Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: react: block

From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 25 Jul 2003 13:02:47 -0400
At 06:12 PM 7/25/2003 +0800, Edmund wrote:

Isn't the "react: block;" option supposed to block all further
attempts at sending/receiving information based on the snort rule?

Here's an attempt to block Google's image:

alert tcp any 80 <> any any ( content: "/images/hp"; \
                              msg: "Blocked Google image" \
                              react: block;)

The message is displayed in the log but the image still goes
through.  Did I misunderstand something rather important regarding
this feature?

Any help appreciated.
Heh, "react: block" basically causes snort to use flexresp to try to reset the connection.
Of course, if the transfer consists only of one packet, resetting the connection won't matter.
Also in the case of very small http'ed images and snort running stream4, you won't likely try to issue a reset until the image is done anyway.
Besides.. any skilled attacker can bypass flexresp at will with great ease. IMO, you'd be an absolute fool to use flexresp with any expectations of it working well. 





-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: