Snort mailing list archives
Re: react: block
From: Jeff Nathan <jeff () snort org>
Date: Mon, 28 Jul 2003 13:02:33 -0700
--On Friday, July 25, 2003 13:02 -0400 Matt Kettler <mkettler () evi-inc com> wrote:
> Heh, "react: block" basically causes snort to use flexresp to try to reset the connection.
The keywords react and respond use different code.
> Of course, if the transfer consists only of one packet, resetting the connection won't matter. Also in the case of very small http'ed images and snort running stream4, you won't likely try to issue a reset until the image is done anyway. Besides... any skilled attacker can bypass flexresp at will with great ease. IMO, you'd be an absolute fool to use flexresp with any expectations of it working well.
Rarely can things be painted with such a broad brush. There are many shades of gray. It's simply a race.

Passive sensors are at an inherent disadvantage when it comes to knocking down a connection as is the case with active response. A passive sensor will realistically have almost no chance of knocking down the connection on the target IP stack by sending a single packet. The odds of winning the race improve slightly when it comes to winning the race by resetting the sending IP stack with a single packet.

When it comes to the react keyword the odds of success are much different. The react keyword implements HTTP blocking and must do a great deal more work than the active response implemented within the resp keyword. By sending several packets to both the target and the sender, the odds of successful active response are much better. Also, attempts to desynchronize a TCP connection in addition to trying to knock it down are potentially viable.

-Jeff

--
http://cerberus.sourcefire.com/~jeff (gpg key available)
Great spirits have always encountered violent opposition from mediocre minds. - Albert Einstein
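As an added example (not part of Jeff's message), the two keywords as they would be invoked in Snort 2.x rule syntax; the sids, msg strings and content patterns are constructed for illustration:

```snort
# resp: single-packet active response. rst_snd resets the sending stack,
# the side the thread describes as the likelier one to win the race.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"constructed example - resp"; flow:to_server,established; content:"cmd.exe"; nocase; resp:rst_snd; sid:1000001; rev:1;)

# react: HTTP blocking. Sends several packets to both ends and, with the
# msg modifier, returns a notice page to the client before closing.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed example - react"; flow:to_server,established; content:"blocked.example"; nocase; react:block,msg; sid:1000002; rev:1;)
```

Both keywords need Snort built with --enable-flexresp, and, as the thread stresses, either response is still a race against the real endpoints rather than an inline block.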