Snort mailing list archives
RE: flex response
From: "Abe L. Getchell" <abegetchell () home com>
Date: Thu, 13 Dec 2001 01:04:21 -0500
Hey Neil,

FlexResponse doesn't actually 'block' connections, it uses spoofed RST's (when TCP traffic trips a flexresp enabled rule) and ICMP error messages (when UDP traffic trips a flexresp enabled rule) to fool the offending machine into thinking that the box on the other end is tearing down the connection for some reason (TCP) or that the network/box/port doesn't exist or isn't open (UDP).

If you want to _block_ connections using Snort, you could always look at one of a couple of utilities which are designed to dynamically update firewall policies, like you mention in your e-mail. I believe code exists to do this for IPChains, IPTables, and Checkpoint FireWall-1. A search on Google for the subject should give you plenty of leads.

That being said, the idea of doing this scares me because you're allowing the augmentation of your firewall policy by traffic an attacker is generating and sending into your network, putting the (limited) control of a component of your security infrastructure in his/her hands. Most of the code out there does offer some kind of 'white list' functionality, so that's at least somewhat reassuring. Still gives me goose bumps though...

Thanks,
Abe

--
Abe L. Getchell
Security Engineer
abegetchell () home com
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ronneil Camara
Sent: Wednesday, December 12, 2001 5:05 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] flex response

Hi guys, me again.

I need to know how flex response can block attacks? I don't know if it's a good idea to enable it. But how does it block attacks? What about preventing snort's flex response to not block a specific network, is it possible like by using white list? Does this flex response work in conjunction with a firewall to block the attack? If so, what firewalls are supported?

Thanks.

Neil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
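The concern raised in the reply above, sketched as an added example that is not part of the original message or of any Snort add-on: a Python gate that decides which alert source addresses an automatic firewall updater may block. The allowlist networks, the per-batch cap and the sample alert lines are all constructed for illustration.

```python
import ipaddress
import re

# Hypothetical allowlist: sources the updater must never block, whatever the alerts say.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.53/32")]
MAX_NEW_BLOCKS = 2  # assumed cap on new blocks accepted per batch of alerts

# Source field of a Snort fast-alert line: "{PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(r"\{(TCP|UDP|ICMP)\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->")

# Constructed sample alerts (documentation address ranges, local SID).
SAMPLE_ALERTS = """\
12/12-17:05:01.000001 [**] [1:1000001:1] constructed test rule [**] [Priority: 1] {TCP} 203.0.113.7:4312 -> 192.0.2.10:80
12/12-17:05:01.000002 [**] [1:1000001:1] constructed test rule [**] [Priority: 1] {UDP} 198.51.100.53:53 -> 192.0.2.10:1029
12/12-17:05:01.000003 [**] [1:1000001:1] constructed test rule [**] [Priority: 1] {TCP} 192.0.2.1:80 -> 192.0.2.10:1030
12/12-17:05:02.000004 [**] [1:1000001:1] constructed test rule [**] [Priority: 1] {TCP} 203.0.113.8:4313 -> 192.0.2.10:80
12/12-17:05:02.000005 [**] [1:1000001:1] constructed test rule [**] [Priority: 1] {TCP} 203.0.113.9:4314 -> 192.0.2.10:80
"""

def plan_blocks(alert_text, allowlist=ALLOWLIST, max_new=MAX_NEW_BLOCKS):
    """Return (to_block, refused, deferred) source addresses for a batch of alerts."""
    to_block, refused, deferred = [], [], []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line we understand: never act on it
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if any(src in net for net in allowlist):
            refused.append(str(src))   # source may be spoofed; blocking it would cut off our own service
        elif str(src) in to_block:
            continue                   # already queued
        elif len(to_block) >= max_new:
            deferred.append(str(src))  # over the cap: leave for an operator to review
        else:
            to_block.append(str(src))
    return to_block, refused, deferred

if __name__ == "__main__":
    blocks, refused, deferred = plan_blocks(SAMPLE_ALERTS)
    print("block:", blocks)
    print("refused (allowlisted):", refused)
    print("deferred (over cap):", deferred)
```

The gate only produces a plan; feeding `to_block` to a firewall is left out on purpose, since that step is where the allowlist and cap have to be enforced.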