Snort mailing list archives
Re: Documentation suggestions regarding the unreliability flexresp.
From: Jeff Nathan <jeff () snort org>
Date: Mon, 28 Jul 2003 12:44:21 -0700
When flexresp2 is ready, it will be accompanied by new documentation.

-Jeff

--On Friday, July 25, 2003 13:17 -0400 Matt Kettler <mkettler () evi-inc com> wrote:

It seems to be a common misunderstanding that flexresp actually works well and is usable as a reliable alternative to a firewall. Certainly nobody that understands how flexresp works would be foolish enough to think of it as a firewall alternative, but the documentation that comes with snort fails to make it clear that flexresp can be bypassed 100% of the time by a skilled attacker, and that it may not even work reliably against "routine" traffic.

I'd suggest that all the documentation regarding flexresp be updated to have at least some mention of the fact that it is unreliable.

docs/README.FLEXRESP is a VERY obvious target that should have a mention of this.

I'd also suggest that the "react:block" in the web documentation have some mention of it.
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.24

Something along the lines of this would be appropriate:

"It should be noted that the Flexresp mechanism is not a reliable one and should be treated as a "last resort" type option. If a skilled attacker is aware that flexresp is being used he can craft his packets to be able to evade flexresp with near 100% chance of success. Thus in the case of a skilled attacker flexresp will merely slow the attacker down by thwarting his "first try". This might give you some time you have to respond before he modifies his attack to get around it, but it will not stop a carefully crafted second try at the attack. Even in the case of an automated script, there is always a small chance that flexresp will fail to be able to close the connection before it is too late, so it cannot be relied upon as a sole defense against worms and scripts either.".

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

http://cerberus.sourcefire.com/~jeff (gpg key available)

Great spirits have always encountered violent opposition from mediocre minds. - Albert Einstein