Snort mailing list archives

Re: Flex Resp


From: Neil Dickey <neil () geol niu edu>
Date: Mon, 13 Aug 2001 13:46:17 -0500 (CDT)


"Larry E. Smith Jr." <lsmithjr () monster-solutions net> wrote asking:

What is the benefit of compiling snort with Flex Resp?

"Flex Resp" allows Snort to respond to a packet of some particular
description in addition to logging it.  The rules pages on the
Snort website give more detail, but one possibility is that on
receipt of a CodeRedII packet the Snort machine could send a reset
packet both to the source machine and the receiving machine, thereby
terminating the exchange before it would normally have ended.

There are potential problems, however, and the "Flex Resp" capability
should be used with some caution.  Depending on the nature of the
attack, "Flex Resp" can initiate a packet storm which can make your
logs unbelievably huge in really short periods of time -- not to
mention the bandwidth consumed by the traffic.  In short, you can
DOS yourself with it if you're not careful.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
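
An added example, not part of the message above and not taken from the Snort distribution: the response it describes, written in Snort 1.x rule syntax, with a narrowly scoped rule beside one broad enough to fire on the sensor's own resets. The rule messages and the `.ida?` match are constructed for illustration, `$EXTERNAL_NET` and `$HTTP_SERVERS` are the usual snort.conf variables, and treating self-matching as a source of the storm is an assumption, since the message does not say how the storm arises.

```snort
# The resp keyword needs a Snort binary built with flexible response
# support (./configure --enable-flexresp).

# Narrow rule: fires only on inbound HTTP requests to the web servers
# whose URI contains ".ida?" (constructed stand-in for a CodeRedII
# signature). resp:rst_all sends a TCP reset to both ends of the
# connection, which is the behaviour the message describes.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXAMPLE .ida request - reset both ends"; flags:A+; uricontent:".ida?"; nocase; resp:rst_all;)

# Overly broad rule, shown only as the pattern to avoid: it fires on
# every TCP packet in either direction. If the sensor also captures the
# resets it injects (assumption), each response can trigger another
# alert and another response, filling the logs and the link.
alert tcp any any <> any any (msg:"EXAMPLE overly broad reset rule"; resp:rst_all;)

# Other resp modifiers: rst_snd (reset the sender only), rst_rcv (reset
# the receiver only), icmp_net, icmp_host, icmp_port, icmp_all (ICMP
# unreachable messages to the sender).
```

Keeping the header and content match as specific as in the first rule limits how often a response is sent, which is what bounds both the log growth and the extra traffic.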
