Snort mailing list archives
Re: drop rules
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 12 Aug 2002 12:04:19 -0400
Drop rules are for tools like hogwash. Bear in mind that hogwash/drop rule type setups can *only* work if your snort box is an in-line two or more interface router, and not just a box on the side acting as a one interface sniffer.
see: http://hogwash.sourceforge.net/
Once hogwash decides to drop a packet, there's little or no chance of it passing through the firewall.
Resp rules are for flexresp, an add-on feature that ships with snort but needs to be enabled at compile time. Flexresp can be used in a sniffer type configuration and does not need to be part of an in-line firewall, but does require that your sniffer connection be able to send packets (no one-way taps or cables). However, due to the nature of reset spoofing, flexresp connection resets will never be completely reliable (i.e. they can fail, particularly if your attacker is aware of the use of flexresp and is actively trying to advance the sequence number before flexresp can react.)
At 06:18 AM 8/12/2002 -0700, charella constansia wrote:
please correct me if I'm wrong! I thought that the rule action drop didn't exist, or did I miss something? If you want to drop a connection you have to use the resp option or can you use the drop option.
thanks
sharella
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
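Added example, not part of the original messages: a small Python model of why a reset sent by a passive sensor depends on timing. It assumes the RFC 793 rule that an endpoint honours a RST only when its sequence number lies inside the current receive window; the function names and all numbers are constructed for illustration.

```python
# Added illustration (not from the original message). Models the RFC 793 rule
# that a TCP endpoint honours a RST only when its sequence number falls inside
# the current receive window. All names and numbers are constructed.
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def reset_outcome(observed_ack, deliveries, sensor_delay_ms, rcv_wnd):
    """Decide whether a passive sensor's forged RST is honoured.

    observed_ack    ACK number in the packet that triggered the rule; the
                    sensor copies it into the RST's sequence number.
    deliveries      (time_ms, nbytes) segments reaching the endpoint after
                    the trigger packet was seen.
    sensor_delay_ms time until the forged RST reaches the endpoint.
    """
    # Every byte delivered before the RST arrives moves the window forward.
    advanced = sum(n for t, n in deliveries if t <= sensor_delay_ms)
    rcv_nxt = (observed_ack + advanced) % MOD
    return "reset" if in_window(observed_ack, rcv_nxt, rcv_wnd) else "ignored"


if __name__ == "__main__":
    traffic = [(2, 1460), (4, 1460)]  # constructed sample: two full segments
    for delay in (1, 3):
        print(delay, "ms:", reset_outcome(1000, traffic, delay, 65535))
```

An in-line drop has no such timing dependency, because the packet in question is never forwarded in the first place.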
Current thread:
- drop rules charella constansia (Aug 12)
- Re: drop rules Matt Kettler (Aug 12)