Snort mailing list archives
Re: (no subject)
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 05 Aug 2003 13:53:00 -0400
At 10:11 AM 8/5/2003 -0400, Erek Adams wrote:
> 1) Can snort detect and drop packet. How do i configure this ? Yes. ./configure --with-flexresp
Although it should be noted that flexresp is not actually a packet drop; it's a connection reset.
Flexresp will attempt to desynchronize and/or reset a connection, but may not be entirely reliable against an attacker that knows how to cheat and increase his chances of advancing the sequence number before it can be affected by flexresp. It's useful for several things, but it should never be viewed as a firewall or reliable packet block mechanism to be used as a primary line of defense.
If you need absolute true packet dropping, as in eliminating the exact packet that caused the alert from ever reaching the destination, you need something like hogwash or inline snort.
Snortsam is also close, but it will actually just block all further traffic from the host that triggered the alert. Snortsam reconfigures your firewall, so there's a small delay, but the source of the alert should be blocked out from doing other things as a result. Once the firewall is reconfigured by snortsam you've got a reliable and absolute blockade (unless your firewall itself is somehow broken).
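The three mechanisms contrasted above, written as one hypothetical rule three ways; this is an added example, not from the thread or the Snort project. The rule header, content string and SIDs are placeholders, and the fwsam option syntax is assumed from the snortsam documentation.

```snort
# Constructed example. EXAMPLE/PLACEHOLDER values are not a real signature.

# 1. flexresp: Snort reacts to the matched packet by sending TCP RSTs to
#    both ends (resp:rst_all). The matched packet has already been forwarded,
#    and if the RST loses the race with the real session the connection lives.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE flexresp reset"; \
    content:"PLACEHOLDER"; resp:rst_all; sid:1000001; rev:1;)

# 2. snortsam: Snort hands the alert to the snortsam agent, which installs a
#    firewall rule blocking the source for the given time (assumed syntax).
#    Reliable once installed, but the triggering packet and anything sent
#    during the reconfiguration delay still reach the destination.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE snortsam block"; \
    content:"PLACEHOLDER"; fwsam: src, 15 minutes; sid:1000002; rev:1;)

# 3. inline (snort_inline): Snort sits in the forwarding path and the "drop"
#    rule action discards the matched packet itself before delivery.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE inline drop"; \
    content:"PLACEHOLDER"; sid:1000003; rev:1;)
```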