Snort mailing list archives

Re: (no subject)


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 05 Aug 2003 13:53:00 -0400

At 10:11 AM 8/5/2003 -0400, Erek Adams wrote:
> 1) Can snort detect and drop packets? How do I configure this?

Yes.

./configure --with-flexresp

Although it should be noted that flexresp is not actually a packet drop; it's a connection reset.

Flexresp will attempt to desynchronize and/or reset a connection, but may not be entirely reliable against an attacker that knows how to cheat and increase his chances of advancing the sequence number before it can be affected by flexresp. It's useful for several things, but it should never be viewed as a firewall or reliable packet block mechanism to be used as a primary line of defense.

If you need absolute true packet dropping, as in eliminating the exact packet that caused the alert from ever reaching the destination, you need something like hogwash or inline snort.

Snortsam is also close, but it will actually just block all further traffic from the host that triggered the alert. Snortsam reconfigures your firewall, so there's a small delay, but the source of the alert should be blocked out from doing other things as a result. Once the firewall is reconfigured by snortsam you've got a reliable and absolute blockade (unless your firewall itself is somehow broken).
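
A simplified model of the distinction drawn in the message above, added here as an example and not part of the original post or of Snort's code: a passive sensor sees the triggering packet only after it has been forwarded, and its forged reset is honoured only if its sequence number still falls inside the receiver's window (the RFC 793 rule). The `Receiver` class, the `simulate` function and the sample segments are constructed for illustration; flexresp's actual reset strategy is not modelled.

```python
from dataclasses import dataclass, field

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

# Constructed sample stream; the second segment is the one that raises the alert.
SAMPLE = [b"hello", b"BADPAYLOAD", b"more", b"data"]


@dataclass
class Receiver:
    """Minimal TCP receiver: in-order data plus the RFC 793 RST window check."""
    rcv_nxt: int
    rcv_wnd: int = 65535
    is_open: bool = True
    delivered: list = field(default_factory=list)

    def on_data(self, seq: int, payload: bytes) -> None:
        if self.is_open and seq == self.rcv_nxt:
            self.delivered.append(payload)
            self.rcv_nxt = (self.rcv_nxt + len(payload)) % SEQ_MOD

    def on_rst(self, seq: int) -> None:
        # A RST is honoured only if its sequence number lies in the receive window.
        if self.is_open and (seq - self.rcv_nxt) % SEQ_MOD < self.rcv_wnd:
            self.is_open = False


def simulate(segments, trigger_index, arrive_before_rst, isn=1000):
    """Replay `segments`; a passive sensor alerts on segments[trigger_index].

    The sensor forges a RST whose sequence number is the byte after the
    triggering segment. `arrive_before_rst` is how many later segments reach
    the receiver before that RST does. Returns (delivered, still_open).
    """
    rx = Receiver(rcv_nxt=isn)
    seq = isn
    rst_seq = None
    rst_at = trigger_index + arrive_before_rst
    for i, payload in enumerate(segments):
        rx.on_data(seq, payload)
        seq = (seq + len(payload)) % SEQ_MOD
        if i == trigger_index:
            rst_seq = seq        # sensor saw the packet after it was forwarded
        if i == rst_at:
            rx.on_rst(rst_seq)   # forged RST finally reaches the receiver
    return rx.delivered, rx.is_open
```

In both runs the alerting segment is delivered, which is why a reset is not a drop; with one further segment arriving first, the reset is stale and the connection stays open.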






