Snort mailing list archives

Re: How to make flexresp respond on all existing rules ?


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 10 Jul 2003 21:18:42 -0400

At 06:23 PM 7/10/2003 -0400, Erek Adams wrote:
> Do I manually have to edit all rules that I want a flexresp response for
> (by inserting the string "resp:rst_all"), or is there a way to make
> snort make a flexresp response on any alerts (without editing the rules)
> ?

Edit the rules.

Agreed, he'll have to edit all the rules. Even if you could do that, rst_all only makes sense in the context of TCP; however, there are a lot of IP, UDP, and ICMP rules in the rules.

Of course, the even more important question is why on earth would you want to do that?

1) The default ruleset FP's a fair amount, so you'll create nuisance resets.

2) An educated attacker can _always_ bypass flexresp, so it offers no security against an attacker that understands how TCP reset packets work. Don't be fooled into thinking you can keep hackers out with flexresp; you'll just slow them down a little.
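
Since the reply says the rules have to be edited by hand and that rst_all only applies to TCP, the following added example (not part of the original post and not Snort project code) shows one way to script that edit. The function name `add_rst_all`, the `only_sids` parameter for limiting the change to rules already vetted for false positives, and the sample rules and SIDs are all assumptions made for illustration; it assumes one rule per line.

```python
import re

# One active rule per line: action, protocol, header, then "(options)".
RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+([^(]+)\((.*)\)\s*$')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted option arguments
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
RESP_RE = re.compile(r'\bresp\s*:')

# Constructed sample rules for this example, not taken from a real ruleset.
SAMPLE = r'''# local.rules (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet (resp: test)"; content:"login"; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"EXAMPLE ping"; itype:8; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE web"; content:"/x"; resp:rst_all; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 25 (msg:"EXAMPLE smtp"; content:"VRFY"; sid:1000005; rev:1;)
'''

def add_rst_all(rules_text, only_sids=None):
    """Append resp:rst_all; to TCP rules; return (text, changed, skipped)."""
    out, changed, skipped = [], [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:                      # comment, blank line, var, include
            out.append(line)
            continue
        action, proto, header, opts = (g.strip() for g in m.groups())
        bare = QUOTED_RE.sub('""', opts)   # ignore text inside msg/content
        sid_m = SID_RE.search(bare)
        sid = int(sid_m.group(1)) if sid_m else None
        if proto.lower() != "tcp":
            reason = "not tcp"         # a TCP reset means nothing for ip/udp/icmp
        elif RESP_RE.search(bare):
            reason = "already has resp"
        elif only_sids is not None and sid not in only_sids:
            reason = "not selected"
        else:
            reason = None
        if reason:
            skipped.append((sid, reason))
            out.append(line)
            continue
        if not opts.endswith(";"):
            opts += ";"
        out.append(f"{action} {proto} {header} ({opts} resp:rst_all;)")
        changed.append(sid)
    return "\n".join(out) + "\n", changed, skipped

if __name__ == "__main__":
    text, changed, skipped = add_rst_all(SAMPLE, only_sids={1000001})
    print(text, changed, skipped, sep="\n")
```

Review the `skipped` list before loading the rewritten file, since it shows which rules were left without a response and why.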


