Snort mailing list archives

Re: Professional Opinions ---wanted


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 04 Sep 2002 17:47:38 -0400

My personal opinion, and one I've repeated often on the list, is that the greatest danger in flexresp is that it might lead you to believe it is useful in "managing attacks".

An attacker that knows you are using flexresp can actively bypass it by advancing the sequence number. And if someone is actually attacking your network by hand, they will know you're using some kind of flexresp-like system pretty quickly. Sure they won't be able to get past it every time, but they can and will be able to get past it some of the time, certainly often enough to succeed if you were counting on flexresp to stop some kiddie from r00ting your box.

Flexresp is a neat little tool, and it's useful for non-security situations, i.e. if you're using snort as a bizarre pr0n filter, or as an absolute last-ditch effort, but NEVER treat flexresp as a sure thing. I think it also has some place in attempting to defend against theoretical attacks if a signature is generated before a patch to the server code in question can be made.

Flexresp is not a replacement for a well-patched server and properly configured firewall, but as long as you aren't counting on it to provide security it has some uses.


At 04:20 PM 9/4/2002 -0700, Tim wrote:
Hey ppl,


Just wanted to get some opinions from people with experience with FLEXRESP. I have been toiling with the idea of jumping in and configuring snort with this option in order to manage some of the attacks.

I did re-compile snort with the flexresp option this time (curiosity got the better of me). I made sure to install libnet before I did so, which went fine...no errors. But I'm not sure if, after running ./configure --enable-flexresp, I was supposed to run make and make install again. Any comments or insights on the installation process?

What do you all think....is flexresp worth the effort? What are the pros and cons to this little utility? Your opinions are appreciated....TIA


Tim-Mia/Fla
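To make Matt's sequence-number point concrete, here is a small added model (not part of the original thread and not Snort or flexresp code) of the receiver-side TCP reset check: a passive sensor derives its RST from the packet that matched the rule, and the receiver honours a RST only if its sequence number is still inside the receive window. The window sizes, sequence numbers and traffic pattern are constructed; the acceptance rule is the classic RFC 793 one.

```python
# Why a sniffer-generated TCP reset can miss: constructed model, not Snort code.
# A TCP receiver honours a RST only if its SEQ is inside the receive window
# (RFC 793). Modern stacks are stricter still (RFC 5961 accepts an immediate
# reset only when SEQ == RCV.NXT), which only makes the race tighter.
from dataclasses import dataclass

MOD32 = 1 << 32


@dataclass
class Receiver:
    rcv_nxt: int            # next sequence number the receiver expects
    rcv_wnd: int            # advertised receive window
    established: bool = True

    def deliver(self, seq: int, payload_len: int) -> bool:
        """Accept an in-order data segment and advance RCV.NXT."""
        if not self.established or seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + payload_len) % MOD32
        return True

    def reset(self, seq: int) -> bool:
        """RFC 793 rule: RST is honoured only if RCV.NXT <= SEQ < RCV.NXT+WND."""
        in_window = (seq - self.rcv_nxt) % MOD32 < self.rcv_wnd  # wrap-safe
        if in_window:
            self.established = False
        return in_window


def sensor_reset_seq(observed_seq: int, observed_len: int) -> int:
    """A passive sensor can only build its RST from the packet it just saw."""
    return (observed_seq + observed_len) % MOD32


def simulate(bytes_before_rst_arrives: int, wnd: int = 8192) -> bool:
    """True if the sensor's RST actually tears down the server-side connection.
    The client (constructed) keeps sending bytes_before_rst_arrives more bytes
    after the triggering packet, and they reach the server before the RST."""
    srv = Receiver(rcv_nxt=1000, rcv_wnd=wnd)
    trigger_seq, trigger_len = 1000, 100
    srv.deliver(trigger_seq, trigger_len)          # the packet that matched
    rst_seq = sensor_reset_seq(trigger_seq, trigger_len)
    seq, remaining = srv.rcv_nxt, bytes_before_rst_arrives
    while remaining > 0:                           # sender's stream races the RST
        chunk = min(1460, remaining)
        srv.deliver(seq, chunk)
        seq, remaining = (seq + chunk) % MOD32, remaining - chunk
    return srv.reset(rst_seq)                      # stale once data was accepted
```

simulate(0) returns True (the RST lands exactly on RCV.NXT), while simulate(1) already returns False: any data accepted between the trigger and the RST's arrival leaves the sensor's reset below the window, which is the race Matt describes.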





