Snort mailing list archives

RE: flex response


From: "Abe L. Getchell" <abegetchell () home com>
Date: Thu, 13 Dec 2001 01:04:21 -0500

Hey Neil,

FlexResponse doesn't actually 'block' connections, it uses spoofed RSTs
(when TCP traffic trips a flexresp enabled rule) and ICMP error messages
(when UDP traffic trips a flexresp enabled rule) to fool the offending
machine into thinking that the box on the other end is tearing down the
connection for some reason (TCP) or that the network/box/port doesn't
exist or isn't open (UDP).

If you want to _block_ connections using Snort, you could always look at
one of a couple of utilities which are designed to dynamically update
firewall policies, like you mention in your e-mail.  I believe code
exists to do this for IPChains, IPTables, and Checkpoint FireWall-1.  A
search on Google for the subject should give you plenty of leads.

That being said, the idea of doing this scares me because you're
allowing the augmentation of your firewall policy by traffic an attacker
is generating and sending into your network, putting the (limited) control
of a component of your security infrastructure in his/her hands.  Most
of the code out there does offer some kind of 'white list'
functionality, so that's at least somewhat reassuring.  Still gives me
goose bumps though...

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com
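The caveat above (firewall policy driven by attacker-generated traffic) is exactly what the 'white list' feature in the dynamic-update tools is for. The following is an added illustration, not code from the thread or from any of the tools mentioned: a small decision function that turns Snort-style alert lines into block decisions while refusing to block whitelisted networks, de-duplicating active blocks, expiring them after a TTL and capping their number so a flood of spoofed sources cannot fill the firewall. The alert line format, the addresses and the policy values are all constructed for the example.

```python
"""Whitelist-gated auto-block decisions for IDS alerts (added example).

Assumptions (not from the thread): alerts arrive as single lines in a
Snort "fast"-style format containing "{PROTO} src:port -> dst:port";
the addresses and rule ids below are made up.
"""
import ipaddress
import re
import time
from dataclasses import dataclass, field

# Constructed sample alerts: one external probe, one alert whose source is an
# internal host (possibly spoofed), and a repeat from the first probe.
SAMPLE_ALERTS = [
    "12/12-17:05:01.000000 [**] [1:1000001:1] TEST probe [**] "
    "{TCP} 203.0.113.9:4444 -> 192.168.1.10:80",
    "12/12-17:05:02.000000 [**] [1:1000001:1] TEST probe [**] "
    "{UDP} 192.168.1.2:53 -> 192.168.1.10:1025",
    "12/12-17:05:03.000000 [**] [1:1000001:1] TEST probe [**] "
    "{TCP} 203.0.113.9:4445 -> 192.168.1.10:80",
]

# Pulls protocol, source and destination address out of an alert line.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


@dataclass
class BlockPolicy:
    whitelist: list            # networks never blocked (own hosts, DNS, partners)
    ttl: int = 600             # seconds a block lives before it expires
    max_active: int = 100      # cap so a spoofed flood cannot fill the firewall
    active: dict = field(default_factory=dict)  # src ip -> expiry timestamp

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def expire(self, now):
        """Drop blocks whose TTL has run out."""
        for ip in [ip for ip, exp in self.active.items() if exp <= now]:
            del self.active[ip]

    def decide(self, alert_line, now=None):
        """Return (decision, src) where decision is one of
        'block', 'skip-whitelist', 'already-blocked', 'skip-cap', 'ignore'."""
        now = time.time() if now is None else now
        self.expire(now)
        m = ALERT_RE.search(alert_line)
        if not m:
            return ("ignore", None)
        src = m.group("src")
        if self.is_whitelisted(src):
            # An attacker who spoofs a trusted address must not be able to
            # make us block that address.
            return ("skip-whitelist", src)
        if src in self.active:
            return ("already-blocked", src)
        if len(self.active) >= self.max_active:
            return ("skip-cap", src)
        self.active[src] = now + self.ttl
        return ("block", src)


def make_policy(whitelist_cidrs, **kwargs):
    """Build a policy from CIDR strings, e.g. ["192.168.0.0/16"]."""
    nets = [ipaddress.ip_network(c) for c in whitelist_cidrs]
    return BlockPolicy(whitelist=nets, **kwargs)


def run(alerts, policy, now=0):
    """Feed alert lines through the policy and return the decisions."""
    return [policy.decide(a, now=now) for a in alerts]


if __name__ == "__main__":
    pol = make_policy(["192.168.0.0/16"])
    for decision in run(SAMPLE_ALERTS, pol):
        print(decision)
```

Whatever actually applies the block (an ipchains, iptables or FireWall-1 update) would only be called for a 'block' decision; the whitelist, TTL and cap are the parts that keep the attacker's influence over the firewall bounded.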


-----Original Message-----
From: snort-users-admin () lists sourceforge net 
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of 
Ronneil Camara
Sent: Wednesday, December 12, 2001 5:05 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] flex response


Hi guys, me again.

I need to know how flex response can block attacks. I don't 
know if it's a good idea to enable it. But how does it block 
attacks? What about preventing snort's flex response from 
blocking a specific network, is it possible, like by using a white 
list? Does this flex response work in conjunction with a 
firewall to block the attack? If so, what firewalls are supported?

Thanks.

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users




