Snort mailing list archives

RE: Documentation suggestions regarding the unreliability FlexRESP.


From: "Michael Steele" <michaels () winsnort com>
Date: Sun, 27 Jul 2003 11:38:33 -0700

FlexRESP has never worked properly. Is it really prudent to keep this as
part of Snort? They removed Spade, with a lot of uproar, and it finally died
down, so I'm assuming that removing FlexRESP would have much less backlash.

FlexRESP gives almost every new Snort user the impression that Snort has
some sort of firewall capability. There are other products out there that
are far more capable of doing what FlexRESP is supposed to be doing and
doing it correctly.

Disclaimer: This response is not meant to stir anything up and is only my
personal thoughts.

Cheers...

-Michael Steele
-- 
 System Engineer / Security Support Technician
 mailto:michaels () winsnort com
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jon Baer
Sent: Friday, July 25, 2003 2:19 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Documentation suggestions regarding the
unreliability flexresp.

I agree ... but in which cases does flexresp even make sense to use?
Honeypot plugins?

I'm not actually using it but toying w/ it and an open DHCP server on the
network to make some type of deterrence possible. It would be nice to have
the ability to respond w/ your own crafted packets for other things, but I'm sure
that's why the mechanism was implemented to begin with; it's just that you can't
do much with it now as is.

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47


----- Original Message ----- 
From: "Matt Kettler" <mkettler () evi-inc com>
To: <snort-users () lists sourceforge net>
Sent: Friday, July 25, 2003 10:17 AM
Subject: [Snort-users] Documentation suggestions regarding the unreliability
flexresp.


It seems to be a common misunderstanding that flexresp actually works well
and is usable as a reliable alternative to a firewall.

Certainly nobody that understands how flexresp works would be foolish
enough to think of it as a firewall alternative, but the documentation that
comes with snort fails to make it clear that flexresp can be bypassed 100%
of the time by a skilled attacker, and that it may not even work reliably
against "routine" traffic.

I'd suggest that all the documentation regarding flexresp be updated to
have at least some mention of the fact that it is unreliable.

docs/README.FLEXRESP is a VERY obvious target that should have a mention of
this. I'd also suggest that the "react:block" in the web documentation have
some mention of it.

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.24

Something along the lines of this would be appropriate:

"It should be noted that the Flexresp mechanism is not a reliable one and
should be treated as a "last resort" type option. If a skilled attacker is
aware that flexresp is being used he can craft his packets to be able to
evade flexresp with near 100% chance of success. Thus in the case of a
skilled attacker flexresp will merely slow the attacker down by thwarting
his "first try". This might give you some time you have to respond before
he modifies his attack to get around it, but it will not stop a carefully
crafted second try at the attack. Even in the case of an automated script,
there is always a small chance that flexresp will fail to be able to close
the connection before it is too late, so it cannot be relied upon as a sole
defense against worms and scripts either."



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.

http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users