Snort mailing list archives
Re: How to make flexresp respond on all existing rules ?
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 10 Jul 2003 21:57:37 -0400
Rich Adamson wrote:
Also remember that an HTTP connection payload can consist of one packet beyond the initial handshake. And that one packet can do the damage. Resetting the connection after you see the signature and the packet is delivered won't help. Only something like Hogwash or another inline IDS that dropsHopefully you've read the archives to know that flexresp can lead you into a false sense of security as not all intruders actually listen for whateverflexresp might be sending.
the packet before it gets to the target would offer protection. ------------------------------------------------------- This SF.Net email sponsored by: Parasoft Error proof Web apps, automate testing & more. Download & eval WebKing and get a free book. www.parasoft.com/bulletproofapps1 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- How to make flexresp respond on all existing rules ? Bo Jacobsen (Jul 10)
- Re: How to make flexresp respond on all existing rules ? Erek Adams (Jul 10)
- Re: How to make flexresp respond on all existing rules ? Matt Kettler (Jul 10)
- Re: How to make flexresp respond on all existing rules ? Rich Adamson (Jul 10)
- Re: How to make flexresp respond on all existing rules ? Gary Flynn (Jul 10)
- Re: How to make flexresp respond on all existing rules ? Erek Adams (Jul 10)