Snort mailing list archives

Re: general custom rules questions


From: Jim Forster <jforster () rapidnet com>
Date: Thu, 28 Feb 2002 15:14:35 -0700

---==On Thu, 28 Feb 2002 16:31:58 -0500, Basil Saragoza wrote==---
1. If I want to create my own rules then should I place it in the
local.rules file or create my own file? (And then use snort -o)
Yes, that's why I added them - it's just easier when you update your ruleset to know they won't be overwritten.
(I have now changed it to mylocal.rules for my systems, so installing a new set won't touch my files with the 'default' empty one)

2. As to the flexresp rules...I understand it is quite dangerous and it can
cause more harm than good....is there any tutorial or user archive for
custom written rules?
Flex drops the request, not necessarily the connection.
I make a request for "welcome.html" ok
I make a request for "cmd.exe" a TCP RST is sent
I make a request for "welcome2.html" ok
No firewall rules are changed/added and no black holing of the attacker occurs.

3. Let's say I created a flexresp rule for some annoying hostile connection,
O.K., now it's dropped. Then the hacker figures out what is going on and spoofs his address to a novell.com address, then I can't block it cause I
You block by the packet content.  This would just mean he couldn't pretend to be from novell and attack you either.  :)

I've had mixed luck with flexresp, from what you've said here, Hogwash may actually be what you're looking for.
--------------------------------------------------------------------
Sleep: A completely inadequate substitute for caffeine.

Jim Forster, jforster () rapidnet com on 02/28/2002
Network Administrator
RapidNet, A Golden West Company
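The behaviour described in the reply (a content match on the request answered with a TCP reset, independent of the client address, with nothing added to the firewall) as an added example of a flexresp rule in a separate local rules file; this is constructed for this archive page, not code from the thread, and assumes a Snort 1.x build with flexresp enabled plus the $EXTERNAL_NET, $HTTP_SERVERS and $SCANNER variables defined in snort.conf.

```snort
# mylocal.rules  (constructed example for this page, not from the thread)
# Load it from snort.conf with:   include $RULE_PATH/mylocal.rules
# Needs Snort 1.x built with ./configure --enable-flexresp, and the
# $EXTERNAL_NET / $HTTP_SERVERS / $SCANNER variables set in snort.conf (assumed).
# Local sids start at 1000000 so they never collide with the stock ruleset.

# Flexresp rule: the match is on packet content ("cmd.exe" inside an
# established HTTP request), not on the source address, so a spoofed
# source gains the client nothing. resp:rst_all sends a TCP RST toward
# both ends for the offending request only; no firewall rule is added, so
# the next request from the same client is inspected afresh.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL cmd.exe request - reset"; flags:A+; content:"cmd.exe"; nocase; resp:rst_all; sid:1000001; rev:1;)

# Requests for welcome.html or welcome2.html match no rule and pass untouched.

# If pass rules also live here (e.g. to silence a scanner you run yourself),
# remember that Snort evaluates alert rules before pass rules unless it is
# started with -o, which reverses that order so the pass rule wins.
pass tcp $SCANNER any -> $HTTP_SERVERS 80 (msg:"LOCAL trusted scanner"; sid:1000002; rev:1;)
```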


