = GS_EXDATA_HEADER-REFERENCE.
        WA_ZMM_GATE_ENTRY-REFWERKS  = GS_EXDATA_HEADER-WERKS.
        WA_ZMM_GATE_ENTRY-GR_NUMBER = IS_MKPF-MBLNR.
       WA_ZMM_GATE_ENTRY-GR_YEAR   = IS_MKPF-MJAHR.
       MODIFY ZMM_GATE_ENTRY FROM WA_ZMM_GATE_ENTRY .u201Dupdating the Z-table
    IF sy-subrc eq 0.
    do.
  select gr_number from ZMM_GATE_ENTRY where reference = GS_EXDATA_HEADER-REFERENCE.
  if sy-subrc eq 0 and if gr_number is not initial. (record Found)-> means updated.
  exit.
  else.
  MODIFY ZMM_GATE_ENTRY FROM WA_ZMM_GATE_ENTRY.
  endif.
  enddo.
  endif.
  ELSE.
        MESSAGE E901(ZMM) WITH GS_EXDATA_HEADER-GATEENTRYNO WA_ZMM_GATE_ENTRY-GR_NUMBER.
      ENDIF.
  Regards,
  Nagaraj

• IDSM-2 TCP reset

  Hi,
  I have been trying to figure out how to get TCP reset working in IDSM-2.
  Switch config,
  monitor session 2 destination intrusion-detection-module 9 data-port 1
  monitor session 2 source remote vlan 99
  Custom testattack signature,
  Log shows the signature has been triggered,
  On the attacker, I ran a wireshark capture, but did not see any attempt to reset the TCP session.
  Any idea what did I mis-configure ?
  From what I have read, for native IOS, I don't have to configure anything for the TCP reset interface System0/1.
  Regards.

  Hi,
  IDSM2 has a separate tcp-reset interface - System0/1 .In IDSM2, there is no need to explicitly configure the TCP Reset interface. The TCP Reset interface is automatically added to all necessary VLANs by the switch.
  Once a signature is configured to perform the reset action, and if this is triggered, the reset will be sent out the reset port with the appropriate vlan tag attached. From the switch this is  then sent to the appropriate vlan. 
  Thanks and Regards,
  Thulasi Shankar

• TCP Reset Feature

  Hi!
  I would like to realize the reset of a single TCP connection (Ip adress + port number) using a
  CISCO IDS 4235,Version 4.1(5)S194, with a
  PIX 520, IOS Version 6.3(3) and a
  4500 router, IOS Version 12.0(8b).
  Is it really possible by this hardware?
  I think I need at least ROUTER IOS version 12.2(15), but I cannot do this upgrade on my device. Is it true?
  Is the PIX able of resetting the single connection? Maybe IOS Ver 7.00 needed?
  It's possible to upgrade PIX 520 ?
  Thank you in advance!

  TCP reset feature on the IDS by default will send out a TCP reset through the sniffing interface.
  However, it sounds like you are talking about shun connection rather than tcp reset. A shun will effectively block the connection by applying a filter (rather than a packet to terminate the connection), it does this by applying this filter on your router or PIX.
  On the PIX this is achieved through a filter function called a shun command. This is actually available on the version of PIX you are running (6.3.x)
  On the Router an ACL is applied on an interface.
  I hope that helps.
  -jonathan

• TCP Reset by appliance

  Hi everyone,
  I am unable to connect to ASA via ASDM it used to work before
  here are logs
  sh log | inc 12345
  Feb 17 2015 20:50:25: %ASA-6-302013: Built inbound TCP connection 282191 for inside:10.0.0.10/51232 (10.0.0.10/51232) to identity:10.0.0.1/12345 (10.0.0.1/12345)
  Feb 17 2015 20:50:25: %ASA-6-302014: Teardown TCP connection 282191 for inside:10.0.0.10/51232 to identity:10.0.0.1/12345 duration 0:00:00 bytes 578 TCP Reset by appliance
  Feb 17 2015 20:50:25: %ASA-6-302013: Built inbound TCP connection 282192 for inside:10.0.0.10/51233 (10.0.0.10/51233) to identity:10.0.0.1/12345 (10.0.0.1/12345)
  Feb 17 2015 20:50:25: %ASA-6-302014: Teardown TCP connection 282192 for inside:10.0.0.10/51233 to identity:10.0.0.1/12345 duration 0:00:00 bytes 578 TCP Reset by appliance
  SA1#               sh run asdm
  asdm image disk0:/asdm-712.bin
  no asdm history enable
  pri/act/ASA1# sh run http
  http server enable 12345
  http 10.10.10.0 255.255.255.0 inside
  http 10.0.0.0 255.255.255.0 inside
  http 10.0.0.0 255.255.255.0 outside
  PC  IP 10.0.0.10
  ASA IP 10.0.0.1
  Gives error unable to launch device .
  Regards
  MAhesh

  Issue was solved by installing correct java version 8.
  Regards
  Mahesh

• TCP Reset Confusion

  I have confiugred TCP string signature to reset the connection when user try to open certain URL.
  I have configured no device for blocking action.
  but still i am able to block. Why it is so, How IPS able to block URL.
  Please let me know is TCP reset require any device to be in blocking list or IPS itself send the reset packet to user.

  The option is not configurable for Firewalls(or a Cat 6K switch as well).
  This is because the option is only applicable to the Routers.
  With Routers you have to choose whether to do Blocking or Rate Limiting or both.
  With the Firewalls (and Cat 6K Switches) the only thing you can do is Block. Since the only thing you can do is Block, it is not necessary to select it. The parameter just simply doesn't exist for the Firewall because it is unnecessary.
  This is a bug in IDM. IDM re-used the Router screen for Firewalls and greyed out the field, but it should have creatd a new Screen for Firewalls and left it completely out.
  As for why shunning to the Firewall is not working, here are a few things to try.
  1) Through IDM add an address to Shun/Block. Then check the Firewall with a "show shun" command to see if the address was shunned. If not proceed to step 2.
  2) Execute "show events past 00:05:00" to look at the events for the past 5 minutes. FInd the event where you added the shun/block, and look to see if there were any errors after it.
  3) Execute "show stat network-access" and look to see what is reported for your Pix. It may report an error as to why it can't connect.
  If there is still no luck figuring out why it can't connect then try:
  4) In the shun/block configuration screens there should be a Block Enable option that you can set to False and Apply the configuration. This should force the sensor to disconnect from all Shun/Block devices.
  5) Execute "show events" in a CLI connection and keep it running.
  6) Now set Block Enable back to True and Apply the configuration.
  7) Look back at the "show events" output and look for any messages about the sensor connecting to the Firewall to see if an Error is generated.
  I also remember a bug in an older version, that I believe is fixed in newer service packs.
  Execute "show shun" on the Firewall and see if there are any existing shuns.
  Remove any existing shuns on the Firewall with the "no shun" command.
  And then try numbers 4-7 again.
  There were special cases where some existing shun entries caused a problem on the sensor because newer Pix versions modified how they output the shun list.
  If clearing out the shun list fixed your problem, then you may have been hitting this bug, and you may need to upgrade your sensor in order to keep from hitting it in the future.

• HT3964 Finally got to the reset SMC step and this worked. Powered the Mac Book Pro A1150 on the following morning and again grey screen and this time the SMC reset refuses to work!

  After following the Apple knowledge base support notes on resetting the SMC I finally got to the reset SMC step and this worked. Powered the Mac Book Pro A1150 back up on the following morning and again grey screen and this time the SMC reset refuses to work!
  The battery still as before indicates not charging and no lights on the battery pack confirm this along with the system profiler which suggests the battery should be replaced. The charger itself actually works ok.
  Any further advice would be useful.

  Replace the battery.
  AHT  http://support.apple.com/kb/HT1509
  Genius reservation http://www.apple.com/retail/geniusbar/
  on-line https://getsupport.apple.com/GetproductgroupList.action
  check warranty https://selfsolve.apple.com/agreementWarrantyDynamic.do

• How to show no. of actual working days in Payslip in case of +ve time mgt

  Dear Experts,
  We have a requirement of showing no. of actual working days in payslip, which should be Calendar Days-(Paid+Unpaid absence). I created an w/t 1WRD for actual working days. Our paid absence w/t is 2006 and unpaid absence is 2005 copied from /845 and /846 respectively, both the absences are included in absence valuation table and working fine in that respect. But issue is i wrote a small PCR for calculating actual working days like below:
  ZWRD
       NUM=TKSOLL Set
       NUM-E 2005
       NUM-E 2006
      ADDWTE1WRD
  But still its fetching full working days i.e. calendar days 30 or 31 not deducting paid or unpaid absence for a month.
  Pls help, what else should i do.
  Regards
  Tan

  Sorry, i am unable to paste RT, but its exactly as below
  01, April, 2011
  1WRD Working days     30.00
  2006  Paid Absence       2.00                
  02, May, 2011
  1WRD Working days     31.00
  2005  Unpaid Absence   1.00                 
  regards
  Tan

• What is the difference between Wine, Wineskin, Winery and Wine Bottler, and how do I get Wine to *ACTUALLY* work in Mountain Lion?

  Ok, so this is my first post here and I am admittedly terrible at forums. Someone might say, "This was addressed in the ___________ thread by __________! Go read it!" --- that may be so but I've spent enough hours trying to google this problem into submission to no avail based on what is apparently working for others, so I would like a chance to get specific answers to specific questions that aren't from Mar 2011, etc.
  So first of all, I'm confused by all the various Wine programs/apps/whatevers. I've seen Wine, Wineskin, Winery, Wine Bottler, and at this point I wouldn't be surprised if there are even more than that. What's the difference between all of these and how do they work with one another? What do I actually need to get windows programs working?
  All of my google searches have led me to people giving out fish, but no one giving out fishing lessons. I'm not a pro at mac and windows and all that, but I'm a fairly bright individual who gets VERY frustrated, very quickly, when I don't understand the why and how of something I'm attempting.
  I've also found "answers" where the person attempting to help starts off helpful enough, but degrades into the most archaic of techno-babble after about 5-6 sentences. On the other hand, I've watched tutorials on youtube where the poster decides to skip (apparently crucial) sections of the tutorial, and mutters such gems as: "... you might wanna have to run Wine first before you can do anything, cuz I think it has to configure it and set up a bunch of stuff" 
  O.o
  A happy medium between techno-babble and the most basic of explanations would be ideal for me, and I'd imagine for others as well.
  Here is a summarized history of my relationship with Wine:
  Diablo II - I downloaded this awesome thing which ended up being... uh... I guess Diablo II in a Wineskin "wrapper". I'm not sure, all I know is that it's a D2 icon, and if I go to 'show package contents', it's got C drive, Program Files, et cetera inside of it. I double click it, it launches D2, and it works like a dream. <3
  'Vanilla Install' - That's what I heard someone call it. It was the command/terminal style install using xquartz and xcode found at http://www.davidbaumgold.com/tutorials/wine-mac/. I followed every instruction to the letter, and got all the way to '$ sudo port install wine', at which point it started going smoothly, free from the possible error he described regarding the installation of xcode, and then just failed after I left the room to use the restroom and came back. Please don't ask me to repeat what the error was, because honestly, after reading more things on the interwebs, I'm confused as to why it's even necessary to go through all of that, so I'd rather not try that route again anyways, rendering the error message quite possibly irrelevant.
  Wine + Wine Bottler - So I decided to try to seek out an easier method, as I know that one must exist that doesn't involve command lines. I found a video tutorial at http://www.youtube.com/watch?v=m0BBkISOcEA, and oh man would it be great if that method had actually worked. Again, I followed all instructions provided to procure my free fish, and at the point in the video where he declares that "xquarts or x11 will open" - it doesn't open. Nothing opens. I was trying to install Star Sonata, btw.
  So here I am, thoroughly worn out, frustrated at all the random places Wine is installed on my mac now, and just want someone to explain it all, from top down, without getting toooooooo technical on me. I know that might be asking a lot...

  ## I know that the poster has already found a solution, but the following is a possible answer for others that have similar issues.
  For Winebottler, just go to their website and download it. Run the program. Choose .wine as your prefix (best choice) or whatever suits you best. You'll need a functional X11. If you can't use the one that comes with your mac, download the latest one from the website.
  If your issue is one with Winebottler's Wine not running correctly due to X11, then you have a pretty ugly problem, although a simple upgrade is the best solution (Upgrade XQuartz.app).
  http://www.davidbaumgold.com/tutorials/wine-mac/#part-1
  The above website is the easiest way to get REAL wine on your computer. First of all, Wineskin WInery, etc. are NOT WINE. They are 3rd party apps that may use Wine or may have originally part of Wine, but they are no longer up to date with Wine. WineBottler is currently up to date with the stable releases of Wine (but not the maintenence releases).
  For the website tutorial and to run Wine on your mac without using a thrid party app, you will need to know a few things.
  First, you will need to know basic control of the command line. That means, sudo (you must know the administrator password to your computer), and the forms of cd (change directory).
  Second, you will need Xcode. Download 4.2 (stable) or whatever other versions you want, but beware: It is over 1 GB, and you will need time for it to work.
  Third, you will need to get MacPorts and configure it. The tutorial should have this data.
  When you download wine (use sudo port install wine-devel for the latest development release of wine), it will first download a lot of dependencies. This will take a while. After that, it will download wine itself.
  After obtaining wine, to run a program, open the terminal.app window.
  cd desktop/XYZ/ZYZ\ WRQ
  The above will first enter the desktop, then folder XYZ, then folder ZYZ WRQ. From here,
  wine th11e.exe
  Or whatever executable you are trying to open. (Using Subterranean Animism as my example).
  It should, in theory, run the program. Watch the terminal for errors. If there is an X11 problem, then it's not wine acting up. If the app crashes or has other issues, check the Wine Application Database to see if your app is compatible with wine.
  If you have any further questions or other things, feel free to reply; I may or may not get back to you, but there's a good chance that someone will come in eventually. Otherwise, the Wine Wiki should have some information.